EU Court Rules Users’ Data Can't Be Collected by ISPs for Surveillance

In a blow to countries that require Internet Service Providers (ISPs) to store and make their customers' data available to national intelligence agencies, the Court of Justice of the European Union (CJEU) struck down the practice in a ruling against France, the United Kingdom and Belgium.

The decision, however, affects any country in the EU following the same practice, with an exception being made in cases of clear and immediate danger to national or public security.

It came amid growing surveillance by governments on their citizens in a digital age, making it technically easier to gather information based on the sites that users follow, many not knowing the ISP's are logging their traffic.

The court said the UK's data retention laws, the so-called “Snooper's Charter” which forces ISPs and mobile operators to store customer data up to a year even if there is no suspicion of a crime, break the EU's privacy laws, Fortune reported.

The UK's Investigatory Powers Act allows British authorities to examine, without a warrant, which servers a customer connects to and when, the magazine site's report noted. The practice is among the most intrusive in the EU.

Privacy groups are fighting government surveillance programs they said are designed to spy on citizens and let national intelligence agencies cull information and build dossiers, almost always without targets knowing.

The ruling said the EU’s 2002 ePrivacy Directive “precludes national legislation requiring providers of electronic communications services to carry out the general and indiscriminate transmission of traffic data and location data to the security and intelligence agencies for the purpose of safeguarding national security.”

Caroline Wilson Palow, Legal Director of Privacy International, one of the activist groups that launched the cases, told the news site that, “Today’s judgment reinforces the rule of law in the EU.”

She added that, “In these turbulent times, it serves as a reminder that no government should be above the law. Democratic societies must place limits and controls on the surveillance powers of our police and intelligence agencies.”

In 2014 the CJEU struck down an eight-year-old EU law that mandated similar activity across Europe, saying the Data Retention Directive did not include enough safeguards for people’s privacy, undermined its purpose.

Some countries kept their data retention laws anyway, arguing it was a sovereign question outside the jurisdiction of the EU.

At the end of 2016, the CJEU again ruled national laws were not acceptable without safeguards to protect privacy, which is such a paramount issue in the EU that even the names of suspected killers and terrorists haven't been revealed.

Curiously, countries still collecting data were supported by the European Commission against the EU's own court, but the CJEU decision reiterated that can't be done, absent compelling evidence of national or public security needs.

The court went beyond that, ruling that national courts have to disregard evidence gathered through the “general and indiscriminate” retention of traffic and location data although it wasn't clear if that would be obeyed or ignored.

There was an out though, a potential loophole that could further irk privacy groups fighting the growing tendency of governments to become Big Brother data gatherers.

The court said ISPs could still be required to collect and turn over information on Internet use if it's proved a government faces “a serious threat to national security that proves to be genuine and present or foreseeable.”

That can also be done “on the basis of objective and nondiscriminatory factors, according to the categories of persons concerned or using a geographical criterion,” although it wasn't said who would decide that.

Countries can even force electronic communications providers to collect traffic and location data in real time, as long as it’s limited to suspected terrorists, and a court or independent body has authorized the measure, the report said.