Legal experts have warned that a European court ruling could spell trouble for the UK’s digital economy unless the government modifies its mass surveillance regime.
The Court of Justice of the European Union (CJEU) ruled yesterday that bulk collection or retention regimes in the UK, France and Belgium must be brought within EU law, even in cases of national security.
The ruling was a victory for Privacy International, which brought a case against the British security services after the government argued that EU privacy laws don’t apply in cases of national security.
“Today’s judgment reinforces the rule of law in the EU. In these turbulent times, it serves as a reminder that no government should be above the law. Democratic societies must place limits and controls on the surveillance powers of our police and intelligence agencies,” said Privacy International legal director, Caroline Wilson Palow.
“While the police and intelligence agencies play a very important role in keeping us safe, they must do so in line with certain safeguards to prevent abuses of their very considerable power. They should focus on providing us with effective, targeted surveillance systems that protect both our security and our fundamental rights."
Given that the UK’s mass surveillance law, the Investigatory Powers Act or “Snooper’s Charter,” allows for “general and indiscriminate” data collection on citizens with few safeguards, there may be trouble ahead for UK businesses.
That’s because the UK needs to agree a data protection “adequacy decision” with the EU to enable seamless data flows to and from the continent, something vital to its thriving digital economy.
Edward Machin, a lawyer in Ropes & Gray’s Privacy, Data Protection and Cybersecurity team, was pessimistic of this happening after yesterday's ruling.
“Today’s judgment means that the UK’s chances of receiving a data adequacy decision from the European Commission, which were already on life support, are now close to being read their last rites,” he argued.
“Even if it wanted to, a finding that Britain’s surveillance laws don’t align with EU standards makes it hard for the European Commission to green light a UK adequacy decision — particularly as its most high-profile adequacy framework, the EU-US Privacy Shield, was also recently struck down by the ECJ over concerns about government mass data collection.”
There is some potential legal wriggle room, however: the CJEU ruling allows for some bulk collection of data in specific national security cases up to “what is strictly necessary.” Further rulings may be required to clarify what this actually means in the eyes of EU judges.