
Questions for UK Gov as EU Court Rules on Internet Data Snooping

Tuesday, October 6th, 2020 (10:28 am) - Score 2,256

The Court of Justice of the European Union (CJEU) has this morning issued a ruling that appears to impose restrictions on the general and indiscriminate retention of phone and internet data, which raises some new questions for the UK Government’s Investigatory Powers Act (IPAct) – also known as the “snoopers charter.”

At present the IPAct forces broadband ISPs and mobile operators into logging the Internet Connection Records (ICR) of all their customers for up to 12 months (e.g. the IP addresses of the servers you’ve visited and when), which can be accessed without a warrant and occurs regardless of whether or not you’re suspected of a crime. However, obtaining the actual content of a communication still requires a warrant.

The Home Office have long maintained that such powers are needed to “protect national security and investigate serious crimes” and they’re “only used where it is absolutely necessary and proportionate and are independently authorised by the Office for Communications Data Authorisations, except in urgent or national security cases.”

However, in recent years, the CJEU has ruled, in several judgements, on the retention of and access to personal data in the field of electronic communications. The resulting case-law found that EU Member States “could not require” providers of such services to “retain traffic data and location data in a general and indiscriminate way”, which prompted some challenges from the affected states (UK, France, Belgium etc.).

The CJEU has today ruled (PDF) that EU law “precludes” national legislation requiring a provider of electronic communications services to carry out the “general and indiscriminate transmission or retention of traffic data and location data” for the “purpose of combating crime in general or of safeguarding national security,” but there are some exceptions to this.

CJEU Summary

However, in situations where a Member State is facing a serious threat to national security that proves to be genuine and present or foreseeable, that Member State may derogate from the obligation to ensure the confidentiality of data relating to electronic communications by requiring, by way of legislative measures, the general and indiscriminate retention of that data for a period that is limited in time to what is strictly necessary, but which may be extended if the threat persists.

As regards combating serious crime and preventing serious threats to public security, a Member State may also provide for the targeted retention of that data as well as its expedited retention. Such an interference with fundamental rights must be accompanied by effective safeguards and be reviewed by a court or by an independent administrative authority.

Likewise, it is open to a Member State to carry out a general and indiscriminate retention of IP addresses assigned to the source of a communication where the retention period is limited to what is strictly necessary, or even to carry out a general and indiscriminate retention of data relating to the civil identity of users of means of electronic communication, and in the latter case the retention is not subject to a specific time limit.

The UK could perhaps argue that their current rules are still compatible with this as they don’t strictly provide for the “general and indiscriminate” retention, but that may precipitate further challenges through the courts. At the same time others may well point to the fact that we’re due to completely leave the EU at the end of 2020 (Brexit), but that by itself doesn’t completely resolve the issue.

Part of the UK’s future relationship with the EU revolves around data adequacy, which is a status granted by the European Commission to countries outside the European Economic Area (EEA) who provide a level of personal data protection comparable to that provided in European law.

A final decision on the UK’s data adequacy status is expected as part of any Trade Deal, assuming one can be reached, by the end of this year. How much today’s ruling plays into that negotiation is an interesting question to consider.

UPDATE 1:59pm

We’ve had a useful opinion from a data protection lawyer.

Mark Taylor, Partner and Data Protection Lawyer for Osborne Clarke, told ISPreview.co.uk:

“The ruling is a setback, rather than a full defeat. The judgment does not prevent all data retention, nor all security service access to data. However, it indicates that the extent of current retention, and the legal controls around it, need adjustment to align with EU data protection laws.

It reinforces previous ECJ rulings that the UK security services’ powers around personal data are in scope of EU law, and do not fully align with it. This is very likely to be a point of contention in the European Commission’s consideration of whether to give the UK data adequacy status on Brexit. As such, this national security ruling has broader ramifications for UK business than might first appear.

Without an adequacy decision, UK businesses would be faced with the issue that their extensive, “business as usual” transfers between the EU and UK of personal data concerning employees, customers, suppliers etc would cease to be compliant with the GDPR’s rules on data transfers. For compliance to be restored, businesses would need to insert specific contractual provisions into their contracts – so called ‘standard contractual clauses’ – governing those transfers of personal data. Clearly this process would be a significant and disruptive project, requiring the investment of time and money.”

By Mark Jackson
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England). He also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments.
12 Responses
  1. A welshman says:

    Am I right in thinking that once Brexit is complete the UK gov can do what they like and snoop on everyone? And I bet they will put into place MPs are excluded

    1. CarlT says:

      As long as they either:

      1) Don’t get caught or
      2) Don’t mind not being able to handle EU information


      Actually strictly speaking they can and always have been able to do this anyway. The UK has always been sovereign and has always had the ability to tell the ECJ to go rotate. It just comes with consequences.

    2. joe says:

      The EU position is in any sense risible. Asking for data transferred from the EU to be handled compliantly is not that unusual. You see this in biz all the time with international data in many deals/countries. But domestic data in the UK is quite another.

    3. Bob2002 says:

      Mass surveillance is collecting a haystack … that probably doesn’t have a needle in it in the first place (I’d be surprised if the NSA weren’t more capable than the British, and they were total failures) –

      >The NSA phone surveillance program was illegal and expensive: And it did not stop a single terrorist attack. – Mass surveillance costs millions of Dollars. Yet, it does not improve security.

    4. AnotherTim says:

      “i bet they will put into place mp’s are excluded” – I suspect they are among the ones the security services watch most closely.

    5. CarlT says:

      Joe – company handling of data is quite irrelevant if the state whose jurisdiction they are in is dodgy. It can carry out actions that are perfectly legitimate under domestic laws but expose the data.

      Nothing risible about the position at all. A legal framework to protect it is sensible.

    6. joe says:

      @Carl and that would terminate the agreement

    7. 125us says:

      @Joe I don’t think it’s risible. In the context of wanting a trade deal, it’s entirely sensible to demand equality on data protection because presumably an outcome of any trade deal would be the ability for British businesses to sell to customers in the EU. That means holding data on EU citizens, and the choices are to insist on alignment or ban the processing of data about EU citizens within the U.K. and move the processing into the EU. Lots of my customers have done the latter because they don’t trust the British government not to mess it up.

  2. Buggerlugz says:

    Looking at the government’s track record with this, certainly how the country isn’t kept safe, most especially from foreign criminals and terrorists, I can’t see how it’s viable, let alone legal, to snoop on everyone “just in case”.

    1. Mike says:

      They’ll use software to collect and analyse data, people seem to have this idea that government does everything manually and therefore will leave them alone, little do they know…

    2. baaaa says:

      Get your covid app now to be tracked like a good little sheep in 2021

  3. Mark says:

    The second they announced that the “Snoopers Charter” was coming in I subscribed to a VPN!
