The EU’s top court has ruled to limit national governments’ ability to force tech companies to gather troves of their users’ data for surveillance purposes, further complicating efforts by Brussels to agree on a post-Brexit data-sharing deal with the UK.
The European Court of Justice on Tuesday confirmed that national governments could not force internet and phone companies to store information such as location data and metadata in the name of crime prevention or national security, a practice that is widespread among national security agencies in Europe.
The ECJ’s legal decision, which applies to the “general and indiscriminate” use of such practices in the absence of a “serious threat”, followed challenges brought by privacy advocates, including the UK’s Privacy International and France’s La Quadrature du Net, arguing against policies that they said violated people’s basic rights.
Legal experts warned the ruling represented a setback for the UK when it comes to securing an “adequacy decision” on data transfers from Brussels in time for Brexit, which would allow data to be transferred to the UK without the need to put additional safeguards in place.
“Today’s decision is a blow to the UK’s hope to get an adequacy decision from the EU,” said Estelle Masse, senior policy analyst at Access Now. “The EU court found that UK surveillance measures on bulk retention and access of communication data are incompatible with EU fundamental rights.”
Brussels decides which states it will agree to share data with by assessing their data-privacy regulations and comparing them to its own. Only those countries that meet its criteria are permitted to share data with the EU without additional safeguards.
More than a dozen adequacy decisions have been granted to countries around the world, including Japan, Switzerland and Israel. However experts argue that in light of the new ruling, the UK may struggle to secure an agreement with Brussels in time for December’s Brexit deadline, since such data-gathering practices are still permitted under UK law.
Talks on the issue of post-Brexit data-sharing between the UK and the EU have so far moved slowly. Brussels officials acknowledge that problems have arisen both because of signals from the UK that it wants to diverge from EU rules, and also because of the extremely high bar set by EU jurisprudence.
A failure to reach an adequacy decision would lead to significant additional costs for companies engaged in EU-UK data transfers, said Edward Machin, data privacy and cyber lawyer at Ropes & Gray. In addition to instituting new clauses for data transfers, they could also be required to conduct costly and resource-intensive legal analysis of the UK’s data framework.
Eduardo Ustaran, a privacy lawyer and partner at Hogan Lovells, warned that the chances of the UK and the EU reaching an agreement in time for Brexit were slim. “Reaching a deal on bulk data collection as we approach the December deadline will be a tall order,” he said.
The move by Brussels follows a similar ECJ ruling in July to invalidate parts of a transatlantic agreement on data-sharing known as Privacy Shield, which allowed thousands of companies to transfer information between the EU and the US. Following a complaint from privacy activist Max Schrems, the court found that Europeans did not have sufficient access to legal redress in the US under Privacy Shield.
Even if an adequacy decision were granted for the UK following the latest ruling, privacy activists would still likely bring a court case against it, said Mr Machin.
“The last thing the European Commission will want is to give an adequacy decision and then have someone like Max Schrems launch an action and perhaps a year later for the ECJ to strike it down and leave them with more egg on their face,” he said.