EU discusses future of data retention: “Indiscriminate retention no longer possible”

This is a translation of an article originally written by Anna Biselli on netzpolitik.org. Translation: Anna Biselli, Kirsten Fiedler.

The German government is maintaining its unswerving commitment to make communications data retention obligatory from July 2017 onwards. Meanwhile, different EU level groups and institutions are discussing if or how data retention measures are compatible with EU law. The reason for this is a ruling of the European Court of Justice (CJEU) in December 2016. It ruled the implementation of data retention in Sweden and the UK to be contrary to EU law, following its decision to invalidate the former EU Directive in 2014. According to the ruling, a “general and indiscriminate” retention is impossible – be it at the EU or the national level. The retention of communications data (who communicates, when, with whom and where) would only be permitted if there is a connection between the data and a specific purpose. Furthermore, data can only be retained for a specific time period and/or geographical area and/or a group of persons likely to be involved in a serious crime.

Photo: Luis Marina

In January 2017, the EU’s interior ministers tried to find a solution to make data retention measures compatible with these restrictions. Then, in February, the Legal Service of the Council of the EU delivered an assessment of the ruling’s consequences on national data retention schemes and how traffic data can be used for law enforcement in the future. The Legal Service concluded that Member States can still retain data for the protection of national security or law enforcement after Article 15 of the current e-Privacy directive.

General and indiscriminate retention obligation no longer possible

This conclusion is included in the version that is publicly accessible. However, two relevant paragraphs of the Legal Service’s assessment are missing and only available in the classified version published by netzpolitik.org. The Legal Service states unambiguously

[…] that a general and indiscriminate retention obligation for crime prevention and other security reasons would no more be possible at national level than it is at EU level, since it would violate just as much the fundamental requirements as demonstrated by the Court’s insistence in two judgements delivered in Grand Chamber.

This means national laws for indiscriminate data retention will no longer be possible. The Legal Service also points out that the Commission’s proposal for a new e-Privacy Regulation would still allow providers to retain communications data for billing reasons.

Currently, a Council working group, the Working Party on Information Exchange and Data Protection (DAPIX), is working on an evaluation – according to their agenda for 10 April 2017 published by netzpolitik.org. One of the questions discussed was: “What kind of measures could satisfy the Court’s criteria on access to data to meet the requirement of limiting the intervention of competent authorities to what is ‘strictly necessary and justified within a democratic society’?”

The working group wants to discuss which limitation factors could be considered regarding the geographical region and the time period of data retention and how independent oversight, demanded by the CJEU, could be implemented.

No analysis from the EU Commission yet

The Council of the EU is not the only institution discussing the future of data retention at EU level. Following the CJEU ruling in December 2016, the EU Commission asked the Member States to submit descriptions of the current situation in their countries. But according to a summary by the German Permanent Representation of a meeting of the Coordinating Committee in the area of police and judicial cooperation in criminal matters (CATS), the Commission was unable to indicate a date when their analysis would be ready and when it could issue specific guidelines on how to proceed further.

In 2015, EDRi contacted the Commission after the initial CJEU ruling and asked to investigate the data retention laws in EU Member States which appeared to be illegal. But, at that time, the Commission did not act and stated in a meeting with EDRi representatives that the CJEU ruling was too ambiguous to allow it to take legal action against specific Member States. This argument is hardly tenable after the second ruling.

Member States do not want to abandon illegal data retention practices

According to the German Permanent Representation’s summary, Slovenia and Austria assume that the only possibility for legal data retention would be the “quick freeze” method. According to this method, communications traffic data is not retained preventively but only after a judicial warrant. Usually, providers delete data in a timely manner, but if they receive a warrant they would “freeze” this data to make it available for law enforcement purposes.

The document highlights that most Member States do not want to abstain from data retention and now try to find a solution that cannot be instantly declared invalid by a court again. The options currently discussed are “quick freeze” and data retention through the back door.

German solo run

Germany did not wait for the consultations at EU level to introduce preventive and indiscriminate data retention. The German government is ignoring the fact that all indicators suggest that the German text is incompatible with EU law. The German implementation neither contains a time or geographical references, links to to serious crime nor does it limit the number of persons affected – which is why the Research Services of the German Bundestag already concluded that it is in violation of EU law.

Nevertheless, the German government claims that the law is constitutional and in line with EU law. This is rather puzzling because it also states that the assessment of the consequences of the CJEU ruling was not completed in February. And it still isn’t completed today – one month before the start of the retention obligation for providers in Germany.

Despite all concerns, the German Minister of the Interior Thomas de Maizière demanded to expand data retention to online messaging services and other media services. However, this is unlikely to happen during the remaining legislative term. The will to continue indiscriminate and patently illegal data retention appears to be strong both at the German and the EU levels.