Home
 » ISP News » 
Sponsored Links

Questions for UK Gov as EU Court Rules on Internet Data Snooping

Tuesday, Oct 6th, 2020 (10:28 am) - Score 2,280
ip address Fiber optic cables for backbone lines on blue network background

The Court of Justice of the European Union (CJEU) has this morning issued a ruling that appears to impose restrictions on the general and indiscriminate retention of phone and internet data, which raises some new questions for the UK Government’s Investigatory Powers Act (IPAct) – also known as the “snoopers charter.”

At present the IPAct forces broadband ISPs and mobile operators into logging the Internet Connection Records (ICR) of all their customers for up to 12 months (e.g. the IP addresses of the servers you’ve visited and when), which can be accessed without a warrant and occurs regardless of whether or not you’re suspected of a crime. However, obtaining the actual content of a communication, still requires a warrant.

The Home Office have long maintained that such powers are needed to “protect national security and investigate serious crimes” and they’re “only used where it is absolutely necessary and proportionate and are independently authorised by the Office for Communications Data Authorisations, except in urgent or national security cases.”

However, in recent years, the CJEU has ruled, in several judgements, on the retention of and access to personal data in the field of electronic communications. The resulting case-law found that EU Member States “could not require” providers of such services to “retain traffic data and location data in a general and indiscriminate way“, which prompted some challenges from the affected states (UK, France, Belgium etc.).

The CJEU has today ruled (PDF) that EU law “precludes” national legislation requiring a provider of electronic communications services to carry out the “general and indiscriminate transmission or retention of traffic data and location data” for the “purpose of combating crime in general or of safeguarding national security,” but there are some exceptions to this.

CJEU Summary

However, in situations where a Member State is facing a serious threat to national security that proves to be genuine and present or foreseeable, that Member State may derogate from the obligation to ensure the confidentiality of data relating to electronic communications by requiring, by way of legislative measures, the general and indiscriminate retention of that data for a period that is limited in time to what is strictly necessary, but which may be extended if the threat persists.

As regards combating serious crime and preventing serious threats to public security, a Member State may also provide for the targeted retention of that data as well as its expedited retention. Such an interference with fundamental rights must be accompanied by effective safeguards and be reviewed by a court or by an independent administrative authority.

Likewise, it is open to a Member State to carry out a general and indiscriminate retention of IP addresses assigned to the source of a communication where the retention period is limited to what is strictly necessary, or even to carry out a general and indiscriminate retention of data relating to the civil identity of users of means of electronic communication, and in the latter case the retention is not subject to a specific time limit.

The UK could perhaps argue that their current rules are still compatible with this as they don’t strictly provide for the “general and indiscriminate” retention, but that may precipitate further challenges through the courts. At the same time others may well point to the fact that we’re due to completely leave the EU at the end of 2020 (Brexit), but that by itself doesn’t completely resolve the issue.

Part of the UK’s future relationship with the EU revolves around data adequacy, which is a status granted by the European Commission to countries outside the European Economic Area (EEA) who provide a level of personal data protection comparable to that provided in European law.

A final decision on the UK’s data adequacy status is expected as part of any Trade Deal, assuming one can be reached, by the end of this year. How much today’s ruling plays into that negotiation is an interesting one to consider.

UPDATE 1:59pm

We’ve had a useful opinion from a data protection lawyer.

Mark Taylor, Partner and Data Protection Lawyer for Osborne Clarke, told ISPreview.co.uk:

“The ruling is a setback, rather than a full defeat. The judgment does not prevent all data retention, nor all security service access to data. However, it indicates that the extent of current retention, and the legal controls around it, need adjustment to align with EU data protection laws.

It reinforces previous ECJ rulings that the UK security services’ powers around personal data are in scope of EU law, and do not fully align with it. This is very likely to be a point of contention in the European Commission’s consideration of whether to give the UK data adequacy status on Brexit. As such, this national security ruling has broader ramifications for UK business than might first appear.

Without an adequacy decision, UK businesses would be faced with the issue that their extensive, “business as usual” transfers between the EU and UK of personal data concerning employees, customers, suppliers etc would cease to be compliant with the GDPR’s rules on data transfers. For compliance to be restored, businesses would need to insert specific contractual provisions into their contracts – so called ‘standard contractual clauses’ – governing those transfers of personal data. Clearly this process would be a significant and disruptive project, requiring the investment of time and money.”

Share with Twitter
Share with Linkedin
Share with Facebook
Share with Reddit
Share with Pinterest
Mark-Jackson
By Mark Jackson
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England), he also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments. Find me on X (Twitter), Mastodon, Facebook and .
Search ISP News
Search ISP Listings
Search ISP Reviews
Comments
12 Responses
  1. Avatar photo A welshman says:

    An i right in thinking that Once brexit is complete the uk gov can do what they like and snoop on everyone . And i bet they will put into place mp’s are excluded

    1. Avatar photo CarlT says:

      As long as they either:

      1) Don’t get caught or
      2) Don’t mind not being able to handle EU information

      Certainly.

      Actually strictly speaking they can and always have been able to do this anyway. The UK has always been sovereign and has always had the ability to tell the ECJ to go rotate. It just comes with consequences.

    2. Avatar photo joe says:

      The EU position is in any sense risible. Asking for data transferred from the EU to be handled compliantly is not that unusual. You see this in biz all the time with international data in many deals/countries. But domestic data in the UK in quite another.

    3. Avatar photo Bob2002 says:

      Mass surveillance is collecting a haystack … that probably doesn’t have a needle in it in the first place(I’d be surprised if the NSA weren’t more capable than the British, and they were total failures) –

      >The NSA phone surveillance program was illegal and expensive: And it did not stop a single terrorist attack. – Mass surveillance costs millions of Dollars. Yet, it does not improve security.
      >
      >https://tutanota.com/blog/posts/nsa-phone-surveillance-illegal-expensive/

    4. Avatar photo AnotherTim says:

      “i bet they will put into place mp’s are excluded” – I suspect they are among the ones the security services watch most closely.

    5. Avatar photo CarlT says:

      Joe – company handling of data is quite irrelevant if the state whose jurisdiction they are in is dodgy. It can carry out actions that are perfectly legitimate under domestic laws but expose the data.

      Nothing risible about the position at all. A legal framework to protect it is sensible.

    6. Avatar photo joe says:

      @Carl and that would terminate the agreement

    7. Avatar photo 125us says:

      @Joe I don’t think it’s risible. In the context of wanting a trade deal, it’s entirely sensible to demand equality on data protection because presumably an outcome of any trade deal would be the ability for British businesses to sell to customers in the EU. The means holding data on EU citizens, and the choices are to insist on alignment or ban the processing of data about EU citizens within the U.K. and move the processing into the EU. Lots of my customers have done the latter because they don’t trust the British government not to mess it up.

  2. Avatar photo Buggerlugz says:

    Looking at the governments track record with this, certainly how the country isn’t kept safe, most especially from foreign criminals and terrorists I can’t see how its viable, let alone legal to snoop on everyone “just in case”.

    1. Avatar photo Mike says:

      They’ll use software to collect and analyse data, people seem to have this idea that government does everything manually and therefore will leave them alone, little do they know…

    2. Avatar photo baaaa says:

      Get your covid app now to be tracked like a good little sheep in 2021

  3. Avatar photo Mark says:

    The second they announced that the “Snoopers Charter” was coming in I subscribed to a VPN!

Comments are closed

Cheap BIG ISPs for 100Mbps+
Community Fibre UK ISP Logo
150Mbps
Gift: None
Virgin Media UK ISP Logo
Virgin Media £24.00
132Mbps
Gift: None
Shell Energy UK ISP Logo
Shell Energy £26.99
109Mbps
Gift: None
Plusnet UK ISP Logo
Plusnet £27.99
145Mbps
Gift: None
Zen Internet UK ISP Logo
Zen Internet £28.00 - 35.00
100Mbps
Gift: None
Large Availability | View All
Cheapest ISPs for 100Mbps+
Gigaclear UK ISP Logo
Gigaclear £15.00
150Mbps
Gift: None
YouFibre UK ISP Logo
YouFibre £19.99
150Mbps
Gift: None
Community Fibre UK ISP Logo
150Mbps
Gift: None
BeFibre UK ISP Logo
BeFibre £21.00
150Mbps
Gift: £25 Love2Shop Card
Hey! Broadband UK ISP Logo
150Mbps
Gift: None
Large Availability | View All
The Top 15 Category Tags
  1. FTTP (5472)
  2. BT (3505)
  3. Politics (2524)
  4. Openreach (2291)
  5. Business (2251)
  6. Building Digital UK (2234)
  7. FTTC (2041)
  8. Mobile Broadband (1961)
  9. Statistics (1778)
  10. 4G (1654)
  11. Virgin Media (1608)
  12. Ofcom Regulation (1451)
  13. Fibre Optic (1392)
  14. Wireless Internet (1386)
  15. FTTH (1381)
Promotion
Sponsored

Copyright © 1999 to Present - ISPreview.co.uk - All Rights Reserved - Terms , Privacy and Cookie Policy , Links , Website Rules , Contact
Mastodon