A Top EU Lawyer Says Data Retention Laws May Be Legal

July 19, 2016, 10:20 AM UTC
The European Court of Justice

One of Europe’s top legal advisers thinks the data retention laws in Sweden and the U.K. may be legit—with strict conditions.

Data retention laws are a form of mass surveillance that involves forcing telecoms operators to keep logs of who contacted whom and when (though not usually the contents of conversations). The idea is to have records available for investigations by law enforcement and intelligence agencies.

Remember when Edward Snowden revealed in mid-2013 that the U.S. National Security Agency was secretly forcing Verizon to hand over its call records? At the time, a European Union law called the Data Retention Directive openly mandated something comparable across EU member states.

However, in 2014 the EU’s top court, the European Court of Justice, struck down the directive because it didn’t include enough safeguards for the protection of citizens’ fundamental rights. As a general requirement to store communications data seriously violates the rights to privacy and data protection, it should only be used to fight serious crime. And the directive didn’t ensure that “interference is actually limited to what is strictly necessary.”

Most EU countries were left with national data retention laws that were based on an EU law that no longer existed. Citizens challenged those laws and, in many countries such as Belgium and Austria, got them struck down too. However, some governments resisted.

Notably, the Swedish government pressed on with its data retention legislation and the British government passed “emergency” legislation called the Data Retention and Investigatory Powers Act (DRIPA) to ensure that it could keep forcing telecoms providers to retain records of customers’ activities.

So campaigners in Sweden and the U.K. took their cases to the ECJ, to see whether these national laws were compatible with European privacy legislation, or if they should fall in the same way the Data Retention Directive fell. The two cases were merged.

The Swedish case was lodged by Tele2 Sverige, a telecoms operator, while the British case was spearheaded by pro-civil-liberties politicians from the two major opposing parties: Labour’s Tom Watson, now his party’s deputy leader, and the Conservatives’ David Davis, now Theresa May’s minister for Brexit. (Davis removed his name from this suit against the British government, after he was given a role in it.)

On Tuesday, one of the ECJ’s advocates general, Henrik Saugmandsgaard Øe, gave his opinion in the joined case. These opinions are intended as advice to the court, which will at some point give its verdict (the judges usually but not always follow the advocate general’s recommendations).

Øe said that he thinks national data retention laws “may be compatible with EU law [but] subject to satisfying strict requirements.”

Most importantly, he said that such laws can only be aimed at fighting serious crime, and must be “strictly necessary” for and proportionate to this fight. He noted that “combating ordinary offences and the smooth conduct of proceedings other than criminal proceedings” are not acceptable objectives for data retention laws.

Are the Swedish and British data retention laws in line with the requirements? That, according to the Danish advocate general, is for the national courts to decide.

We have to remember that this is just expert advice, and the court might go another way.

However, if the court does agree with Øe, then a degree of mass surveillance will be deemed acceptable, in principle. After all, serious crime does exist and countries and their courts could decide that the fight against it warrants the collection and retention of everyone’s communications records.

The big question is how heavy the restrictions on the data’s use should be. The advocate general highlighted the access limitations laid out in the judgement striking down the Data Retention Directive. Specifically, in 2014 the court objected to the fact that the directive gave no clear definition of “serious crime” and no strict conditions for authorities accessing the data.

National laws must respect the conditions set out in that judgement, Øe said, in order to limit privacy violations to what is strictly necessary.

In the case of the U.K.’s data retention law, national courts have already struck down part of DRIPA on the basis that it didn’t properly define “serious offences” and didn’t allow for oversight to ensure data is only accessed when strictly necessary.

However, being “emergency” legislation, DRIPA is only temporary—it will cease to apply at the end of this year. The British government is currently trying to pass a new Investigatory Powers (IP) Bill that would be a bit like DRIPA on steroids, with extra requirements for logging people’s Internet usage, forcing organizations to hand over bulk data sets on their customers and users, and compelling tech firms to remove encryption on communications going over their networks.

The new law would almost certainly fail the tests set out by the ECJ and its advisors—it would allow data retention not only for fighting serious crime, but also for preventing or detecting crime and disorder, protecting people’s health, tax collection and financial regulation.

Would this even apply to the U.K. once the country leaves the EU, as voters demanded in the Brexit referendum? As experts have pointed out, the country would still need to stick to EU privacy rules in order to get clearance for the painless transfer of personal data between the U.K. and the EU.

“It may be too late to end data retention under DRIPA, which expires at the end of the year, but the government has the opportunity to ensure that the IP Bill complies with EU law,” said Jim Killock, the executive director of the Open Rights Group. “In particular, they should end the extension of mass data retention proposed in the bill, which would see the U.K. become one of the only democracies to record its citizens’ web browsing history and provide a police search engine to scour it.”

Even if civil liberties campaigners are unhappy about the idea of national mass surveillance laws being approved in principle, the restrictions on them might provide a silver lining. Stay tuned for the ECJ’s actual verdict on this case.