Privacy vs. Surveillance

France, Belgium Battle EU on Key Law

By Robert Bateman

Privacy and protecting data are core values of the European Union — but recent legal cases involving privacy and surveillance have pitted EU institutions against national governments, most recently those of France and Belgium.

Some activists and academics warned Digital Privacy News that these tensions threatened to undermine the bloc’s commitment to privacy as a fundamental right.

“After years of advancement of rights-centric proposals, such as the GDPR (General Data Protection Regulation, which passed in 2016), the current trend in the EU is towards the limitation of rights,” said Estelle Massé, a senior policy analyst in Brussels for Access Now, a global human rights organization.

“There is an increasing tension in the EU between surveillance and the protection of human rights,” she added. “It is visible in nearly all member states, as well as in the (European) Council, commission and Parliament.

“Strong statements and actions from data-protection regulators are important to push back against this ill-conceived trend and to protect privacy rights,” Massé told Digital Privacy News.

There long have been disputes over the extent to which EU states are permitted to surveil their citizens.

State governments repeatedly have argued for greater access to private communications on national security grounds. Belgium and France recently have joined the debate.

But two regulators, the Court of Justice of the European Union (CJEU) and the European Data Protection Board (EDPB), have argued that extensive state surveillance powers violate EU law.

Retaining Data

“Data-retention” is one of several issues that are splitting the EU on privacy.

National laws in France and Belgium require telecom companies to retain data about their customers’ cellphone calls, internet protocol (IP) addresses and location in bulk — and to allow access to this data by intelligence services.

Last October, CJEU, the EU’s top court, considered a case brought by two advocacy groups, Privacy International in London and the Paris-based La Quadrature du Net, alleging that France and Belgium’s data-retention practices violated EU law.

Those governments retorted that their practices were justified on national security grounds and were not, therefore, within CJEU’s remit.

But CJEU disagreed, stating that the governments were imposing unlawful requirements on private companies by forcing internet service providers to retain user data in bulk — and, as such, their national security laws would need to be rewritten.

“The CJEU did not say that any matter of national security falls within EU law,” explained Ilia Siatitsa, Privacy International’s program director. “If the intelligence agencies were directly intercepting communications, that wouldn’t have fallen within EU law.”

French Court Rebuff

But the French government reportedly had hoped to defy CJEU by asking the Conseil d’État, France’s top court, to ignore the ruling.

On April 21, however, the court sided with CJEU — at least in part — and ordered the government to rewrite its security rules to bring them in line with EU law.

The French court’s decision represented a partial victory for the two advocacy groups.

“We are pleased that the Conseil d’État has upheld the CJEU judgment and will ensure it is implemented at the national level,” Siatitsa told Digital Privacy News.

Some experts attributed the split over data-retention to weak enforcement by the European Commission, the executive body that acts as the “guardian” of the EU’s treaties.

Diego Naranjo, head of policy at the Brussels-based nonprofit European Digital Rights (EDRi), long has urged the commission to act on data-retention and government surveillance.

“The European Commission told us in 2015 that it would ‘monitor’ the development of potentially illegal national data-retention laws,” Naranjo told Digital Privacy News.

“That was after we spent time analyzing national legislation — a job that the commission should be doing — and telling them which ones were the worst examples,” he said. 

“Since then, nothing has been done.”

Last month, the EU Parliament’s Committee on Civil Liberties, Justice, and Home Affairs (the LIBE Committee) asked the commission whether it would act against states, through a process known as “infringement proceedings,” if they failed to follow the law on data-retention.

“The commission said explicitly that it will simply do nothing,” Naranjo said, “since it doesn’t have intentions to launch infringement proceedings — as it is in a ‘dynamic of cooperation’ with law enforcement agencies.”

Portugal Move Under Fire

As well as defending legal challenges in court, EU states have sought to use legislation to resolve the conflict between their national security policies and the EU’s fundamental values.

In February, Portugal presented the European Council’s proposed version of the long-awaited ePrivacy Regulation, which would bring new rules on privacy and communications.

Progress on the regulation has been slow. It was supposed to pass in tandem with GDPR but has faced repeated amendments.

But Subhajit Basu, associate professor of information technology law at the University of Leeds, said Portugal had included “compromises” to accommodate France’s desire “to ensure that mass surveillance is legal” under national law.

“The new proposed ePrivacy Regulation waters down the current protection given to our communication data,” Basu told Digital Privacy News. “It does not guarantee the confidentiality of communication.”

Basu said Germany, which had been advocating for “strong privacy safeguards,” had received Portugal’s proposals particularly poorly.

The European Data Protection Board (EDPB) also criticized the proposals, warning in March that the regulation “must under no circumstances lower the level of protection” currently ensured by EU law.

For Access Now’s Massé, the weakened ePrivacy proposals are another sign of the EU’s general shift away from privacy protection.

“It is particularly worrying to have states like France fighting tooth and nail for data-retention, to the point of suggesting modifying the application of core EU values and rights,” she said.

Robert Bateman is a writer in Brighton, U.K.