Unrestrained mass surveillance of phone and internet data by the UK, French and Belgian governments is unlawful, the European Court of Justice (CJEU) stated on Tuesday, in a ruling that could curtail the powers of law enforcement agencies in EU member countries.
The CJEU said that local legislation in these countries, which allows governments to demand users' location and traffic data from ISPs in an "indiscriminate way", violates the European Union's data privacy laws.
The Court ruled that such laws, including the UK's Investigatory Powers Act (IPA) 2016, cannot legally require telecommunication firms to retain users' location and traffic data on an ongoing basis.
It clarified that national security concerns do not exclude the bloc's member states from the need to abide by the general principles of EU law, which command respect for the fundamental rights to privacy and freedom of expression.
"The Court of Justice confirms that EU law precludes national legislation requiring a provider of electronic communications services to carry out the general and indiscriminate transmission or retention of traffic data and location data for the purpose of combating crime in general or of safeguarding national security," the CJEU said in its decision.
The court added that the retention of users' phone and internet data can only be allowed when governments face a "serious threat to national security". Even in such situations, full access to users' data should be limited to a period that is "strictly necessary".
The ruling by the CJEU is the result of a legal challenge jointly brought by different privacy groups in the UK, France and Belgium, who argued that the data retention programmes in those countries were violating citizens' human rights.
"The ruling is particularly significant because it makes clear that EU law applies, even in the national security context, if a member state's surveillance law requires a telecommunications provider to process personal data," Privacy International said in a statement.
"The governments of EU countries are legally compelled to ensure that the retention, access and subsequent use of any data meet specific requirements. These requirements, commonly referred to as 'safeguards', are crucial to ensure that there is a proper balance between the privacy of the individual and the protection of the public."
The CJEU's decision has come nearly three months after its previous ruling that quashed a transatlantic data transfer deal because of concerns about US surveillance.
That ruling effectively ended the privileged access that American firms had to personal data from Europe. It meant that data transfers to US firms are now more likely to face closer scrutiny in Europe.