A new ruling from the Court of Justice of the European Union (CJEU) has set limits on government collection of mobile and internet data within the bloc's member states, in a push against mass surveillance that is likely to cause trouble for the UK because of Brexit.
As part of the judgement, the CJEU established that the bulk collection and retention of citizen data from internet and phone operators was contrary to the EU's charter of fundamental rights.
What's more, the court confirmed that the rights defined in the charter take precedence over conflicting national legislation, even where that legislation is justified on national security grounds, despite member states having previously disputed the supremacy of EU law over their own on this matter.
The only circumstance in which governments may be handed their citizens' personal communications data in bulk is a "serious threat" to national security, said the CJEU. Because this is an exception rather than the default, the court also set out a number of specific criteria and safeguards, such as time limits on retention, that must be in place to regulate this type of measure.
In the UK, the bulk collection and retention of citizen data is currently legal thanks to the Investigatory Powers Act (IPA), also known as the Snoopers' Charter, which controversially came into UK law in 2016 to establish the electronic surveillance powers of the country's intelligence services and police.
The law effectively gives UK government agencies the power to carry out bulk interception and collection of communications data. For example, the IPA allows communications service providers (CSPs) to be required to retain details of their customers' online activities for up to 12 months, and to make this information available to intelligence services.
With Brexit negotiations still ongoing, maintaining the EU's trust in the UK's data protection practices is critical to ensure that digital information is allowed to flow freely between both sides, even once the UK leaves the bloc. The CJEU's decision seems to have thrown cold water on this prospect, instead confirming that the UK's laws are not up to the EU's standards.
The court's ruling came as a result of legal challenges brought by privacy organizations and activists in France and Belgium, in addition to the UK, and all related to surveillance practices carried out by their respective governments.
In all three countries, the CJEU found, governments requiring internet and phone operators to hand over traffic and location data about citizens "as a preventative measure" goes against the fundamental rights laid out in the EU's charter. The cases will now return to each country's own courts, which are expected to act accordingly to bring national legislation into line.
In the UK, the case was initiated five years ago by Privacy International, which at the time challenged the IPA's predecessor, called the Data Retention and Investigatory Powers Act (DRIPA). DRIPA set the tone for the IPA, with many of the former law's bulk collection powers now incorporated in the new legislation.
In response to the CJEU's ruling, a Home Office spokesperson told ZDNet: "This judgment relates to a previous power that has since been replaced by provisions in the Investigatory Powers Act 2016.
"The judgment has no direct impact on the work of our security and intelligence agencies as it will now be referred back to the UK courts for their interpretation."
The UK government maintains that the use of bulk communications data is essential to the protection of the national security of the country, and that the IPA provides sufficient safeguards against abuse.
Activists disagree. The Open Rights Group, for example, which alongside Privacy International has vocally condemned the UK government's surveillance methods, argues that because much of DRIPA's functionality has been carried over into the IPA, a legal challenge to the country's surveillance laws remains just as relevant to the current legislation.
For Estelle Massé, global data protection lead at digital rights organization AccessNow, the UK will have no choice but to reform the IPA if it is to comply with EU standards. "UK laws are not compliant with the EU's rights to privacy, data protection and freedom of expression," she tells ZDNet. "It means that, just like France and Belgium, in order to comply with EU legislation, the UK will have to change its laws."
There is a caveat: while France and Belgium are set to remain firmly under the rule of EU law for the foreseeable future, the UK soon will not.
As tempting as it might be to wait it out until the country is no longer subject to EU law, there is a lot more at stake for the UK. Failing to change national surveillance laws could endanger the country's chance of obtaining "adequacy" – a status the EU grants to third countries whose data protection standards it deems sufficient, and which will be necessary for personal data to keep flowing unimpeded from the EU to the UK after Brexit.
While the exact terms of the UK's post-Brexit deal with the EU, if there is to be one, are still being negotiated, one thing is certain: once the UK leaves the EU's legal order at the end of the transition period, it becomes a "third country" under the bloc's General Data Protection Regulation (GDPR). This means that, should no adequacy decision be reached, personal data will no longer be allowed to flow freely from the European bloc to the UK.
The UK government is, therefore, banking on achieving so-called "adequacy" before the Brexit deadline. "The UK government has acted so far as if the adequacy decision was a done deal," says Massé. "But in this case, the EU has said that at least some surveillance measures in the UK regarding access to data are not in line with EU law. This is a big no-go for an adequacy decision."
In other words, unless the UK makes changes to its national legislation, data might not be able to legally enter the country from the EU after Brexit. And while the idea might seem ludicrous, given the ease with which information currently travels between both parties, it is by no means an impossible scenario.
Case in point: only a few months ago, the CJEU invalidated the Privacy Shield adequacy arrangement between the European bloc and the USA, after the court found that US national security laws do not sufficiently protect EU citizens' privacy.
The US episode shows the economic damage a similar turn of events could cause in the UK, where about 75% of cross-border data transfers are with the EU. Huge disruption could therefore soon affect UK businesses, for operations ranging from order tracking to emailing.
If adequacy isn't secured before the Brexit transition period ends on 31 December, companies in the UK will have to put alternative legal transfer mechanisms in place to allow EU data to flow in. The main one is Standard Contractual Clauses (SCCs), which must be signed by the organizations at both ends of each point-to-point transfer.
"A lot of companies in the UK probably haven't prepared for alternative mechanisms, because they are hoping the UK will get an adequacy decision – which the chances for were already slim but are now really limited," says Massé. "This could create a lot of disruption in the way businesses function from January 1st."
The CJEU's latest ruling is binding with immediate effect, and although it sets no specific deadline, the UK, France and Belgium should already be getting started on changing their national legislation.
As the Brexit deadline approaches, it isn't clear whether there is still time for the UK to bring impactful change to its existing laws – nor is it evident that the government is even contemplating the option of reform.
Massé, for her part, is convinced there are problems ahead: "I honestly don't expect the UK to get an adequacy decision by January," she says. "Companies should be getting ready with other mechanisms, because it's just not going to happen."