LUXEMBOURG (CN) — European spy agencies can only keep bulk personal data in the event of a serious emergency, the EU’s high court ruled Tuesday.
European Union privacy rules prevent governments from requiring telecommunications companies to collect and retain bulk traffic and location data unless there is a “serious threat to national security that proves to be genuine and present,” the European Court of Justice’s ruling states.
“National legislation requiring providers of electronic communications services to disclose traffic data and location data to the security and intelligence agencies by means of general and indiscriminate transmission exceeds the limits of what is strictly necessary and cannot be considered to be justified, within a democratic society,” the 13-judge panel wrote.
The decision consolidates four cases brought by privacy advocacy groups in France, Belgium and the United Kingdom. The three countries involved argued that the collection of data is imperative to fighting terrorism. The U.K. told judges at a hearing before the Luxembourg-based court last year that the aggregation of such data is crucial to discovering previously unknown terror plots.
But the court held that even in the event of serious threats to national security, governments must still safeguard any personal data that they collect.
“The legislation must lay down clear and precise rules governing the scope and application of the measure in question and imposing minimum safeguards so that the persons whose personal data is affected have sufficient guarantees that data will be effectively protected against the risk of abuse,” the ruling states.
Caroline Wilson Palow, legal director for Privacy International, one of the groups that brought the case, applauded the court’s decision.
“Today’s judgment reinforces the rule of law in the EU. In these turbulent times, it serves as a reminder that no government should be above the law. Democratic societies must place limits and controls on the surveillance powers of our police and intelligence agencies,” she said.
The ruling isn’t a total surprise. An magistrate for the Court of Justice wrote in a nonbinding advisory opinion earlier this year that if EU member states wanted to collect data on individuals, they must have permission from an independent authority, inform the person and keep the data within the EU. The court follows the legal reasoning of its advisers in four out of five cases.
The court has been largely skeptical of the national security argument in the past. In 2014, it invalidated the European Union Data Retention Directive, which required companies to maintain personal data in case it was needed by security authorities. The judges found it didn’t offer sufficient privacy protections for users. Two years later, the court held that indiscriminate location data collection is also illegal in the EU.
The telecommunications surveillance cases now return to their national courts for final rulings.