European court to decide on legality of bulk phone and internet surveillance

The European Court of Justice will decide whether intelligence agencies across Europe can continue to lawfully collect the telephone and internet communications data of citizens, following a two-day hearing this week

Judges at Europe’s highest court are to decide whether the UK and other European countries’ mass collection of telephone, internet and web communications traffic is compatible with European law.

The European Court of Justice is due to determine, following a two-day hearing, whether European countries can claim exemption from EU laws – which protect individuals’ privacy – when collecting and retaining citizens’ communications data for reasons of national security.

The hearing before 15 judges follows a decision by the UK’s most secret court, the Investigatory Powers Tribunal, to refer two key questions over the legality of the UK’s bulk collection programme to the European Court of Justice of the European Union, following a legal challenge by Privacy International.

France and Belgium also asked the Luxembourg court to answer questions on the legality of their surveillance programmes, scheduled for the same hearing. France is raising questions over the legality of the real-time tracking of individuals’ location, phone and internet use.

The CJEU’s answers could require European countries, including the UK depending on the timing of Brexit, to rewrite laws governing bulk communications data collection and introduce new privacy safeguards, including a requirement that individuals are notified if their data has been collected after an investigation is complete.

Ilia Siatitsa, legal officer at Privacy International, which gave oral submissions during hearings, said the decision will test assertions by the UK that it can use national security as a justification for mass surveillance.

“The hearing before the European Court of Justice is a key opportunity to challenge the systemic collection, storage and use of data belonging to millions of people by the UK government,” she said. “This data has been acquired by the UK security and intelligence authorities and put into databases for at least 14 years. The government vaguely asserts national security to justify this massive intrusion, but continues to resist important legal safeguards.”

Retained communications

Law and intelligence agencies across Europe collect and retain the communications data of citizens, including details of websites they have visited, records of where emails were sent and at what time, email subject lines and the location of mobile phones and call records.

This “metadata” can be used to build a highly detailed profile of an individual, including their contacts and associates, their interests and habits, and movements over time – as well as sensitive information, including their sexuality, religious beliefs and medical conditions.

European law regulating data retention has been in legal limbo since 2014, when the CJEU declared Europe’s data protection directive invalid, following a legal challenge by Digital Rights Ireland. The court concluded the directive interfered in a serious manner with individuals’ fundamental rights.

European member states have been in no hurry to reinstate a new version of the directive with stronger protections for individual privacy, giving them the freedom to continue with their existing and potentially unlawful data retention programmes.

EU law could cripple intelligence services

The Investigatory Powers Tribunal has asked the court to decide, first, whether requiring telcos and internet companies to supply communications data to the intelligence agencies of member states falls within the scope of Union law and of the e-Privacy Directive.

Second, if the answer to the first question is yes, whether the legal safeguards in the Tele2/Watson judgment in 2016 – which found the general and indiscriminate retention of communications unlawful – should apply to the extent that they impede the security and intelligence agencies (SIAs) in national security cases.

The UK government argues that applying rulings by the CJEU and other EU law to current surveillance legislation would cripple the ability of the intelligence services to collect bulk communications data.

It claims that bulk data collection falls outside the scope of European Union law because it relates to national security rather than serious crime, arguing that Article 8 of the European Convention on Human Rights – which guarantees people the right to a private family and home life and private correspondence – provides sufficient safeguards to the public.

Member states argue for surveillance powers

Europe’s member states made 15-minute oral submissions during hearings on 9 and 10 September, arguing for the right to continue collecting bulk communications data without additional controls.

“All of the governments kept saying that generalised, indiscriminate retention is absolutely necessary,” said Siatitsa. “Every single government came up and said that, so the court is under a lot of pressure to do that.”

However, Anna Buchta, head of policy and constitution at the European Data Protection Supervisor, told the court that the data collected by governments should be limited.

She said that metadata – including the subject line of emails, addresses of websites visited, date, time and length of online conversations, the geographical location of the device, email headers, telephone numbers called, and the location of terminal equipment – “can be as revealing as the actual contents of the communication”.

“For example, it’s easy to infer some of the content of an email message from a subject field that reads: ‘Test results from your annual medical checkup last Monday’,” she said.

“Research has shown that a person can already be identified from a very limited amount of mobile phone location data. It has also been demonstrated that intimate details about a person’s lifestyle and beliefs, such as political leanings and associations, medical issues, sexual orientation, or habits of religious worship can be discovered through mobile phone traffic data.”

Specialised applications

Some applications for mobile devices are so specialised that just knowing they are used will allow profiling of a person. These include Grindr, which markets itself as a mobile social networking app for LGBTQ people.

Buchta said the collection of communications data should be limited to defined categories of data, each collected for a specific legal purpose. Data collection should be limited to data strictly necessary for each purpose for a limited retention period.

Governments should seek prior authorisation by a court or independent administrative body before harvesting private data, “given the often very revealing nature of the data”.

There should be further controls in place after member states have collected data, with sanctions for non-compliance, periodic reviews of the data retention and access systems, and a high degree of transparency, said Buchta.

France: Real-time surveillance

France’s highest administrative court, the Conseil D’État, asked the European Court of Justice whether the e-privacy directive permits the real-time collection of traffic and location data of specified individuals, and whether individuals should be informed that their data has been collected once the investigation is over.

The intervention follows two lawsuits filed by the French Data Network, a non-profit organisation, the campaigning group La Quadrature du Net, the federation of internet service providers FFDN, and a non-profit internet service provider, which called for the annulment of regulations which allow the indiscriminate retention of personal data in contravention of EU law.

Privacy International, which joined the case, along with the Centre for Democracy and Technology, argues that the data protection directive and the European Charter on Fundamental Human Rights prohibit the widespread and indiscriminate retention of all user and subscriber data.

EU law does not allow national governments to collect the traffic data and location data of individuals in real time without seeking prior authorisation from a court or independent body, it says in legal filings. EU law also precludes national governments collecting login data on individuals without notifying the people concerned as soon as the investigation is complete.

Privacy International claims in legal filings that communications data is “liable to allow very precise conclusions to be drawn” about people’s private lives, “such as everyday habits, permanent or temporary places of residence, daily or other movement, the activities carried out, the social relationships of those persons, and the social engagements frequented by them”.

Belgium asks for rights to continue data collection

Belgium’s constitutional court has asked the CJEU to decide whether EU law allows national legislation to compel telcos and internet service providers to retain the communications and location data for a wide range of purposes, including the investigation of serious crime, the safeguarding of national security, and defence.

The Belgian court has also asked Europe for permission to continue its collection and retention of electronic communications data on a temporary basis, and to use data previously collected and retained if the Constitutional Court found that its data retention law fails to meet EU law.

Legal action by NGOs has led to stronger oversight

The IPT submitted questions to the European Court of Justice after Privacy International filed a legal challenge in June 2015 over the intelligence agencies’ acquisition of bulk communications under section 94 of the Telecommunications Act 1984.

Privacy International also challenged the UK intelligence agencies’ acquisition of bulk personal datasets (BPDs), which contain personal data about individuals – the majority of whom are unlikely to be of interest – such as passport databases and finance-related activity of individuals.

The Investigatory Powers Tribunal ruled in 2016 that UK intelligence agencies had been unlawfully collecting the population’s mobile phone and internet data for 17 years, without adequate safeguards or supervision. The practice remained secret until November 2015, when the government “avowed” the practice with the introduction of the Investigatory Powers Bill, known as the Snoopers’ Charter.

In a separate case, the European Court of Human Rights ruled last year that GCHQ’s use of mass surveillance of online communications data breached privacy laws and lacked sufficient oversight and safeguards.

Bulk communications data

  • GCHQ and MI5 obtain bulk communications data, under section 94 of the Telecommunications Act 1984.
  • GCHQ collects data on email and telecommunications traffic from telephone and internet service providers, which is merged into data obtained from other forms of interception, including, for example, bulk collection from internet cables.
  • Around 5% of GCHQ’s original intelligence is based on material gathered under section 94.
  • MI5 has collected communications data from telephone and internet companies since 2005. MI5 argues that the data is anonymous, as no subscriber details are included. The data is of significant intelligence and security value. It retains bulk communications data for one year.
  • The existence of bulk communications data collection remained secret until November 2015, when it was disclosed along with the introduction of the Investigatory Powers Bill. 

The court acknowledged that the interception of data about people’s communications – including times and destinations of emails and phone calls, web pages visited, and mobile phone location – poses as serious a risk to individuals’ privacy as the interception of phone calls, emails and texts.

The UK’s mass surveillance programmes do not “meet the quality of law” and were not capable of limiting “interference” to that “necessary in a democratic society”, it said, following a five-year legal battle by 11 human rights groups, including Liberty, Amnesty and Privacy International.

One concern of privacy campaigners, which does not feature in the legal arguments in the European Court of Justice, is that once intelligence agencies have collected data for national security purposes, it can potentially be repurposed for other uses, such as checking up on people’s tax status.

For example, under one programme – codenamed Milkwhite – GCHQ made huge volumes of data about people’s online activities available to MI5, the Metropolitan Police, the then Serious Organised Crime Agency, the Police Service of Northern Ireland, the Scottish Recording Centre, and Her Majesty’s Revenue and Customs (HMRC).

The court has not given a timetable for responding to the questions.

The impact of the court’s decision on the UK will largely depend on the timing of Brexit. If the UK leaves the EU before the court has reached a decision, it will no longer come under the jurisdiction of the CJEU, and will not have to comply with any legislative changes.

However, if the UK is still a member of the EU when the court releases its decision, the UK may be forced to amend its data retention legislation.

EU’s data retention laws and key judgments

The ePrivacy directive allows member states to override the privacy rights of an individual’s electronic communications to safeguard national security, defence, public security, and the prevention, investigation, and detection of criminal offences – or the unauthorised use of electronic communications systems.

These rights are balanced by the Charter of Fundamental Rights of the European Union, which gives citizens the right to a private life, private communications and the right to protection of their personal data. Where national telcos and internet service providers retain data and share it with law enforcement, EU law would apply.

The EU data retention directive, passed in 2006, required member states to store their citizens’ telecommunications data for a minimum of six months and a maximum of 12. It allowed police and security agencies to access data about the public’s communications – including their IP addresses – subject to a court order. It was later declared invalid by the European Court of Justice of the EU, leaving the legal position on data retention in the EU uncertain.

In 2014, the European Court of Justice declared the EU’s data retention directive invalid, following a case brought by Digital Rights Ireland. The CJEU found that the directive interfered in a particularly serious manner with the fundamental rights to a private life and to the protection of personal data. It was likely to generate a feeling that people were under constant surveillance, unless individuals were told their data had been accessed.

In 2016, the CJEU found the EU law precluded the general and indiscriminate retention of communications data by governments, following legal action brought by MP Tom Watson. The judgment, known as Tele2/Watson, said that blanket data collection was unlawful, that only the data of those suspected of serious crimes should be accessed and that those who had their data accessed must be notified.
