'Mandatory data retention is unlawful'

By EDRi · October 22, 2003

A legal opinion commissioned by EDRI-member Privacy International and
provided by the law firm Covington & Burling concludes that mandatory data
retention plans in the EU are unlawful.

The opinion, which relates to an EU framework directive on the retention
of communications data, has profound ramifications for ten EU states that
have implemented, or are planning to implement, measures to place
communications users under blanket surveillance.

The opinion states: “The data retention regime envisaged by the (EU)
Framework Decision, and now appearing in various forms at the Member State
level, is unlawful. Article 8 of the European Convention on Human Rights
(ECHR) guarantees every individual the right to respect for his or her
private life, subject only to narrow exceptions where government action is
imperative. The Framework Decision and national laws similar to it would
interfere with this right, by requiring the accumulation of large amounts
of information bearing on individuals’ private activities. This
interference with the privacy rights of every user of European-based
communications services cannot be justified under the limited exceptions
envisaged by Article 8 because it is neither consistent with the rule of
law nor necessary in a democratic society.”

The opinion continues: “The indiscriminate collection of traffic data
offends a core principle of the rule of law: that citizens should have
notice of the circumstances in which the State may conduct surveillance,
so that they can regulate their behaviour to avoid unwanted intrusions.
Moreover, the data retention requirement would be so extensive as to be
out of all proportion to the law enforcement objectives served. Under the
case law of the European Court of Human Rights, such a disproportionate
interference in the private lives of individuals cannot be said to be
necessary in a democratic society.”

A series of regulations (Statutory Instruments) recently laid before the
UK Parliament intends to create a legal basis for comprehensive
surveillance of communications. The regulations will allow an extensive
list of public authorities access to records of individuals’ telephone and
Internet usage. This ‘communications data’ — phone numbers and e-mail
addresses contacted, web sites visited, locations of mobile phones, etc. –
will be available to government without any judicial oversight. Not only
does government want access to this information, but it also intends to
oblige companies to keep personal data just in case it may be useful.

Privacy International