The European Court of Justice has ruled that member states can not use national legislation to indiscriminately collect traffic data and location data of citizens as such indiscriminate collection of data falls foul of existing data privacy laws.
In the landmark ruling, the European Court of Justice said that national legislation, such as the Investigatory Powers Act in the UK, that provide for wholesale collection and retention of citizens' Internet traffic data and location data by governments, can not be allowed to stand as the same is contrary to the directive on privacy and electronic communications.
The Court said that existing privacy law in the European Union "precludes national legislation requiring providers of electronic communications services to carry out the general and indiscriminate transmission of traffic data and location data to the security and intelligence agencies for the purpose of safeguarding national security."
It held that the use of national legislation to collect and retain the traffic data and location data of citizens indiscriminately "constitute particularly serious interferences with the fundamental rights guaranteed by the Charter". The GDPR also does not allow EU countries to introduce legislation that allows them to access online public communication services and hosting service providers to retain personal data relating to those services.
Despite stating that the privacy of citizens is of greater importance than the need of governments to collect the private data of citizens as a preventive measure, ECJ said governments can, in some circumstances, use national legislation to indiscriminately collect and retain traffic data and location data of citizens.
"In situations where the Member State concerned is facing a serious threat to national security that proves to be genuine and present or foreseeable, the directive on privacy and electronic communications, read in the light of the Charter, does not preclude recourse to an order requiring providers of electronic communications services to retain, generally and indiscriminately, traffic data and location data.
"In that context, the Court specifies that the decision imposing such an order, for a period that is limited in time to what is strictly necessary, must be subject to effective review either by a court or by an independent administrative body whose decision is binding, in order to verify that one of those situations exists and that the conditions and safeguards laid down are observed," it added.
The Court also held that governments can use legislative measures to retain internet traffic and location data of citizens on the basis of objective and non-discriminatory factors, according to the categories of persons concerned or using a geographical criterion, as long as the data retention is limited in time to what is strictly necessary.
Governments can also use legislative measures to authorise the indiscriminate collection and retention of IP
addresses assigned to the source of a communication or relating to the civil identity of users of means of electronic communications. This would allow governments to carry out surveillance over people who may use electronic communications for terrorist activities or activities that threaten the country's national security.
"The directive on privacy and electronic communications does not preclude national legislation which requires providers of electronic communications services to have recourse to the real-time collection of traffic data and location data, where that collection is limited to persons in respect of whom there is a valid reason to suspect that they are involved in one way or another in terrorist activities and is subject to a prior review carried out either by a court or by an independent administrative body whose decision is binding," ECJ said.
It added that the directive on privacy and electronic communications, interpreted in the light of the principle of effectiveness, requires national criminal courts to disregard information and evidence obtained by means of the general and indiscriminate retention of traffic and location data in breach of EU law. This would prevent governments from using illegal surveillance tools and draconian legislation to collect citizens' personal data or to target citizens using data collected through unlawful means.
The European Court of Justice's ruling came in response to three cases filed in the UK, France, and Belgium that challenged the use of legislation by governments to indiscriminately collect and retain citizens' internet traffic and location data. One of these cases was filed by Privacy International in the Investigatory Powers Tribunal.
In 2017, Privacy International told the Investigatory Powers Tribunal that domestic intelligence agencies like the MI5 and MI6 were processing bulk data belonging to citizens and sharing it with others without following legal safeguards.
Privacy International alleged that bulk personal datasets collected and monitored by MI5 and MI6 contained highly sensitive content about citizens. These included their activities on social media sites, online dating sites and left almost nothing to the agencies' imagination. "Such datasets are very intrusive. They contain information that goes right to the core of an individual’s private life," said Ben Jaffey QC who represented Privacy International.
The Tribunal was told that a select group of researchers at the University of Bristol were also given access to bulk datasets collected and retained by GCHQ. These data sets included every conceivable sensitive information like internet usage logs, call logs, online file transfers, and lists of websites visited by citizens.
At the same time, GCHQ also shared bulk datasets with HM Revenue and Customs (HMRC). According to Privacy International, once such datasets are shared with external agencies, control over them is lost. At the same time, such datasets can also be used by intelligence agencies for purposes that may not have official or legal sanction.