BT, Virgin Media, Sky and TalkTalk have been quizzed over how they gather and store customers' data in light of a recent EU ruling declaring such practices unlawful.
On Tuesday the Court of Justice of the European Union (CJEU) ruled that the Data Retention Directive, which requires internet service providers (ISPs) to retain “traffic and location data” for at least two years, was unlawful.
Privacy campaigners in Austria and human rights advocacy group Digital Rights Ireland had challenged the Directive by arguing it abused individuals' rights to privacy. The cases were referred to the CJEU.
In its ruling the CJEU said that, despite being introduced for national security purposes, the requirements “may provide very precise information on the private lives of the persons whose data are retained” such as where they live, social relationships and daily activities. As such it said they were incompatible with wider EU law.
“The Court takes the view that, by requiring the retention of those data and by allowing the competent national authorities to access those data, the directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data,” it said.
The decision does not mean the law has changed immediately, but member states will be required to ensure their legislation comes into line with the judgment. "National legislation needs to be amended only with regard to aspects that become contrary to EU law after a judgment by the European Court of Justice," the European Commission explained.
In light of this fact, industry body the Internet Service Providers Association (ISPA) has called on the government to outline its response to the decision.
“The CJEU ruling has the potential for major changes to the data-retention regime, however we believe that for the time being that obligations remain in place," said Nicholas Lansman, ISPA secretary general. "It is crucial that the European Commission and Home Office provide guidance and clarity to industry."
In response, the Home Office made a statement saying the department was reviewing the judgment and added that it believes the law is a vital part of national security. "The retention of communications data is absolutely fundamental to ensure law enforcement have the powers they need to investigate crime, protect the public and ensure national security.”
Pressure on ISPs
Nevertheless, the UK's biggest ISPs – BT, Virgin Media, Sky and TalkTalk – are already being asked how they intend to abide by the ruling, with the Open Rights Group (ORG) writing a letter asking how they will ensure they are not collecting data any more.
"These regulations no longer have a valid basis in UK law. It is our understanding that ISPs therefore should not be retaining user data unless there is some other legal basis for doing so,” wrote ORG executive director Jim Killock.
He asked the firms to clarify that they are not abiding by the Data Retention Directive any more, as well as what data they are still collecting for their own purposes, why they are doing so, and for how long the data is stored.
V3 contacted BT, Sky and TalkTalk for response to the judgment but no response had been received at the time of publication. Gareth Mead, a spokesperson for Virgin Media, said: "We are seeking clarification on what this means for us under UK law."
Killock from the ORG told V3 that TalkTalk confirmed to him that they have written to the government to ask for their position, but have not changed their setup as yet.
The judgement by the CJEU comes amid ongoing revelations into the spying carried out by agencies such as the UK Government Communications Headquarters (GCHQ) and the US National Security Agency (NSA).
The professor of EU and Human Rights Law at the University of Essex Steve Peers wrote in a blog post on the ruling that the CJEU had "seized the chance to give an 'iconic' judgment on the protection of human rights in the EU" amid these concerns.
"The Court’s judgment can be seen in the broader context of continued revelations about mass surveillance," he wrote. "Its reference to the retention of data by third states is a thinly disguised allusion to the spying scandals emanating from the United States."
Bridget Treacy, head of the UK Privacy and Cybersecurity practice at law firm Hunton & Williams, agreed. “These criticisms [by the CJEU] are consistent with European concerns voiced in the wake of last summer’s revelations of the NSA’s covert surveillance activities," she wrote.
BT wants to make the public switched telephone network history within eight years
Personal data being purloined by third parties via Facebook Login API
MacOS and iOS are better off apart, says CEO Tim Cook
Or they'll no longer be entitled to updates and bug patches