European court says telcos should not retain mass personal data

European court says telcos should not retain mass personal data

Telecoms companies in the European Union (EU) should not be forced to retain mass data about their customers and hand it over to the authorities.

The Court of Justice of the European Union (ECJ) ruled today in favour of an opinion given in June 2016 by the advocate general, Henrik Saugmandsgaard Øe, that communications data should be retained only if strict controls are in place.

The judgement specifically affects the UK’s Data Retention and Investigatory Powers Act 2014, though that is being replaced by a new law, the Investigatory Powers Act 2016.

Peter Church, counsel at law firm Linklaters, said: “This has little effect on the Data Retention and Investigatory Powers Act, which will be repealed at the end of the year in [any] event. However, it could have significant implications for the new Investigatory Powers Act, which was only passed by [the UK] Parliament in November.”

Ironically, one of the main opponents of the 2014 law was UK politician David Davis, who was originally a party to the ECJ case. He is now Secretary of State for Exiting the EU in UK prime minister Theresa May’s post-referendum government.

The decision follows a 2014 ruling by the ECJ that the EU Data Retention Directive – which obliged telcos to retain communications data of their users for up to two years – was invalid.

Even though the UK voted in June 2016 to leave the EU, the country is still one of the 28 members of the Union, so the ECJ ruling applies to UK telecoms companies – and may continue to apply after the UK leaves, depending on negotiations, which are expected to start in early 2017.

Richard Cumbley, partner at Linklaters and global head of technology, media and telecoms at the firm, said: “This is all about the balance between individual privacy and the use of people’s information to fight crime. A key question is whether access to the data is subject to sufficient safeguards.”

The ruling does not cover the 2016 UK law, which requires telecoms companies to store details of the websites visited by users for up to 12 months. However, the principles set out in the judgement might mean the latest Act is incompatible with the EU’s law.

But the ruling will also have implications for all telecoms companies operating within the EU. In particular it will reinforce demands that personal data should be kept within national boundaries and should be subject to strict rules on security.

Gift this article