The recently passed Investigatory Powers Act in the UK has been declared invalid by the European Court of Justice, arguing that “Member States may not impose a general obligation to retain data on providers of electronic communications services” announced The Guardian.
Described as a surveillance law, it allowed ISPs to document all of their customers’ web histories, including location, phone calls, web sites visited and applications used, store it for 12 months and share it with dozens of public institutions in the UK such as the CGHQ, NHS or the health department. Only under suspicion of terrorism would such type of surveillance be legitimate, said ECJ.
EU surveillance law is not clear, especially concerning standards on data retention. As the UK prepares to leave the EU following Brexit, it may soon leave the jurisdiction of the European Court and won’t have to abide by European law. This mostly affects companies in the UK when doing business with those in member states, as they won’t follow the same data privacy standards.
“EU law precludes a general and indiscriminate retention of traffic data and location data, but it is open to Members States to make provision, as a preventive measure, for targeted retention of that data solely for the purpose of fighting serious crime, provided that such retention is, with respect to the categories of data to be retained, the means of communication affected, the persons concerned and the chosen duration of retention, limited to what is strictly necessary,” reads the judgement. “Access of the national authorities to the retained data must be subject to conditions, including prior review by an independent authority and the data being retained within the EU.”
When asked about the ruling, human rights organization Liberty said it “upholds the rights of ordinary British people not to have their personal lives spied on without good reason or an independent warrant.”