Governmental mass surveillance is illegal, says top European court

National security concerns do not exclude the bloc's members from the need to abide by EU laws, says the EU Court of Justice

Unrestrained mass surveillance of phone and internet data by the UK, French and Belgian governments is unlawful, the European Court of Justice (CJEU) stated on Tuesday, in a ruling that could curtail the powers of law enforcement agencies in EU member countries.

The CJEU said that local legislation in these countries, which allow governments to demand users ' location and traffic data from ISPs in an "indiscriminate way", violate the European Union ' s data privacy laws.

The Court ruled that such laws, including UK ' s Investigatory Powers Act (IPA) 2016, cannot legally require telecommunication firms to retain users ' location and traffic on an ongoing basis.

It clarified that national security concerns do not exclude the bloc ' s member states from the need to abide by the general principles of EU laws, which command respect for their fundamental rights to privacy and freedom of expression.

"The Court of Justice confirms that EU law precludes national legislation requiring a provider of electronic communications services to carry out the general and indiscriminate transmission or retention of traffic data and location data for the purpose of combating crime in general or of safeguarding national security," the CJEU said in its decision.

The court added that the retention of users ' phone and internet data can only be allowed when governments face a "serious threat to national security". Even in such situations, full access to users ' data should be limited to a period that is "strictly necessary".

The ruling by the CJEU is the result of a legal challenge jointly bought by different privacy groups in the UK, France and Belgium, who argued that the data retention programmes in those countries were violating citizens' human rights.

"The ruling is particularly significant because it makes clear that EU law applies, even in the national security context, if a member state ' s surveillance law requires a telecommunications provider to process personal data," Privacy International said in a statement.

"The governments of EU countries are legally compelled to ensure that the retention, access and subsequent use of any data meet specific requirements. These requirements, commonly referred to as ' safeguards ', are crucial to ensure that there is a proper balance between the privacy of the individual and the protection of the public."

The CJEU ' s decision has come nearly three months after its previous ruling that quashed a transatlantic data transfer deal because of concerns about US surveillance.

That ruling effectively ended the privileged access that American firms had to personal data from Europe. The ruling meant that data transfers to the US firms are now more likely to face closer scrutiny in Europe.