There is a lot of controversy surrounding mass surveillance programs.
Governments around the world insist they’re necessary for state security and crime prevention. But, oftentimes, they’re overreaching and become privacy nightmares to citizens.
And the Court of Justice of the European Union would seem to agree because it ruled that that the mass surveillance programs in the UK, France, and Belgium must respect privacy.
EU’s top court rules in favor of privacy
On October 6, 2020, the Court of Justice of the European Union, CJEU, issued judgments in three cases.
The ruling results from four cases in France, Belgium, and the United Kingdom in which governments have called for the extension of surveillance tools for the protection of their citizens. They revolved around a series of national laws that allow agencies access to phone and internet users’ data.
Rights advocacy groups filed the cases:
- Privacy International brought legal challenges to bulk collection powers from the UK’s Investigatory Powers Act.
- A La Quadrature du Net (and others’) challenged a 2015 French decree related to specialized intelligence services.
- There was also a challenge to Belgium’s 2016 law on the collection and retention of comms data.
The CJEU made it clear that national security concerns do not exempt EU state members from complying with the general principles of EU law. They need to respect the fundamental rights to privacy, data protection, and freedom of expression.
Governmental access to information like traffic and location data will have to be restricted.
NEWS! Ruling by EU’s highest court finds that UK, French and Belgian mass surveillance regimes must respect privacy, even in the context of national security: https://t.co/mxqCCgP2fc pic.twitter.com/I8O2YdGBTA— Privacy International (@privacyint) October 6, 2020
The governments of EU countries are legally compelled to ensure that the retention, access, and use of any data meets specific requirements. And these requirements act as safeguards meant to balance the personal privacy and protection of citizens.
Today’s judgment reinforces the rule of law in the EU. In these turbulent times, it serves as a reminder that no government should be above the law. Democratic societies must place limits and controls on the surveillance powers of our police and intelligence agencies. While the Police and intelligence agencies play a very important role in keeping us safe, they must do so in line with certain safeguards to prevent abuses of their very considerable power. They should focus on providing us with effective, targeted surveillance systems that protect both our security and our fundamental rights.Caroline Wilson Palow, Legal Director, Privacy International
In addition to this, the ruling raised some interesting questions over the UK’s chances of gaining a data protection agreement from the European Commission. Seeing as how the UK will leave the EU in 2021, this might play an essential role in ensuring digital data flows in the future.
Mass surveillance in the EU
Data collection poses one of the biggest threats to privacy in this digital age, now that every app collects user data to varying degrees.
In the EU, legislating bodies have been trying to regulate how much data private companies can access. The Data Protection Directive regulates personal data processing within the EU countries, with the General Data Protection Regulation being an excellent example of this.
So, what made France, the UK, and Belgium stand out in the EU?
Let me tell you all about it.
The Intelligence Act of July 24, 2015, is what justifies extrajudicial surveillance in the name of state security, including:
- Surveillance through telephone or Internet wiretaps,
- Access to identifying data and other metadata,
- Computer network exploitation.
The act authorized the use of network scanning devices and allowed them to be installed on telecom operators and hosting providers’ infrastructures. These devices were colloquially referred to as black boxes, enabling real-time data collection.
One of the worst things the act turned into a reality is the authorized computer network exploitation. The government made hacking legal in the name of monitoring.
And considering that for nearly fifteen years, the French government has been requiring Internet Service Providers, ISPs, and phone carriers to log metadata of the entire population, that’s quite a lot of data for state security.
Traffic and location data are also logged and stored for up to three years. If the interval sounds scary, buckle up: The Intelligence Act wants to up that to six years.
Web hosting services, social media, and online forums also have to monitor their users and keep track of their data, DM contents, IPs, and timestamps.
The United Kingdom
The UK is notorious for its Government Communications Headquarters, GCHQ. Over the years, the organization’s increase in surveillance capabilities has not gone unnoticed, reaching new heights with the Investigatory Powers Act 2016.
The bill introduced new powers for:
- Targeted interception of communications
- Bulk collection of communications data
- Bulk interception of communications.
ISPs are also required to keep a list of internet connections and website visits for a year. Police and intelligence officers may seek approval for access to these records without a warrant as part of a targeted investigation.
Back then, the CJEU ruled that the retention and acquisition of communications data can only be justified when fighting a serious crime. Only strictly necessary data is retained and kept within the EU’s borders.
It looks like that ruling did not age well.
The Belgian Intelligence and Security Agency was established in 1830. As one of the world’s oldest agencies, it had a lot of time to refine its methods.
Now, Belgium’s State Security Service keeps quite a bit of data.
Data retention requirements apply to companies providing or reselling any electronic communication services in Belgium, like:
- Phone services
- Mobile phone services
- Internet-access services
- Email services
- Internet telephony services.
Generally, these providers need to retain identification data regarding the end-users, the communication equipment and the communication service they used, and traffic and location data.
What’s more, in 2013, Belgium tried pushing the Royal Decree of September 19 Executing Article 126 of the Electronic Communication Act of June 13, 2005, turning the EU Data Retention Directive into Belgian law.
Through this act, authorities wanted telecom companies to retain even more data on their users, including invoice details, and give judicial authorities more access to information.
The decree also looked to increase retention periods significantly.
The EU directive proposed a retention period of a minimum of six months but not more than two years.
However, the Royal Decree asked for all data to be retained for 12 months after the last contact with the service.
As you can imagine, the Royal Decree was met by massive backlash from privacy activists and citizens alike.
Striking a balance between national security and privacy
Should national security outweigh privacy? The debate has been going on for quite some time now.
Modern liberal democracies aim to protect the rights of their citizens, including privacy and public safety.
But does national security increase public safety?
After the tragic events of 9/11, the law enforcement and intelligence community were criticized for not preventing the attacks. Intelligence agencies were familiar with the attackers and even had them registered in some databases.
Yet history unfolded as it did.
Since then, increases in surveillance have been justified as necessary for combating terrorism. And the UK, France, and Belgium; they’ve all been plagued by such attacks.
For example, France’s Intelligence Act was a result of the Charlie Hebdo shooting. But Jean-Yves Le Drian, the former French Minister of Defense, has previously dismissed privacy concerns in the fight against terrorism, claiming surveillance is necessary to curb such attacks.
However, the connection between an increase in surveillance and a drop in terrorist attacks has yet to be proven.
Find more statistics at Statista
Please note the graph doesn’t take into account the number of victims and the scale of the attack.
Critics argue that terrorism is a complex topic with cultural, social, and economic influences that cannot be fixed by surveillance. Plus, bulk data collection is problematic, especially in the context of increased data breaches.
The CJEU stated there’s insufficient oversight on the filtering, search, and selection of intercepted communications for examination. This means bulk data collection is unavoidable with our current state of technology.
There are no adequate safeguards to ensure that citizens’ data doesn’t fall into the government’s hands, but it’s necessary to look at:
- The nature of the offenses
- Who are the people having their communications intercepted
- A limit on the duration of interception
- The procedures of examining and using data
- What precautions should be taken when sharing data with other parties
- The circumstances for data erasure.
Some of these measures could prevent government overreach, but they could prove difficult to turn into standards.
At the moment, it’s not clear how Frace, the UK, and Belgium will change their legislation to account for more privacy. But the CJEU’s ruling is a step in the right direction.
What do you think? Can a surveillance program that doesn’t affect the citizens even exist? Do you value privacy or security more, and where do you draw the line?
Let me know in the comments below!
Until next time, stay safe and secure!