The EU’s top court has ruled that unrestrained mass surveillance of phone and internet data is unlawful, in the latest blow to the UK’s chances of securing a post-Brexit data-sharing agreement with the EU.
The European Court of Justice (ECJ) today handed out its much-anticipated verdict on government surveillance, ruling that the indiscriminate retention of data is illegal under EU law unless there is a “serious threat to national security”.
The Luxembourg-based court said large amounts of data can only be held by governments for the “limited” amount of time that is “strictly necessary”.
The decision is the result of legal proceedings brought by courts in Belgium, France and the UK, which called for the free transfer and retention of data by authorities to protect citizens.
The verdict will likely land a huge blow for spying agencies in those countries and further afield, which will see their data surveillance powers significantly quashed.
It also marks the latest upset for Britain’s chances of being handed a data adequacy decision by the European Commission when the UK formally leaves the bloc.
Currently, data transfers between EU countries go largely unhindered because nations are subject to the same GDPR laws.
However, the UK must ink a separate data sharing agreement with the EU once it leaves the single market at the end of the Brexit transition period in January.
The Prime Minister in February said the UK was planning to set up sovereign controls over its data sharing policies, and that Britain could diverge from EU rules once it leaves the bloc.
An adequacy decision would provide a de facto certification that data protection standards in the UK meet EU requirements.
However, experts have warned that today’s ruling significantly scuppers the UK’s chances of achieving such a decision.
Mark Taylor, partner and data protection lawyer at Osborne Clarke, said the decision “has broader ramifications for UK business than might first appear”.
“This reinforces previous ECJ rulings that the UK security services’ powers around personal data are in scope of EU law, and do not fully align with it,” said Taylor.
“This is very likely to be a point of contention in the European Commission’s consideration of whether to give the UK data adequacy status on Brexit.
“Without an adequacy decision, UK businesses would be faced with the issue that their extensive, ‘business as usual’ transfers between the EU and UK of personal data concerning employees, customers, suppliers would cease to be compliant with the GDPR’s rules on data transfers.”
Estelle Massé, senior policy analyst at digital rights NGO Access Now, said the decision rendered the chances of the UK achieving an adequacy decision as “slim”.
“Today’s decision is a blow to the UK’s hope to get an adequacy decision from the EU,” she said. ‘The EU court found that UK surveillance measures on bulk retention and access of communication data are incompatible with EU fundamental rights.”
It comes after the ECJ in July banned Privacy Shield — a data sharing deal between the EU and US — in a sweeping judgement that set the groundwork for the UK’s data agreement with the bloc.
Mark Lubbock, partner in the innovation and technology group at law firm Brown Rudnick said the decision would cause a headache for all governments, but in particular would make it much more difficult to ferry data cross the Channel post-Brexit.
“Large swathes of EU-US data transfers may be in breach of GDPR [rules] and, once the transition period is over, data transfers between the EU and the UK will become much more difficult,” he said.
Lubbock told City A.M. the combination of the Privacy Shield ban and today’s judgement by the ECJ “could have significant consequences for British commerce and industry and especially for the UK’s world leading financial services sector”.
“Businesses and banks operating in the EU after 1 January may not have a easily available mechanism to transfer personal data to the UK,” he said.
“This could… mean that messaging networks used by banks and other financial institutions to send and receive information, such as money transfer instructions will not be able to operate through London.”