In a case brought forward by newly appointed Brexit Minister David Davis and Labour's deputy leader Tom Watson the ECJ has ruled that law enforcement agencies may only collect data en-masse if it is used to tackle ‘serious crime'.
The case was brought to the Luxembourg-based court by the newly appointed Brexit Minister David Davis and Labour's deputy leader Tom Watson, as the pair seeked to challenge the legality of GCHQ's bulk interception powers.
The Danish advocate general, Henrik Saugmandsgaard Øe, chief justice of the court, clarified EU law, alongside 15 other European judges. This opinion is likely to be followed by the full court.
Saugmandsgaard Øe said only: “The fight against serious crime is an objective in the general interest that is capable of justifying a general obligation to retain data, whereas combating ordinary offences … are not.”
The court's final decision will be delivered in the coming months. The majority of judgments follow the line set out by the advocate general.
Javvad Malik, security advocate at AlienVault told SCMagazineUK.com, “It's an interesting opinion delivered by the Advocate General and one to keep an eye on to see how it pans out. This doesn't necessarily change anything from a technical perspective on how the data is collected or stored. What it does do is introduce safeguards into ensuring the data is only used where appropriate for serious crime.”
“For the UK, the implications will not be fully realised until the Brexit process has been undertaken. Depending upon the agreements put in place, it could be that European privacy laws will remain somewhat unchanged in their impact on the UK, or alternatively, they could mean nothing altogether.”
This ruling is followed by the two MPs, supported by the Law Society, successfully arguing in British courts that the Data Retention and Investigatory Powers Act (DRIPA) 2014 is illegal. .
Despite the win, the government appealed and the case was referred to the ECJ. Davis travelled to Luxembourg this spring to hear the case being argued at the ECJ.
He argued that the British government is “treating the entire nation as suspects” by ignoring safeguards on retaining and accessing personal communications data. Simultaneously, the Interception of Communications Commissioner's Office (IOCCO) released secret documents showing 15 secret “directions” in force under the Telecommunications Act enabling the intelligence services to collect bulk data.
The final outcome of the case is likely to impact the outcome of the highly controversial Investigatory Powers Bill which is now up for debate before parliament.
Looking closer to home
This preliminary ruling appears to bring European data retention practices closer into line over what safeguards should be imposed for bulk interception and retention of data. The issue was whether there are EU standards on data retention that need to be respected by member states in their domestic legislation.
However, concerns remain given that the Guardian newspaper recently reported how the watchdog which monitors government interception allowed MI5 to escape regular scrutiny of its bulk collection of communications data, according to documents released by Privacy International
A debate in the House of Lords revealed that the IP Bill will grant the UK's Secretaries of State, including the new Home Secretary Amber Rudd, the power to force communication service providers (CSPs) to block end-to-end encryption.
Nic Scott, managing director of UK&I at Code42, told SC that, “The Investigatory Powers Bill has been a long time coming, yet very little has been given away in terms of technical specifications. Until now. The government has made the first explicit admission that the bill will give Secretaries of State the power to have CSPs bypass encryption. This is a profoundly troubling statement both from a privacy and cybersecurity perspective.
“While tools to crack down on terrorism are more important than ever, the thing with encryption is that there are no half measures with it. You either have encryption in place or you don't. Once you create a backdoor for law enforcement purposes, you are also opening the door to other, potentially malicious, parties.
“Encryption is an absolutely essential element of securing any electronic communication and data protection. We cannot afford to lower the standards of privacy and data protection at the cost of individual and business safety.”