On 2 March the Court of Justice of the European Union (ECJ or CJEU) delivered a judgment [1] in a new Estonian case on data retention obligations for electronic communications services.

From the press release:

Access, for purposes in the criminal field, to a set of traffic or location data in respect of electronic communications, allowing precise conclusions to be drawn concerning a person’s private life, is permitted only in order to combat serious crime or prevent serious threats to public security
In addition, EU law precludes national legislation that confers upon the public prosecutor’s office the power to authorise access of a public authority to such data for the purpose of conducting a criminal investigation

In an article [2] on this judgment on the site of EDRi [3] Jesper Lund observes that in the new judgment CJEU provides clarity:

For traffic and location data that allows precise conclusions to be drawn, law enforcement access must always be confined to cases of serious crime, even for access to small subsets of the data.

The judgment according to Lund highlights “the increasing tension between CJEU case law and Member States’ national data retention laws“.

The general trend is in the opposite direction. EU and member states create laws that make it possible to analyze all sorts of private data of people and organisations, without any suspicions. Analysis is done both by authorities and by private organisations.

One of the most important examples is the privatization of crime detection under anti money-laundering laws, in which banks play an important rule. Banks are supposed to analyze all financial transactions, small and large, to find criminals. For banks every client is a suspect. It is questionable whether banks and their systems / employees have the competence to fulfill this task adequately. Adequate democratic supervision lacks here.

It looks as if the surveillance society is definitely coming. It is not sure that the European fundamental rights legislation is going to prevent that.

Notes
[1] ECLI:EU:C:2021:152, C‑746/18, press release, general information, abstract, English version of the judgment.
[2] CJEU upholds strict requirements for law enforcement access to electronic communications metadata, by IT-Pol Denmark, 10 March 2021.
[3] EDRi is a European human rights organisation involved with dataprotection and privacy.