EU: Data retention strikes back? Options for mass telecoms surveillance under discussion again
In June 2021 the European Commission sought the views of member states on ways to reintroduce the bulk retention of telecoms traffic, location and internet connection data on everyone in the EU. Responses from seven member states, published here, show a divergence of views on what data to retain and when, but a majority in favour of new EU legislation.
The ‘data retention question’ has now been on and off the agenda for seven years, following a 2014 Court of Justice ruling that struck down the 2006 ‘Data Retention Directive’.
In its judgement, the court found that the Directive – which required telecoms companies to retain metadata about all communications for a minimum of six months, in case the data was sought by law enforcement agencies – required “an interference with the fundamental rights of practically the entire European population,” which was not “limited to what is strictly necessary.”
Since then, a patchwork of different data retention laws have been applied by the member states, who have held multiple discussions on how to reintroduce data retention at EU level whilst meeting requirements set out by the court.
The Commission’s June paper was the most recent step in the process of finding a consensus. In response to an access to documents request from Statewatch, seven member states agreed to release their responses to the Commission’s questionnaire, while another 13 (listed below) refused to release the information on the grounds that it would undermine public security.
The seven responses that were made public – from Denmark, Finland, Germany, Luxembourg, the Netherlands and Sweden – are summarised below.
Approaches to data retention
Types of approach proposed by the Commission:
- EU legislative initiative (Leg.): A binding legislative initiative on an EU level.
- Non-legislative initiative (Non-leg.): A non-binding EU guidance document.
Proposed EU legislative approaches:
- Data retention for national security: General and indiscriminate data retention could be allowed when there is a “serious, genuine and present or foreseeable” risk to national security.
- Targeted data retention: Would allow for retention targeting specific persons, groups or geographical locations.
- Quick freeze approach: Would allow for authorities to issue an order (subject to effective judicial review) to retain data of an individual for a fixed (renewable) period of time.
- IP retention (IP): General and indiscriminate retention of information on each Internet connection, allowing Internet users to be identified and their online actions traced.
- Civil identity data: General and indiscriminate retention of identity data on all subscribers of communications services.
Finland are yet to put forward a position, but stressed that data retention should not be general and indiscriminate, that it should respect the principle of strict necessity, and that appropriate safeguards should be put in place.
See: Response from Finland (pdf)
Note: The paper released by the Commission represents the position of Germany before the recent general elections. It is expected the new government will have a different position.
Germany supports general and indiscriminate data retention and does not see targeted or quick freeze approaches to be effective. Germany supports IP retention, and believes it to be legal under current ECJ case law.
See: Response from Germany (pdf)
Hungary supports general and indiscriminate data retention. They also add that any attempt to regulate matters of national security is a red line. Hungary does not see a targeted approach to be effective, and sees the quick freeze approach as an “additional tool”. They see the IP retention and subscriber data approaches as being insufficient to reach their goals.
Luxembourg did not set out its position on individual approaches; however, it is supportive of EU legislation in line with the ECJ case law.
See: Response from Luxembourg (pdf)
The Netherlands is in favour of an EU solution, and not against a non-legislative one. They underline that national security remains a national competence. They believe that the targeted and IP retention approaches face major technical hurdles and may not be possible. They support retention of subscriber data but believe retention must go further than just subscriber data.
See: Response from Netherlands (pdf)
Sweden underlines that national security should remain a national competence. They believe targeted retention may not be effective or technically possible, and could be discriminatory. They do not put forward a position on quick freeze; however, they do stress the need for retention of IP data and subscriber data.
See: Response from Sweden (pdf)
Thirteen other member states also responded to the Commission’s questionnaire – Belgium, Croatia, Cyprus, the Czech Republic, Estonia, France, Ireland, Italy, Latvia, Lithuania, Poland, Portugal and Spain (see the list of documents provided by the Commission (pdf)).
However, they have refused the public release of the documents in question. The response from the Commission to our access to documents request said:
“The documents contain the replies to a questionnaire drawn up by the Commission, which includes diverse considerations related to the prosecution of crimes and the protection of public security. The answers given in the questionnaire provide important indicators of the emerging approach to dealing with retained data.
Disclosure of the documents would undermine the protection of the public interest as regards public security. The answers given in the questionnaire could be used to reveal how powers of relevant authorities may be circumvented, and consequently could jeopardize the course of on-going national investigations. Therefore the exception laid down in Article 4(1)(a) [public security] of Regulation (EC) No 1049/2001 applies to these documents.
The documents explore various technical and legal elements that will contribute to define the positions of the Member States and of the Commission at a later stage. The process of making a decision on way forward on data retention at EU level is still in its early stages. The Member States authorities are engaged in open and frank communication with the Commission for the purpose of identifying preliminary exchange of views and information. The replies of the Member States were intended for internal use by the Commission only. Disclosure of the documents would undermine the trust between the Member States and the Commission, and prevent the national authorities from sharing detailed reasoning in this area in the future, and would thus undermine the ongoing decision-making process. Therefore the exception laid down in Article 4(3) [protection of the decision-making process] of Regulation (EC) No 1049/2001 applies to these documents.”
Some member states also invoked further exceptions – namely, commercial interests (because their responses included information provided by telecoms companies) and the protection of legal proceedings (because cases against various data retention measures are ongoing in some member states).
- 8 March 2021: EU: Data retention: Council Presidency tells national ministers that “a solution is necessary”
- 1 March 2021: EU: Blanket telecoms surveillance: data retention back on the agenda in the Council
- 10 November 2020: EU: Study on telecoms metadata retention for law enforcement purposes
- 1 October 2020: EU: New Council working party on blanket telecommunications surveillance