Time’s up! …for data retention mandates across the EU

The practice of data retention — that is, when electronic communications providers retain and store your data for varying amounts of time — continues to be a dominant focus of discussions on surveillance across the globe. And rightfully so. It poses some of the most complex questions related to the surveillance state (and industry). Specifically, it raises the issue of what is necessary and proportionate when the government has the capacity to flip back through time to spy on citizens (has your data been retained for 6 months or 3 years?). How far can our fundamental rights be stretched online? What level of privacy do we require in our use of everyday digital services? Governments continue to claim that data retention is useful in the fight against crime (and society’s many other ailments, such as terrorism), often without providing evidence of its necessity and proportionality. This has been stirring debate — and the occasional court challenge.

In December 2016 the Court of Justice of the European Union (CJEU) put an end to much of the debate surrounding the retention of telecommunications data in Europe. The CJEU gave a clear-cut interpretation of EU law regarding data retention, clarifying how it should be interpreted in national-level EU legislation. The ruling was in the joint cases of Tele2 Sverige (from Sweden) and Davis and others (from the UK), each of which stemmed from the 2014 Digital Rights Ireland (known as DRI) case. The specific questions in the two cases were slightly different, but involved the same issues. How does the DRI ruling impact member state regimes? And how do we apply the rights to data protection and privacy (guaranteed under Articles 7 and 8 of the EU Charter of Fundamental Rights) in these regimes?

So without further ado, let’s recap the major findings of the CJEU ruling.

Blanket data retention is not compatible with EU law

The court found that the general obligation to retain traffic and location data is NOT compatible with EU law, and reaffirmed clearly that blanket, indiscriminate data retention is unlawful. The court pointed out that communication metadata can be so specific that it is often no less sensitive than the actual content, and therefore represents the same — if not greater — violation of the right to privacy. The ruling directly points to the danger of using communications data to profile individuals, revealing details of their private lives such as “everyday habits, permanent or temporary places of residence, daily or other movements, activities, the social relationships and environments frequented by them”.

Targeted retention may be authorised, but only if it is necessary and proportionate

The court, however, indicated that targeted retention of data could be authorised under EU law if, and only if, a series of clear safeguards are put in place by the state to ensure that a measure is necessary and proportionate, as articulated by Article 15 of the e-Privacy Directive. Among the safeguards the court established is that law enforcement may request that data be retained only if the request is targeted to users who are suspects of serious crime; if it is on the basis of “objective evidence”; if the retention is for a limited time; and if these users are notified (once the disclosure no longer affects the investigation).

Safeguards must be in place for targeted retention, lest we risk both privacy and free expression

The CJEU went on to define specific safeguards, both for law enforcement simply to request that an electronic communications provider retain the data, and to gain access to it. Interestingly, the court argued that the authorities’ access to retained traffic data raises questions not only in light of Articles 7 and 8 of the Charter (these are the rights to data protection and privacy), but also in light of the freedom of expression guaranteed under Article 11 of the Charter.

But, if mass data retention is not permissible, for what purpose can targeted retention be “strictly necessary”?

While the court upheld combatting crime as a legitimate objective, it reiterated that it is only in the fight against serious crime that the retention of traffic and location data can be justified, and then only when necessary and proportionate. The court went on to specify that even the fight against terrorism cannot in itself serve to justify indiscriminate retention of all traffic and location data. The targeted retention of traffic and location data, for the purpose of fighting serious crime or terrorism, can be permitted as a preventative measure — but only IF safeguards are in place. The retention must, for instance, be limited to specific categories of data, and authorities must specify the means of communication affected, clearly define the length of the retention period, and target identified suspects. These safeguards are what the court considers “strictly necessary”.

Even if data are retained to fight terrorism, affected individuals must have remedy

Regarding the use of data retention in the fight against terrorism, the court further specified that law enforcement could be granted access to data when there is objective evidence that the information might (in a specific case) make an effective contribution to combating terrorism-related activities. In fact, all law enforcement access to data must be specific in intent and extent, always subject to an ex ante review by an independent body, and the court stressed that once the investigation can no longer be jeopardised, the affected individuals should be notified so they can exercise their right to remedy.

What’s next? One ruling to dismantle them all

While this ruling gives us answers regarding what is authorised for data retention under EU law, we don’t know yet how it will impact existing legal instruments across the EU. The UK no longer has DRIPA, its previous data retention law, but recently adopted the infamous Investigatory Powers Act (amicably known as the Snooper’s Charter). This law is now open to legal challenge based on the CJEU ruling. There are also a number of Passenger Name Records (PNR) systems in place with the broadest of scopes and blanket data retention mandates of between 4 and 15 years. The legality of these systems is (once more) in question. The same goes for current legislative proposals such as the Smart Borders Package, which foresees a generalised 5-year retention period of data from all travellers to the EU. These instruments blatantly contradict the jurisprudence of the court.

In short, this ruling is very good for fundamental rights in the EU. It will be an essential tool to challenge the legality of greedy data retention mandates now on the table across member states (and at the EU level), as well as for dismantling some of the existing data retention mandates.