What is the EU’s landmark ruling on privacy and what does it mean for you?

The EU’s highest court says your privacy must be respected – at almost all costs.

The fine line between harnessing the power of data and the vast amounts of information we create with every mouse click, button press and keyboard tap on a given basis and keeping everyone in the world safe is a different one to traverse. Would-be terrorists are brought down through electronic surveillance on a near-daily basis worldwide. Without the ability to monitor communications, security agencies across the globe would be flying blind on what are the latest threats to their countries.

Yet civil liberties are vital. The ability to say what we want, without fear of being arrested, is important – particularly in the digital age. 

A recent ruling by the EU’s highest court appears to set the standard for where a user’s privacy lies – in Europe at least.

In early October, the European Court of Justice ruled that bulk data collection or retention regimes in the UK, France and Belgium was essentially illegal, drawing in too much data compared to EU-wide law.

What are the current EU rules?

At present, EU law applies every time a national government asks telecommunications providers to process data, up to and including when data is collected for national security reasons. The law has established rules and safeguards outlining the collection and retention of data, and countries who are in the EU must abide by those rules.

However, the three countries in question were doing something different, the court judgment alleges. They were collecting data in bulk, and treating everyone as a potential suspect, whose data must have been hoovered up in the event that it needed to be analysed if they did something wrong at some point in the future.

In the UK, for instance, security and intelligence agencies like GCHQ, MI5 and MI6 were gathering and processing data from telecommunications providers en masse. In France similar things were happening.

Years of court action come to a conclusion

The initial opposition to such mass data collection came in the mid-2010s, through campaign groups like Privacy International, who aim to protect end users’ privacy. They appealed the cases through the relevant countries’ courts, and ended up in the highest court in Europe, where the judge ruled in their favour.

The “judgment reinforces the rule of law in the EU,” says Caroline Wilson Palow, Legal Director of Privacy International. “In these turbulent times, it serves as a reminder that no government should be above the law. Democratic societies must place limits and controls on the surveillance powers of our police and intelligence agencies.”

The rules as they were sketched out by the countries in question were going too far, reckons Wilson Palow. “While the police and intelligence agencies play a very important role in keeping us safe, they must do so in line with certain safeguards to prevent abuses of their very considerable power,” she says. “They should focus on providing us with effective, targeted surveillance systems that protect both our security and our fundamental rights."

What the ruling means for your rights

The decision was a momentous one, called a “landmark” by Hugo Roy, who fought the French case. “We hope now that the French Conseil d’ État will finally apply European human rights law standards to the French State,” he says.

That means that the bulk data collection and retention regimes used in both countries must be brought in line with EU law. That has a significant impact on the rights of end users in all those nations.

It essentially means that your online conversations and activity are protected under EU law, unless there is a relevant and real requirement to analyse what you’re up to online.

It brings those three countries back into the realm of reality when it comes to safety and ensuring your fundamental rights are kept whole in a world where we increasingly live digitally.