LUXEMBOURG (CN) – European spy agencies should not have free rein to access personal data from internet and phone companies, an adviser to the European Union’s top court said Wednesday.
In a nonbinding opinion at the European Court of Justice, Advocate General Manuel Campos Sánchez-Bordona warned that, under the 2002 Privacy and Electronic Communications Directive, EU member states can’t require telecommunications companies to hand over bulk data to security agencies.
According to Sánchez-Bordona, if nations want to collect data on individuals they must have permission from an independent authority, inform the person and keep the data within the EU.
Though not required, rulings from the Court of Justice often follow the same legal reasoning as advisory opinions.
Wednesday’s opinion encompasses four cases all concerning data privacy: one from the United Kingdom, two from France and one from Belgium. All four cases were brought by digital privacy and legal advocacy organizations.
“The opinion is a win for privacy. We all benefit when robust rights schemes, like the EU Charter of Fundamental Rights, are applied and followed,” Privacy International, the organization that brought the case in the U.K., said in a statement.
Should the EU’s highest court agree with Sánchez-Bordona’s reasoning, it would invalidate a U.K. law that requires telecommunications companies to hand over bulk data to British security agency MI6 and others, as well as Belgian and French laws requiring technology companies like Facebook to retain location data on their users in case that data is needed in an investigation.
The three countries involved contend that the collection of data is imperative to fighting terrorism in their countries. The U.K. argued at a hearing before the Luxembourg-based court in 2019 that the aggregation of such data is crucial to discovering previously unknown terror plots.
A ruling limiting access to data would create a complicated legal situation for the U.K., which is currently scheduled to leave the EU on Jan. 31, after numerous delays. Should the U.K. leave the bloc at the end of the month, it would still be subject to EU regulations until the end of the year, as part of the transition out of the political and economic union.
The Court of Justice has been skeptical of the arguments made by the U.K. and others in the past. In 2014, the court invalidated the European Union Data Retention Directive, which required companies to maintain personal data in case it was needed by security authorities. The judges found it didn’t offer sufficient privacy protections for users. Then, in a 2016 ruling, the court held that indiscriminate location data collection is also illegal in the European Union.
A final ruling in all four cases is expected later this year.