Tomorrow morning, the European Parliament legal services will release its long-awaited study on the Court of Justice of the EU’s ruling on the Data Retention Directive. Access obtained a copy of the document, which concludes that the EU’s powers to legislate on data retention matters are now limited.
Last April, the Court of Justice of the EU (CJEU) invalidated the EU Data Retention Directive due to several violations of human rights, in particular the fundamental rights to privacy and data protection. Adopted in 2006, the Data Retention Directive required all telecommunications data – including mobile, landline phones, fax, and email – to be indiscriminately collected and retained by providers for a minimum of six months and up to two years. The CJEU’s landmark decision was broadly welcomed by civil society groups and activists from all around the world.
Following last year’s ruling, the Civil Liberties Committee of the European Parliament (LIBE) requested an opinion from Legal Services to determine its impact on national laws establishing data retention and other existing international agreements that include data retention schemes such Passenger Name Records agreements (PNR) and the Terrorist Finance Tracking Programme (TFTP).
PNR agreements authorises the transfer of passenger flight data between different states where that data can be stored for up to 15 years for the purposes of combating terrorism and serious crime. The EU has signed such agreements with the United States, Canada, and Australia, and is currently in the process of negotiating an EU-wide PNR system.
The Terrorist Financing Tracking Program is an international agreement concluded between the EU and the US which gives authorities access to the SWIFT database, the world’s biggest financial database located in Belgium, for the prevention, investigation, detection, and prosecution of conduct pertaining to terrorism or terrorist financing.
In the study to be released tomorrow, the European Parliament legal services indicates that these agreements, while controversial, are still valid as they benefit from “presumption of legality”. However, the report then adds “That said, the ‘presumption’ of legality of EU acts can also be rebutted and so it cannot be excluded, at this stage, that any other EU act could suffer the same fate as the data retention Directive”. Therefore, all existing agreements currently in place remains valid, however, citizens can request the Commission to look into the validity of these agreements, or they can choose to take legal action to test their validity. In a similar situation, the European Parliament decided last December to send the EU-Canada PNR agreement, currently being reviewed, in front of the CJEU to check its compliance with the EU Charter.
Regarding the ongoing negotiations on an EU PNR system and future EU proposal including data retention measures, the EP legal services reaffirms the CJEU’s assessment that “the EU legislature’s discretion is ‘reduced’” and should therefore strictly follow the instructions laid out by the Court in its ruling. As a result, every time EU institutions consider developing legislative acts putting in place requirement for the “storage of the data of a very large number of unsuspected persons and access to and use of such data by law enforcement authorities”, the legislators will need to strictly apply the principles of proportionality and necessity and must ensure that the proposed measures are in line with the EU Charter. The report adds that “great care must therefore be taken in such cases to ensure full respect, at all stage of the legislative procedure, for the Charter.”
Concerning member states’ existing legislation on data retention, the EP legal services clarifies that, while the ruling does not outlaw these national laws, it does created a “twofold effect”. First, since member states are no longer obliged by law to retain communication data, they can then decide to repeal their related laws – as several countries such as Austria or Romania have done since the ruling. Second, if member states were to decide to keep measures for the retention of communication data, such rules would fall under EU legislation from 2002, the so-called E-privacy Directive.
Therefore, member states must ensure that their national laws on data retention comply with the EU Charter of Fundamental Rights and fulfill the requirements laid down in the E-privacy Directive regarding the principles of proportionality and necessity. And perhaps, most importantly, the report then adds that all the criteria set out by the Court in its ruling on the need for safeguards, proportionality and the “existence of clear and precise rules” must be included in these national laws. As a result all existing national acts on data retention should be examined on a case-by-case basis to check their compliance with those criteria. It is already clear that laws in place in several EU countries – such as France or the UK, which recently expanded its surveillance powers – would have difficulty passing that test.
Access welcomes the European Parliament legal study. This report brings needed clarity on the legality of data retention practices – at a time when the EU is negotiating new legislation such as the EU PNR, and is about to renegotiate existing agreements such as the EU-Canada PNR, the EU-US PNR and the TFTP agreements.
2015 is turning out to be the year of data retention in Europe. It is now up to us all – activists, civil society groups, lawyers, lawmakers – to ensure that any proposal put forward is both in line with the EU Charter of Fundamental Rights and the principles of proportionality and necessity.