Overturned data retention law will hamper the NSA, but won't kill mass surveillance

Summary: Proposed laws to allow the bulk collection of data in Europe are now dead in the water. The reality is that the overturning of Europe's retention laws will make transatlantic co-operation a little more difficult — but it won't make it impossible.


"By today's judgment, the Court declares the directive invalid," the European Court of Justice said in a statement on Tuesday.

And Europe can breathe a sigh of relief, knowing that the highest court in Europe effectively gave the middle-finger to the U.S. surveillance system, by overturning a law that required the retention of customer data for up to two years.


Under the law, European and national authorities were able to access phone and email data in order to identify who contacted whom and when, without knowing the contents of the communication in question.

The court said the directive covers "all individuals... and all traffic data without any differentiation" — a direct written assault on the U.S. National Security Agency's data vacuuming programs.

One cannot emphasize enough the importance of this ruling for the more than 500 million citizens in the 28 member state bloc — and the important signal this sends to the rest of the world: Bulk retention of data for intelligence and surveillance purposes is not acceptable.

Laws introduced following Europe's 9/11

Overturning of the controversial law by the European Court of Justice (ECJ) will run deep on the continent.

The law was introduced following the Madrid and London bombings in 2004 and 2005 respectively, which sent Brussels-based bureaucrats into a post-9/11 panic, much as Congress had reacted with the introduction of the wide-ranging and constitutionally-challenging Patriot Act in 2001. It was criticized heavily by privacy groups on both sides of the Atlantic. The Electronic Frontier Foundation (EFF) has said before that these laws "support pervasive surveillance of every ordinary citizen and should not be tolerated in countries where freedom is valued."

Different countries took different routes.

Germany, a particularly privacy-minded country in the wake of World War II, challenged the directive in court in order to stave off implementing the law into its own legal system.

Meanwhile, now that the law has been overturned, laws such as the so-called "snoopers' charter" — which would allow the monitoring and collection of all U.K. Web, email and call traffic — are dead in the water.

The collective knock-on effect to the Five Eyes

Law enforcement agencies are increasingly acquiring the telecoms-held data, the EU said. Some 2.66 million such requests were made in 2012, it said, according to Bloomberg.

"The directive covers, in a generalised manner, all individuals, all means of electronic communication and all traffic data without any differentiation, limitation or exception being made in the light of the objective of fighting against serious crime." — European Court of Justice, April 2014

Enter the NSA, whose main British partner in the five countries in this covert coalition falls firmly under the realm of European law.

The U.K. Home Office said in a statement, via The Guardian in London: "The retention of communications data is absolutely fundamental to ensure law enforcement have the powers they need to investigate crime, protect the public and ensure national security."

It does, and it doesn't. 

The overturned European directive can be likened — though not perfectly — to the U.S.' Patriot Act, which permits bulk metadata collection from phone and Internet providers. Meanwhile, in the U.K., covert action by GCHQ is governed by the Regulation of Investigatory Powers Act (RIPA), which can be directly compared to the U.S.' Foreign Intelligence Surveillance Act (FISA).

While RIPA allows GCHQ — arguably, because the law is broad and some have accused the U.K. government of overstepping and overreaching its legal bounds — to tap into fiber cables and break encryption, it was the overturned European directive that allowed the U.K. government to acquire and hand over vast amounts of European data back to its American intelligence partner, the NSA and its Five Eyes partners. 

Overturned convictions?

Let's also not forget that the intelligence gathering efforts by the U.S. and U.K. governments have led to prosecutions and convictions. Those could now be called into question.

What's more interesting is the legality of the decisions made by national courts under the now overturned European data retention directive.

Any criminal cases which were based and rested on the acquisition of data through the law could be called into question, The Guardian notes. Data retained and used by intelligence agencies and domestic law enforcement could result in voided convictions, because the court decided that "the declaration of invalidity takes effect from the date on which the directive entered into force" — which dates back to 2006.

The overturning of cases — although this will not be automatic, it gives convicts the opportunity to appeal — could be hugely damaging for the countries' legal systems that convicted them in the first place under the old data retention regime. 

Overturned, but not off-limits

The ECJ's judgment will not lead to a blanket ban on data retention, however, the European Commission said. But it does mean member states will have to consider scaling back some rules in order to comply with the court's decision, it added.

Exactly what happens from here remains unclear. Telecom providers will have to seek legal guidance to ensure they dispose of now illegally retained data under existing European data protection and privacy rules.

And while the retention of data would have been valuable and important to the U.K.'s domestic intelligence services, notably MI5, MI6, and crucially and above all else GCHQ, it likely will have little widescale effect on global intelligence operations. 

RIPA still allows (until challenged in court) GCHQ to tap into transatlantic fiber cables, and legally under U.K. law the intelligence agency can continue to pass on collected data to the Five Eyes nations: the U.S., Canada, Australia, and New Zealand. And thanks to the Tempora program, which allows the U.K. to tap into fiber cables and "buffer" the data for a month at a time, that vast amount of metadata and other raw data isn't completely off-limits.

The U.K. and U.S. intelligence agencies working together have been wounded — but it's flesh deep at worst. The NSA will just have to work a little harder if it wants to counteract those difficult, troublesome bureaucrats in Brussels. 

Topics: Security, Privacy

About

Zack Whittaker writes for ZDNet, CNET, and CBS News. He is based in New York City.
