The CJEU (the European Union Court of Justice) has handed down a decision which makes clear that general and indiscriminate retention of electronic communications is unlawful. National legislation of each European Member State should ensure that mass surveillance only occurs where it is strictly necessary in order to combat serious crime as well as terrorism and meets other stringent requirements.

The references were made by the Swedish and UK courts and concerned the interpretation of the Privacy and Electronic Communications Directive (Directive 2002/58/EC, as amended by Directive 2009/136/EC) (the “Directive”), in light of the rights granted by the Charter of Fundamental Rights of the European Union (the “Charter”), particularly, the right to privacy (Article 7) and the right to protection of personal data (Article 8), and the decision of the CJEU in Digital Rights Ireland (C‑293/12 and C‑594/12).

The CJEU held that:

  • The Directive, the Charter and the Digital Rights judgment meant that legislation that required companies to retain all traffic and location data of all subscribers and registered users with respect to all electronic communications with no exceptions was unlawful.
  • Indiscriminate data retention would amount to a serious interference with fundamental rights, that could not necessarily be justified simply for the purposes of fighting crime. This was compounded by the fact that the retention of such data in these cases would affect all individuals, whether or not there was any evidence or suspicion and whether or not they were directly or indirectly involved with crime or terrorism.
  • The intention of the Directive was to make retention of such data the exception rather than the rule and the national legislation concerned here exceeded what was necessary and justifiable in a democratic society. Retention should be targeted and limited to what is strictly necessary in order to combat serious crime in terms of categories of data, communication type, persons concerned and retention period.
  • Unless there was a valid urgency the general rule should be that the relevant competent national authorities submit a reasoned request to the court or an independent administrative body who should review that request and make a decision. Other substantive and procedural conditions as well as data security obligations should also be in place.
  • In addition, an individual that is affected by the surveillance should be notified that surveillance has occurred, when it would no longer harm the investigation. This was necessary so that individuals could seek a remedy if they considered that their rights had been infringed.

EU Member States will now review their mass surveillance regimes to ensure that they are appropriately targeted and are in compliance with this judgment. This will take place in a climate where there is some sympathy for mass surveillance given the recent terrorist attacks in Europe in Nice, Brussels, Paris and Berlin. Though equally there are groups that feel the law permits an unnecessary and unlawful intrusion into their private lives.

With reference to the UK, this case is interesting for three further reasons:

  • New legislation, the Investigatory Powers Act 2016 (dubbed the “Snooper’s Charter”), will come into force from 31 December 2016. This Act contains powers that are broader than the current UK legislation this decision concerned, such as a requirement on web and phone companies to store all web browsing histories for 12 months, and giving police and security services increased access to data. This legislation was already divisive, and following this case we anticipate that it will receive challenges when it comes into force.
  • Given this clear decision from the CJEU, if the UK post-Brexit wishes to receive an adequacy decision from the European Commission in relation to the UK’s data protection regime, then it will likely have to make amendments to the current legislation to be in accordance with this decision, if it has not already done so at the point it leaves the EU.
  • Ironically, the UK government’s current Secretary in charge of Brexit, David Davis, was involved in the legal challenge to the legislation when he was a back bench MP (i.e. when he had no role in government). It was also supported by a number of organisations including: Liberty (an independent human rights organization), the Law Society (the representative body for solicitors in England and Wales), the Open Rights Group (a campaigning group for digital rights and civil liberties) and Privacy International (a human rights watchdog focused on privacy intrusions).