EU court slams indiscriminate data collection, opening challenge to British cyber law

The law requires telecommunications companies to store the web and message history of Britons for the government to access. But Europe's highest court ruled such a law is unjustifiable in a democratic society. 

First Look

The general and indiscriminate collection and storage of data such as internet search histories and usage of messages and apps is not justifiable in a democratic society, Europe's highest court ruled Wednesday.

The decision by the European Court of Justice in Luxembourg is a defeat to Britain’s new cyber-surveillance law, which requires telecommunications companies to keep records and web activity of Britons for one year, and allows government officials unprecedented access to this database. The 15-judge panel found it unlawful for European governments to force communication companies to retain all user data, presenting challenges for laws such as Britain's Investigatory Powers Act, which gave such access to a range of departments – one of several countries wrestling with security and privacy concerns amid terrorist threats that some argue demand more data tracking.

The high court's decision stems from a legal challenge in Britain over the law, which opponents dubbed the "snooper's charter." The Investigatory Powers Act was first introduced in British parliament in May 2015 to replace the expiring Data Retention Investigatory Powers Act. One part of the legislation required telecommunications companies to create a database of websites Britons visited and messages and apps they used. This information would remain in a database officials could access for up to a year. Excluded from the database, however, were specific pages Britons visited or the contents of the messages they sent.

But British politicians David Davis and Tom Watson, backed by civil liberties groups, challenged the legality of the law. They won that legal challenge in the British High Court, but the government appealed the decision and the case was referred to the European Court of Justice.

In its summary ruling, the Luxembourg court found electronic communications allow “very precise conclusions to be drawn concerning the private lives of persons whose data has been retained,” as The Guardian reported.

“The fact that the data is retained without the users of electronic communications services being informed of the fact is likely to cause the persons concerned to feel that their private lives are the subject of constant surveillance,” wrote the court. “Legislation prescribing a general and indiscriminate retention of data … exceeds the limits of what is strictly necessary and cannot be considered to be justified within a democratic society.”

Instead, the court said only “fighting serious crime” such as terrorism could justify such state interference. In that case, officials must request a court or independent body authorize the access of such data.

The case will now return to a British court of appeal to resolve the country’s cyber-surveillance law.

In the ECJ case, lawyers for the British government argued cyber-communications have been central to recent terror investigations. British Home Secretary Amber Rudd put forth a similar argument when she described the purpose of the law in November, after the bill received Royal Assent.

“At a time of heightened security threat, it is essential our law enforcement, security and intelligence services have the powers they need to keep people safe,” Secretary Rudd said, adding that the internet “presents new opportunities for terrorists” that the country must now address.

But Liberty, the civil liberties group that backed the legal challenge, said the ruling meant Britain’s law must be changed right away.

“Today’s judgement upholds the rights of ordinary British people not to have their personal lives spied on without good reason or an independent warrant,” said Liberty director Martha Spurrier.

The ruling applies to the British law as long as the Kingdom remains a member of the European Union. But once the government carries through with a successful referendum to leave the EU, the ruling could become merely “academic” in the privacy vs. security debate, according to The Guardian.

The ruling comes at a time when Europe and the United States are testing the boundaries of surveillance to thwart perceived terrorist attacks.

“In the wake of the [Paris attack] that left 130 dead, European governments bemoaned an intelligence ‘black hole’ stemming from countries failing to share intelligence. Now, lawmakers are considering ways of enhancing surveillance practices and rethinking many privacy safeguards designed to prevent pervasive data tracking and collection across Europe,” Rachel Stern reported for The Christian Science Monitor in February.

Such considerations have included governments having a so-called “master key that officials could use to unlock encrypted communications to disrupt terrorists’ use of the Internet,” an idea harshly criticized by digital rights and civil liberties groups.

Apple's chief executive, Tim Cook, offered a similar argument in refusing to comply with the US government's order to unlock the iPhone of Syed Rizwan Farook, who, with his wife, killed 14 people in an attack in San Bernardino, California last December.

If Apple built the software to do so, it would risk creating an unacceptable "master key," Mr. Cook said, compromising the encryption of all the company's devices.

This report contains material from Reuters and the Associated Press.