The Strategist

EU Court outlaws massive collection of user data

10/07/2020 - 03:52

The Court of Justice of the European Union, the highest court in the EU, has severely restricted mass continuous collection and storage of user data via mobile and internet providers for EU governments, including law enforcement agencies and intelligence services.

An exception is permitted only if national security is threatened. The court emphasized, however, that the collection of data to counter such a threat must be limited in time and be accompanied by effective guarantees of supervision by courts or independent administrative authorities.

The Court's decision states that "EU law excludes the use of national law provisions that require electronic communication service providers to provide mass transmission or storage of Internet traffic and location data to combat crime in general or to protect national security in general". The decision of the EU Court of Justice states that " EU State may partially derogate from its data privacy obligations in situations where an EU State is facing an immediate and serious threat to national security, which is real at the moment or in the near future".

However, the EU Court of Justice noted that "such data collection and storage should be limited in time and within the limits necessary to prevent this particular threat".

In addition, the EU Court ruled that "such interference with fundamental rights  must be accompanied by supervision by courts or independent administrative authorities".

The EU Court thus took the side of human rights organizations, which demanded clarification of the Court's position in a number of cases where some EU countries have passed laws allowing law enforcement and/or intelligence agencies to collect massive amounts of user data in a timelimited manner in the fight against terrorism. Reference is made in particular to the British law 2016 on the legal regulation of investigative agencies, the French decree on the powers of intelligence agencies adopted in 2015 and the Belgian law 2016 which allows the collection and storage of data from providers.