According to the Advocate General, ISPs cannot be forced by the authorities to hand over customers' personal data in bulk, including sensitive private data such as IP addresses, even when authorities claim that there is a national security issue at hand.
The Advocate General said: “The fight against terrorism must not be considered solely in terms of practical effectiveness, but in terms of legal effectiveness, so that its means and methods should be compatible with the requirements of the rule of law.” Any new law must be “carried out in accordance with established procedures for accessing legitimately retained personal data and are subject to the same safeguards.”
In short, this means that US-style unlimited storage of personal data remains illegal in the European Union. This opinion is in line with EU court rulings against general and indiscriminate data retention in 2014 and 2016. Back then, the European Court of Justice ruled that data retention is incompatible with the EU’s E-Privacy Directive.
While the opinion is non-binding, the EU court is expected to follow the adviser's recommendation. A ruling will come in a few months.
This recommendation is the latest battle in an ongoing war over privacy rights between data protectionists and the authorities. While data protectionists fear an institutionalization of mass surveillance of all citizens without legal oversight, the authorities argue that general data retention is necessary to fight terrorism. Even though it has been proven again and again that mass surveillance does not lead to more security, authorities claim that European privacy laws must not be considered when passing laws concerning national security.
Advocate General Campos Sánchez-Bordona now stated: "When the cooperation of private parties, on whom certain obligations are imposed, is required, even when that is on grounds of national security, that brings those activities into an area governed by EU law: the protection of privacy enforceable against those private actors. Accordingly, the Directive is applicable, in principle, where providers of electronic services are required by law to retain data belonging to their subscribers and to allow the public authorities to have access to such data, as in the cases under consideration, irrespective of whether those obligations are imposed on such providers for reasons of national security."
Privacy International set the ball rolling by bringing the case before the Investigatory Powers Tribunal (IPT) in 2015, even before the UK passed the Snoopers' Charter, a highly criticized surveillance law.
Privacy International has challenged the "acquisition, use, retention, disclosure, storage and deletion of bulk personal datasets (BPDs) and bulk communications data (BCDs) by the UK Security and Intelligence Agencies (SIAs) – specifically Government Communications Headquarters (GCHQ), Security Service and Secret Intelligence Service".
Similar lawsuits were also filed in France and Belgium.
In the end, this lawsuit by Privacy International became a very important challenge to the UK's Snoopers' Charter, the most extreme surveillance law ever passed in a democracy.
This law, as well as the surveillance laws in France and Belgium, has now been called out as incompatible with EU law. While we still have to wait for the ruling by the European Court of Justice (ECJ), it looks very likely that the surveillance laws in France and Belgium are going to be declared illegal.
The UK is a slightly different story due to Brexit. Nevertheless, the UK is also expected to have to change its laws if it wants to continue to share data with other European countries.
Now everyone is waiting for the ruling by the European Court of Justice.