Data Retention is NOT here to stay

On December 21th, the Advocate General of the European Union Court of Justice (ECJ), Pedro Cruz Villalón delivered a landmark opinion on the Data Retention Directive, finding it to be a “serious interference with the enjoyment of the fundamental rights guaranteed to European citizens by the [European] Charter.”

Access commends the opinion by the Advocate General, as it confirms the serious concerns repeatedly raised by civil society (see here, here and here, for example) and other institutions on the necessity and proportionality of mandatory blanket data retention in the EU. The mass retention of the activities of citizens, outside of the context of any criminal investigation, poses significant challenges to the very foundations of the rule of law and international human rights, including Article 7 of the Charter of Fundamental Rights of the EU.

The Advocate General’s opinion is based on two ongoing cases: One brought before the Court by EDRi-member Digital Rights Ireland and the Seitlinger and Others case (the court decided to hear these cases together). The opinion deals with the proportionality and the compatibility of the Data Retention Directive with the Charter of Fundamental Rights, a legally binding instrument in the EU.

The European Union Court of Justice is expected to give its judgment by April 2014. In most cases, the ruling from the ECJ follows the opinion given by its Advocate General. Such a decision would be extremely positive for European citizens’ rights, and indeed would be an international precedent.

 

Background

The Data Retention Directive was adopted by the European Union on March, 15 2006 – shortly after the Madrid and London train bombings which occurred in 2004 and 2005 respectively. Intended to be a tool to fight terrorism and serious crime, it creates an obligation for communications providers to store all citizens’ telecommunications data such as emails, phone calls, and text messages, for a minimum of 6 months up to a maximum of 2 years.

Since its adoption, the Data Retention Directive has proven to be one of the most contentious and criticised pieces of legislation in the EU. Europe’s privacy watchdog, the European Data Protection Supervisor (EDPS), has described the Directive as the “most privacy invasive Directive in the history of the European Union.”

The legitimacy of the Directive continued to be undermined over the years as the European Commission has never been able to credibly demonstrate the necessity and proportionality of blanket data retention and the need for harmonisation in the police and law enforcement sector.

This lack of evidence was one of the main arguments presented by the plaintiffs in the July 2013 hearing, along with the fact that data retained under the Directive is routinely used for investigating crimes for which the Directive was not intended to cover (see a more detailed summary of the hearing here).

 

AG: The Directive constitutes a “serious interference with the right to privacy”

The Advocate General found that the obligation for member states to retain data in the Directive constitutes a “serious interference with the right to privacy” and that the “collection of such data establishes the condition for surveillance which […] constitutes a permanent threat throughout the data retention period to the right of citizens.”

The Advocate General based its conclusions on four major problems with the Directive:

  • the lack of requirements in the Directive concerning the storage of data retained by services providers,
  • the absence of a clear definition of “serious crime,”
  • the lack of principles required for governing the guarantees needed to regulate access to the data and their use;
  • the requirement to retain data is too long and the justification for the retention period is not supported by evidence.

As a consequence, the Directive is found to be “as a whole incompatible with Article 52(1) of the Charter” which requires that any limitation on the exercise of fundamental rights has to be “provided for by law” and to respect the principle of proportionality. The Directive is also incompatible with Article 7 of the Charter on the right to privacy, and this interference is “manifestly disproportionate” to ensure the functioning of the internal market.

These two cases are not the first time the Directive has been challenged. In several Member States, including Romania, Sweden, the Czech Republic, and Germany, the laws transposing this Directive have been successfully challenged on the grounds of constitutionality.

Moreover, as Access pointed out in a report submitted to the Council of Europe’s Council of Ministers, the European Court of Human Rights (ECHR) has weighed in on communications surveillance, with a number of rulings concluding that the surveillance of traffic data violates Article 8 of the Convention; that the retention of records on past activities constitutes an interference with the right to private life; that surveillance is “unlawful” if it is indiscriminate and lacks a specific legal regime; and finally, that surveillance can only be considered lawful when effective safeguards have been established that ensure minimum infringement of rights and when all other alternative means have been exhausted.

Alternative and more proportionate means of surveillance than data retention exist and could prove more effective and less harmful to human rights. Data preservation, or “data freeze,” would entail, for instance, judicial authorisation for preservation, on a case-by-case basis, where the target is reasonably believed to be engaged in criminal activities or legitimately under criminal investigation. We welcome the inclusion of such alternative approaches such as “data freeze” by Advocate General Pedro Cruz Villalón in its opinion.

 

The AG’s Recommendations

The Advocate General suggests that rather than immediately invalidating the Directive, EU Member States should be given a ‘reasonable period’ of time to bring this legislation in line with the Charter. The opinion also highlighted the “urgency” of the situation since citizens fundamental rights are actively being infringed.

Access believes that the only way this Directive can be brought in line with the Charter of Fundamental Rights is to immediately suspend state obligations to engage in suspicionless surveillance. Indeed, the worldwide adoption of communications data retention represents one of the biggest challenges facing the protection of privacy in the digital age. When citizens are under surveillance they change their behaviour; they are less likely to feel comfortable expressing themselves and therefore self-censor, or refrain from using certain channels of communication.

This chilling effect isn’t just speculation. A study conducted in Germany after the transposition of the Data Retention Directive in 2008 revealed that 11% of respondents had already abstained from using the phone, email or mobile on certain occasions. Furthermore, 52% said that they probably would not use telecommunication for confidential purposes, “contacts like drug counsellors, psychotherapists or marriage counsellors” because of data retention.

 

Conclusion

In 2010, Commissioner for Home Affairs, Cecilia Malmtröm said that “data retention is here to stay,” however, the conclusions of this historic opinion have shown that this may not be the case. Civil society groups and European organisations’ concerns on the legality of the Data Retention Directive have been validated by the Advocate General’s findings, and we look forward to the Court’s ruling, which is expected to be sometime in April 2014.