Telcos should only retain metadata to fight serious crime, EU judge says

The legal opinion threatens the UK's Investigatory Powers Bill, say digital rights campaigners

Governments may order telcos to retain customer data, but only to fight serious crime, a top European Union judge has advised.

Lobby groups European Digital Rights (EDRi) and Privacy International welcomed the recommendation, saying it adds to a growing body of legal opinion opposing mass data retention. It could even, said Privacy International, derail the U.K.'s Investigatory Powers Bill, introduced in March by Theresa May, then home secretary and now prime minister.

Advocate General Henrik Saugmandsgaard Øe advised that a general obligation to retain data may be compatible with EU law, but cautioned that laws imposing such obligations should respect personal privacy and impose strict controls on access to the retained data, its security, and the period it is kept. Furthermore, such obligations can only be justified when strictly necessary in the fight against serious crime.

Øe gave his opinion Tuesday on two cases before the Court of Justice of the EU challenging data retention laws in Sweden and the U.K. Such opinions are only advisory but are often followed by the full court, which is now beginning its deliberations on the cases.

The CJEU was called on to rule on legal questions referred by national courts in Sweden and the U.K. regarding the retention of telecommunications metadata: information about who contacted whom, when, how, and for how long. Such information can be useful in investigating crimes, but its mass retention without good reason is considered by some a breach of privacy rights.

That was the view of the CJEU when, in 2014, it struck down the 2006 EU Data Retention Directive in a case involving Digital Rights Ireland.

However, since then, EU member states have continued to introduce or enforce data retention legislation in conflict with the CJEU's ruling, according to EDRi.

"It is time for EU member states to start respecting the law. It is time for the European Commission to do its job to ensure that the law is respected," EDRi executive director Joe McNamee said via email. "Data retention is an extreme measure which can only be implemented if the criteria repeatedly laid down by the court are respected."

Privacy International general counsel Caroline Wilson Palow hopes the CJEU will follow the advocate general's opinion, which she sees as a serious blow to the U.K.'s Investigatory Powers Bill, she said via email.

The mass surveillance powers the bill would introduce go far beyond the tackling serious crime that the advocate general sees as acceptable.

"They would give a range of public bodies, not just the police and intelligence agencies, the power to access the personal data of innocent people, often without any form of warrant," she wrote.

The fate of the Investigatory Powers Bill depends on a number of factors. The upper house of the U.K.'s parliament, the House of Lords, still has a final say in its content.

Beyond that, even if the CJEU declares its surveillance powers illegal under EU law, there remains the question of whether the U.K. will remain part of the EU for long enough for it to matter. In the wake of the June 23 "Brexit" referendum vote, Prime Minister May plans to lead the U.K. out of the EU and, perhaps, beyond the reach of the CJEU's rulings.

Join the CSO newsletter!

Error: Please check your email address.

More about BillEUEuropean CommissionPrivacy International

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Peter Sayer

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place