Greetings from Brussels!
There was an interesting opinion from the European Court of Justice this week. Advocate General Manuel Campos Sánchez-Bordona issued a legal opinion that could effectively limit the ability of national (EU) security agencies to seize and hold bulk personal data indiscriminately on national security grounds. Mass surveillance is clearly not a byword for “cool Europe” in Luxembourg these days.
Think of it, all that unrestrained, unbridled access the security agencies will have to your phone and internet user data. The nonbinding opinion is in response to several cases in the U.K., France and even Belgium where the governments are looking for greater powers to override existing data privacy laws. The advocate general argued that EU law applies and advised that the court should continue to uphold its 2016 ruling that the general and indiscriminate retention of data is incompatible with the ePrivacy Directive based on the EU’s charter of fundamental rights.
More specifically, in a related ECJ news release, the advocate general clarified that member state courts could only permit their security agencies to force telecoms providers to retain personal data “on an exceptional and temporary basis” if national law permits; the means and methods must ultimately be compatible with the rule of law. Although one could argue the use of an “exceptional and temporary” basis is an argument easily stretched. Nonetheless, this is an important opinion considering its timing, when the EU and member state governments have to reassess the future of the current (failed) ePrivacy Regulation; the advocate general's view will most likely set minds thinking.
One additional aspect stands out here, and it is worth bearing in mind that as the U.K. is in the process of leaving the EU at the end of the month, this development could further create complications. Following Brexit and during the transition period ending in December, EU law and trade regulations will remain in effect across the channel; the EU will need to negotiate an adequacy agreement with the U.K. during this time frame. There is a expressed hope on both sides that an agreement can be reached before the U.K. exits the EU data protection regime. However, the effect of an eventual ECJ case ruling reflecting the advocate general’s opinion could have an influence on adequacy proceedings. The U.K. “Snoopers” Charter has always been controversial in that it gives the U.K. security services extraordinary reach and powers to access data. Moreover, if an ECJ ruling restricted the rights of national security agencies to force internet providers and telecoms to retain communication data, it would “de facto” create a more stringent standard of data privacy protection in the EU.
That aside, France and Belgium, among other member states, may also have to face some national legislative scrutiny of their own; their intelligence services have similar reach. This development is all the more interesting as it lends to a converging conflict of different political interests: on the one hand, the national member state competence of national security, and on the other, the EU area of competence in the field of privacy and fundamental rights. In essence, what the advocate general is stating is that when national security becomes an obligation for companies operating within the internal market, then it becomes an EU problem, as well. This dilemma will take some cool heads to sort out.