Legal landscape¶

The garden has a planning code. Most of it is publicly available. None of it says what people assume it says.

GDPR Article 2(2)(a) explicitly excludes activities falling outside the scope of Union law, and Article 2(2)(b) excludes common foreign and security policy activities. National security is explicitly carved out. This means that any data processing conducted under a national security mandate operates outside the regulation entirely, regardless of what category of data is involved or who it concerns.

This is the foundational legal fact of the EU surveillance landscape. Consumer data protection and state surveillance operate in parallel legal universes that rarely intersect.

ECHR Article 8 and its exceptions¶

The European Convention on Human Rights Article 8 protects the right to a private life, home, and correspondence. It also specifies the conditions under which that right can be interfered with: in accordance with law, necessary in a democratic society, and in pursuit of legitimate aims that include national security, public safety, the prevention of disorder or crime, and the protection of the rights of others.

“Necessary in a democratic society” has been interpreted by the European Court of Human Rights to mean that there must be a pressing social need and that the measure must be proportionate. The court has found violations in cases involving bulk interception regimes (Big Brother Watch v United Kingdom, Centrum for Rättvisa v Sweden) and concluded that certain surveillance practices lacked sufficient safeguards. The response from states has consistently been to revise legislation to add the required procedural elements while preserving the underlying capability. The capability does not disappear when a judgment arrives. It gets a new legal coat.

Bulk collection and metadata retention¶

Most EU member states have enacted or maintained some form of data retention legislation requiring telecommunications providers to retain metadata (call records, connection logs, IP address assignments) for defined periods and to make it accessible to authorities under specified conditions. The Court of Justice of the EU has repeatedly found blanket retention requirements incompatible with EU law. States have repeatedly responded with narrowed but still extensive retention regimes.

Signals intelligence agencies in EU member states also operate collection programmes that are largely classified, legislatively enabled, and subject to oversight mechanisms that vary substantially in their independence and rigour.

Lawful intercept infrastructure¶

The European Telecommunications Standards Institute (ETSI) has published standards for lawful intercept capability that all telecommunications providers operating in Europe are required to implement. This means every mobile network, every internet service provider, and every relevant platform has built-in interception capability as a condition of operating. The infrastructure for surveillance is not optional equipment. It is part of the network architecture by design.

Several EU member states are formal participants in the Nine Eyes and Fourteen Eyes signal intelligence sharing arrangements alongside the United Kingdom and United States. These include the Netherlands, Denmark, France, Germany, Belgium, Italy, Spain, Norway, and Sweden.

The practical operation is that each agency collects what it characterises as foreign intelligence, including communications transiting its territory or associated with foreign targets, and shares the product with alliance partners. Because “foreign” collection in one jurisdiction captures data about citizens of partner states, the combined effect is a distributed collection system in which domestic legal restrictions on surveilling one’s own citizens can be navigated by receiving data from a partner whose legal threshold is different or whose “foreign” definition covers the citizens in question.

Commercial data acquisition¶

Government agencies can and do purchase data from commercial data brokers. This procurement route acquires location histories, behavioural profiles, social connections, and identity information without the legal threshold that would apply to targeted collection. Because data brokers compile this information from commercial sources (advertising ecosystems, app telemetry, public databases, and data purchases from other brokers), the product is detailed, current, and lawfully obtained by the broker. The subsequent sale to a government agency does not require a warrant.

In the United States, this practice is documented and contested. In Europe, it is less publicly examined and operates in the gap between consumer data protection (where GDPR applies) and national security activities (where it does not).

Cross-border legal instruments¶

Mutual Legal Assistance Treaties (MLATs) and EU frameworks for police and judicial cooperation allow member states to request data or evidence held by another state’s authorities or by companies operating there. These instruments are legitimate tools of law enforcement cooperation. They are also a mechanism by which data collected under the legal regime of one jurisdiction becomes accessible in another.

The speed and transparency of MLAT processes varies. The existence of these instruments means that the strictest domestic privacy protections may not fully contain data once it has moved across a border.

Crisis powers and their persistence¶

Counter-terrorism legislation enacted after the 2001 attacks, and expanded after subsequent attacks on European soil, introduced surveillance powers framed as exceptional and temporary. These powers have generally not contracted when the immediate crisis passed. They have been absorbed into the standard legislative toolkit, normalised through routine use, and in several cases extended.

The pattern is consistent: exceptional powers expand the envelope; the envelope does not return to its original shape.