Security and intelligence agencies will no longer be able to collect bulk data on citizens unless it is a serious national threat, the Court of Justice of the European Union (CJEU) ruled in a historical judgement. 

This means that EU member states cannot access our metadata on “a general and indiscriminate” basis from telecommunication companies such as like Vodafone, Melita and GO.

In 2017, rights advocacy group Privacy International launched a legal challenge involving four cases on mass data retention in the UK, France and Belgium.

National surveillance laws in countries like the UK, France and elsewhere in Europe require telecommunication companies to store large amounts of client data for security and intelligence agencies to access. This latest ruling claimed that mass data retention is unnecessarily intrusive and against EU rights of privacy, data protection and freedom of expression.

In its judgement, the court precludes “national legislation requiring providers of electronic communications services to carry out the general and indiscriminate transmission of traffic data and location data to the security and intelligence agencies.”

Member states can, however, request metadata on specific people when there exists an evident and genuine threat to national security.

What is metadata?

Metadata is essentially data about data, everything about the information stored on your phone and internet devices, like your IP address, time, location and so on.

For example, if you sent an e-mail, the metadata will be all about the e-mail but not its actual contents. In the hands of the government, they can know when you sent it and who the recipient was.

And while it is anonymously a myriad of zeros and ones, it is very possible to form a very accurate, intimate picture of the who, where, what and how of someone’s identity.

With a judicial block on data surveillance on the entire population, governments must now seek particular, less invasive ways of accessing information. They must request a warrant and specify a timeframe limited to “what is strictly necessary”, which may be subject to review by a court or administrative body.

How does this affect Malta?

In order to gain access to metadata including client’s names, addresses, device locations and details on calls and messages, a warrant signed by the Home Affairs Minister is needed. A single warrant can target hundreds of people, while several warrants can be issued for one person.

According to the ruling, such warrants should only be approved for serious crimes and exceptional circumstances like threats to national security.

A staggering 3,773 warrants filed by Malta’s government agencies in 2013, but Home Affairs insisted that the absolute majority related to criminal investigations.

As it stands, wiretapping is conducted by the Malta Security Services and regulated by the Security Services Act, which was last amended in 1997. The law allows for broad discretion of the Prime Minister and the Home Affairs Minister with regards the use of their techniques, which could pose a conflict of interest should authorities need to investigate people at the highest positions of power.

The European anti-corruption body GRECO had flagged this system as problematic and said the Maltese police force should be empowered to wiretap people when investigating corruption and other forms of serious crime.

What do you make of the EU courts’ ruling?