Blanket data retention: Law enforcement wants it, but they don’t need it


Between 15th-19th of September, 2014, in the week leading up the first year anniversary of the International Principles on the Application of Human Rights to Communications Surveillance, Access and the coalition behind the 13 Principles will be participating in a Week of Action to help explain the foundation for the principles. Every day, we’ll take on a different part of the principles, exploring what’s at stake and what we need to do to bring intelligence agencies and the police back under the rule of law.

You can read the complete set of posts at:

Surveillance laws can no longer ignore our human rights. Follow our discussion on twitter with the hashtag: #privacyisaright


On April 8, 2014, Europe’s highest court, the ECJ, released a long-awaited decision on the controversial Data Retention Directive, confirming what we all knew: the blanket surveillance mandated by the Data Retention Directive is neither necessary nor proportionate.

Adopted by the European Union in 2006, after the Madrid and London bombings of 2004 and 2005, the Data Retention Directive mandated that all telecommunications data – including data concerning mobile and landline phones, fax, and email – are to be indiscriminately collected and retained by providers for a minimum of six months and up to two years (as decided by national governments).

This mass retention of data concerning the activities of citizens, outside of the context of any criminal investigation, poses significant challenges to the very foundations of the rule of law and international human rights.

Not necessary, not proportionate

This landmark decision from the ECJ invalidated the Directive as a violation of fundamental rights. It was warmly welcomed by civil society groups, academics and an array of European and international institutions (e.g. here, here, here and here). However, one nagging thought remains: If this Directive was such a clear-cut violation of fundamental rights, why did it remain in place for eight years?

Under EU law, any legislation that interferes with fundamental rights must be necessary and proportionate. Article 52(1) of the Charter of Fundamental Rights states, “subject to the principle of proportionality, limitations may be made only if they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others.” This litmus test for proportionality, necessity, and adequacy are also strongly rooted in The International Principles on the Application of Human Rights to Communications Surveillance (the Principles).

That means it’s up to the EU (or the state, in relation to any policy area covered by EU legislation) to demonstrate that a particular measure — including blanket data retention — is necessary in order to achieve a particular goal. In eight years, the European Commission failed to credibly demonstrate the necessity of mandatory, blanket data retention in the European Union.

Weighed, measured, found lacking

A leaked internal memo (courtesy of Austrian digital rights group Quintessenz and translated by AK Vorrat, the working group against data retention) from the Commission in 2012 attests to these failures. The Commission openly admits the number of problems with the Directive, including its illegality and flaws in implementation by the Member States. The memo even goes as far as to question the notion of data retention, admitting, “there is a continued perception that there is little evidence at an EU and national level of the value of data retention.”

The first official report on the evaluation of the Directive, published in April 2011, failed to prove the necessity of the measure. In fact, only 11 out of 27 member states even submitted the obligatory statistics on data retention. The data that was submitted was largely unusable, since the authors were using statistics from data retained for purposes than those given in the Directive. Consequently, the output was more a political document than an independent evaluation with scientifically sound analysis.

Meanwhile, the Directive was successfully challenged in several member states including Romania, Sweden, the Czech Republic, and Germany, on the basis of unconstitutionality. Despite this, the European Commission imposed fines on the member states for failing to implement the Directive, in spite of not being able to credibly demonstrate the legitimacy of the instrument.

Due to the rushed and reactionary nature of the Directive, coming on the heels of major terrorist incidents, many of these essential questions about necessity, adequacy and proportionality were waived. But after eight years, we now know, without a doubt, that mandatory data retention is not a justifiable restriction on our fundamental rights. It’s not necessary to fight crime and to stop terrorism.

A human rights approach

That’s also what makes the International Principles on the Application of Human Rights to Communications Surveillance so important. The Principles have been endorsed by more than 400 civil society organisations and more than 50 legal experts and academics from around the world. They provide more guidance on how communications surveillance should be carried out. For instance, the Necessity Principle says that surveillance must be “strictly and demonstrably necessary to achieve a legitimate aim.” The Data Retention Directive went well beyond what is necessary and into the realm of the unjustifiable.

While this Directive was found illegal, even after being in place for eight years, some countries continue to pursue strict data retention laws. The UK just passed the Data Retention and Investigatory Powers Act, or “DRIPA”, which actually expands the state’s retention requirements. Across the ocean in Australia, mandatory data retention is being considered, despite the fact that Attorney General George Brandis cannot even describe what “meta-data” actually means. In the U.S., some Senators have even refused to support surveillance reform without a mandatory data retention provision. In short, law enforcement wants our data, but they don’t need it, and our politicians want to give them the data, without knowing what it is that they are approving.

Beyond the Data Retention Directive

The Court’s decisive ruling is made more significant by the fact that it looks beyond the validity of just the Directive, and puts into question the necessity and proportionality of data retention as a whole. This means that any future proposals should take a completely different and more targeted approach to combat terrorism and serious crime.

History shows us that attempts to introduce sweeping surveillance measures are not likely to stop. That’s why we must be vigilant in ensuring our governments do not overstep their legal limits. In the wake of this ruling, as policymakers consider how to reform communications surveillance laws, we urge them to turn to the International Principles on the Application of Human Rights to Communications Surveillance, which provide a framework for assessing how human rights obligations apply in the context of communications surveillance.