Blogs

Data retention: "We ask the Court to rule in favour of Freedom"

By EDRi · July 17, 2013

This article is also available in:
Deutsch: [Vorratsdaten: “Das Gericht soll zugunsten der Freiheit entscheiden” | https://www.unwatched.org/EDRigram_11.14_Vorratsdaten_Das_Gericht_soll_zugunsten_der_Freiheit_entscheiden?pk_campaign=edri&pk_kwd=20130717]

On 9 July 2013, the European Court of Justice held a hearing before the
Grand Chamber on the validity of the data retention directive
(2006/24/EC). In line with the questions the involved parties received
from the Court, the hearing focused on Art. 7 and 8 of the Charter of
Fundamental Rights of the European Union.

The representatives of the parties who initiated the cases in Ireland
and Austria, Digital Rights Ireland, Human Rights Commission Ireland, AK
Vorrat Austria and an individual Austrian citizen argued that the data
retention directive is incompatible with the Charter. There still is no
evidence available, they argued, that the excessive collection of
communication data is a necessary and proportionate measure for
combating organised crime and terrorism in the EU. Furthermore, the
data available proves that retained data is used for the investigation
of crimes not foreseen in the directive, like theft, drug trafficking
and stalking.

The lawyer of AK Vorrat, Ewald Scheucher, referred to the ruling of the
German Constitutional Court, which stated that the cumulative effect of
fundamental rights restrictions need to be taken into consideration when
judging the legitimacy of a single measure. Given the revelations
regarding PRISM, this cumulative effect now clearly provides a different
result that at the time when the German Court took its decision.
Furthermore, he stated that the Austrian implementation of the directive
clearly showed that a Charter-compatible national implementation of the
data retention directive is not possible. This argument is bolstered by
the fact that the main author of the Austrian implementation is among
the 11 139 Austrian plaintiffs who challenged data retention before the
Austrian Constitutional Court.

Mr. Scheucher closed his statement with the words: “We ask the Court to
rule in favour of Freedom. Security already has enough advocates.”

Following the statements of the plaintiffs, a number of member states
and EU institutions were asked to deliver their answers to the questions
of the court. Many of them referred to the evaluation report the
Commission published in 2011. This was remarkable, as this report
suffered itself from a lack of evidence as, amongst other shortcomings,
many member states were unable to provide any statistically relevant
data on the use of retained data for the purposes defined in the
directive. On the contrary, it showed an excessive number of uses in
Poland in the context of minor offences.

New statistical data were presented by the representative of Austria. He
explained that between 1 April 2012 and 31 March 2013 retained data has
been accessed by Austrian prosecutors in 326 cases. Out of these 326
cases, 139 are already closed. In 56 of these 139 cases, the data
retained contributed to solving the case. The offences of these cases
were: theft (16), drug offences (12), stalking (12), fraud (7), robbery
(7) and others. Following an ad hoc question of a judge, it was further
stated that none of the cases involved terrorism and that the question
whether organised crime was involved needed further investigation.

The statements of the other member states followed the lines that data
retention is necessary and proportionate, the opposition against data
retention is caused by fears of data breaches (Ireland), the anonymity
of the communication needs to be avoided (Spain), the ECJ should focus
on the core contents of the directive and not on the room it leaves for
the implementation by member states (Italy) and that anonymous uses –
like prepaid mobile phones – are not damaging the value of data
retention, as additional means like video surveillance can be used to
identify individuals.

The representative of the European Parliament stated that the directive
was valid and in line with the Charter. Being a directive harmonising
the internal market, he argued, it only regulates the obligations of
providers and does not deal with the law enforcement aspects, which need
to be defined by the member states. This statement led to questions by
one of the judges who wanted to know if it was due to the chosen legal
basis that the protection of fundamental rights could not be regulated
in more detail. This was confirmed by the EP representative, whereupon
the judge asked whether the legal basis should rather be chosen based on
the compliance with fundamental rights. The representative of the
Parliament agreed but stated that while it was important to protect
fundamental rights, it was not possible to do such regulation in an
internal market directive.

The representative of the Council argued – like some member states
before – that the use of retained data can only be judged in the context
of national laws and that therefore the directive needed to be seen in
isolation rather than in context of national implementations. The
maximum retention period of two years also reflects the different
traditions of member states and is needed to analyse the communication
of terrorists in the context of bomb attacks.

Also, the representative of the European Commission argued that the
directive was only about the obligation to retain data, while the use of
the data needed to be regulated by the member states. Furthermore the
directive needed to be judged on the basis of the legal situation in
2006. Following this statement a judge asked whether the position of the
Commission was that the Charter were not applicable. This was denied.

Finally, the representative of the European Data Protection Supervisor
delivered his statement. He stated that the necessity of data retention
has not been proven and that no alternative, less intrusive measures
have been evaluated. In addition, the directive was not sufficiently
clear in limiting the purpose of the data processing. Furthermore the
use of the retained data should not be left over to be regulated by
member states without further guidance by the European legislator.

The hearing continued with a number of detailed questions by the judges
which also included whether data retention could be
lawfully outsourced to other data processors within the EU or in third
countries. According to a report, 36 percent of the retained data is
subject to outsourcing and the third largest provider is based in a
third country operating on the basis of the Safe Harbor agreement. Being
asked whether the national laws of third countries concerning the access
to data by national authorities could negatively affect the lawfulness
of the processing, the representative of the Commission could not answer
immediately and he also failed to provide a clear answer to whether the
websites accessed by users are to be retained on the basis of the
directive.

The Advocate General will provide his opinion on the 7 November 2013.

EDRi-gram 11.13: European Court of Justice data retention cases to be
heard on 9 July (including the questions asked by the Court, 3.07.2013)
http://www.edri.org/edrigram/number11.13/ecj-data-retention-case-9-july-2013

EDRi-gram 9.8: Top 10 misleading statements of the European Commission
on data retention (20.04.2011)
http://www.edri.org/edrigram/number9.8/data-retention-evaluation

EDRi shadow data retention report (17.04.2011)
http://www.edri.org/files/shadow_drd_report_110417.pdf

Live-Ticker on the ECJ hearing on the data retention directive (only in
German, 09.07.2013)
http://netzpolitik.org/2013/live-ticker-vom-eugh-verfahren-gegen-die-vorratsdatenspeicherung/

(Contribution by Andreas Krisch – EDRi member VIBE!AT – Austria)