The Court of Justice of the European Union (CJEU) yesterday ruled that the scope of European fundamental rights to privacy, data protection and freedom of expression extends to mass data retention and collection for national security purposes.

In judgments for three cases concerning the UK, France and Belgium, the Court found that despite national security being deemed within the scope of national authorities in member states, EU privacy rules nevertheless have jurisdiction over national rules requiring companies to collect (in the UK case) and retain (in the French and Belgian cases) general and indiscriminate bulk communications data – such as traffic, location and subscriber data – with security agencies.

Privacy International, which brought the UK case, had originally challenged the bulk acquisition and use of communications data by the British Security and Intelligence Agencies, GCHQ, MI5 and MI6, before the UK’s Investigatory Powers Tribunal in 2015, in which the UK government held that the bulk communications data regime was outside the scope of EU law as a national security matter. The IPT referred to the matter to the CJEU.

“Today’s judgment reinforces the rule of law in the EU. In these turbulent times, it serves as a reminder that no government should be above the law. Democratic societies must place limits and controls on the surveillance powers of our police and intelligence agencies.

Caroline Wilson Palow, Legal Director of Privacy International

“While the Police and intelligence agencies play a very important role in keeping us safe, they must do so in line with certain safeguards to prevent abuses of their very considerable power. They should focus on providing us with effective, targeted surveillance systems that protect both our security and our fundamental rights.”

Separately, the UK is currently awaiting an adequacy decision from the European Commission which will be vital in ensuring the transfer of data between the EU and the UK after the Brexit transition period ends. But earlier this year, the CJEU struck down the Privacy Shield which had previously allowed data transfers between the US and the EU over the issue of US surveillance laws.

“I think maybe in this case for the UK, it will be problematic because they need to get this adequacy decision and, as long as this regime is in place, they cannot support their findings or their ideas that they have adequate protection of personal data. They are sort of in a similar situation now as the US with no longer being valid of the Privacy Shield, which was decided last July. They also lack an adequacy decision, so there is no clear regime for transferring data to the US – and this will be the same for the UK, I’m afraid,”

Arnold Roosendaal, Director of Privacy Company

However, the Court also held that in the event of a serious threat to national security that proves to be genuine and present or foreseeable, EU member countries could allow indiscriminate and bulk retention of data for a time-limited period by way of legislative measures.

It also set out scope for the targeted retention of that data as well as its expedited retention for the purposes of combating serious crime and preventing serious threats to public security, if accompanied by safeguards and reviewed by a court or independent administrative authority.