EU Member States willing to retain illegal data retention
With its judgments in April 2014 (Digital Rights Ireland ) and December 2016 (Tele2 ), the Court of Justice of the European Union (CJEU) ruled that blanket data retention was illegal under EU law. Rather than repealing their illegal data retention laws, EU Member States have instead adopted a tactic of ignoring the highest court of the European Union under the pretence of a “common reflection process” with an expert data retention working group under the Working Party on Information Exchange and Data Protection (DAPIX).
At the Justice and Home Affairs (JHA) Council meeting on 6-7 December 2018, the state of play of the expert working group on data retention was discussed. Council document 14319/18 prepared for the meeting reveals that the common reflection process has produced no tangible results towards compliance with the Tele2 judgment: replacing general and indiscriminate (blanket) data retention with targeted data retention. Member States appear to be happy with their current and illegal data retention regimes and do not want to make any changes. A recurring element in the Council document is the unwillingness of Member States to accept the Tele2 judgment, often disguised under a very selective reading of the judgment.
The expert working group has considered the concept of “restricted data retention”, previously analysed in the EDRi-gram. The main novelty is that Member States are supposed to limit the data categories to be retained to what is strictly necessary. No limitation is foreseen with respect to the persons concerned, which means that data about the entire population is retained, as with the current data retention regimes. Therefore, restricted data retention cannot possibly comply with the Tele2 judgment. However, even the token gesture of limiting the data categories has no support among Member States. They claim that the data categories which are not necessary for law enforcement purposes are already excluded. Based on this premise, Member States even contend that “there is no general and indiscriminate retention of data as referred to in the Tele2 judgment”, which is rather remarkable since the CJEU has stated the exact opposite in the Tele2 judgment.
The renewable retention warrant (RRW) proposal is another attempt by Member States to circumvent the Tele2 judgment. While the warrant only covers a single provider of electronic communications services for a fixed period of validity, all providers are expected to be covered by different warrants that are constantly renewed because the RRW would be rendered ineffective for law enforcement purposes if not all providers are covered. In practice, the RRW will be indistinguishable from the current blanket data retention regimes. With the exception of one Member State, which uses a similar system (undoubtedly the United Kingdom), there is no support for the RRW since the system would be too complex and inefficient and would require changes to national laws on criminal procedure.
After two years of “reflection” on the Tele2 judgment, Member States and their expert working group have not come up with a single realistic alternative to the current blanket data retention regimes that the CJEU has ruled to be illegal under EU law. The Council document does not describe a single suggestion which would actually make the data retention scheme targeted and limit the persons concerned by the measure, even though this is expressly required by the CJEU in paragraph 110 of the Tele2 judgment.
The second part of Council document 14319/18 deals with access to the retained data. According to the Tele2 judgment, access to the retained data must be limited to investigations involving serious crime and must be subject to review by a court or an independent administrative authority. As a general rule, only data of individuals suspected of being involved or implicated in a crime can be accessed.
Once again, Member States are reluctant to accept the restrictions imposed by the CJEU. Since there is no EU law or CJEU guidance defining “serious crime”, this task is left to Member States. Some Member States have a very broad definition, even to the point of including crimes that cannot be regarded as serious because of their low maximum sentence, but are nonetheless claimed to be perceived as serious by the general public. It is also noted in the Council document that without access to retained data, criminal investigations in cybercrime cases would often “turn out to be futile because digital evidence would be unavailable”. However, when data retention of electronic communications metadata is a particularly serious interference with fundamental rights, as the CJEU has established (Tele2 paragraph 100), access to the retained data must be subject to strict rules and will not always be available for law enforcement authorities. Since more and more activities are related to the online environment, making a complete carve out for crimes committed online would deprive the privacy and data protection safeguards at the access level of almost any meaning.
The Council document notes that the judicial review regimes of most Member States are in line with the prerequisites set out by the CJEU, through a prior review by a court/judge, an independent administrative authority or the prosecution office. However, by silently adding the prosecution office, which is not an independent judicial authority, to the list, Member States are rather misleadingly overstating their compliance with the Tele2 judgment regarding the requirement of independent review of access requests.
Finally, Member States are very reluctant to limit the access to the retained data to persons that are suspects or accused persons, as required by the CJEU, except in special cases involving terrorism (paragraph 119 of the Tele2 judgment). The main reason for this is that “proceedings are commenced not against certain individuals, but against (at least in the beginning) unknown perpetrators.” This suggests that law enforcement authorities routinely use data retention to find possible suspects of a crime, for example through cell phone tower inquiries where information is obtained about all persons that are present in a certain area. Data-mining investigations like this affect a large number persons, some of whom may become suspects simply because of their presence in a certain area (location data). The Tele2 judgment only allows broad access to the retained data as an exception in particular cases involving terrorism, but Member States want to turn the exception into the general rule by only requiring a connection to criminal investigations when retained data is accessed.
At the JHA Council meeting in December, ministers agreed to continue “the work at experts level to explore avenues to develop a concept of data retention within the EU.” However, this is precisely what the expert working group has been doing for the past two years, without delivering a single proposal for data retention that respects the requirements of the Tele2 judgment.
This puts the European data retention situation at a stalemate. Member States refuse to even think of alternatives to their current blanket data retention regimes, but they cannot have blanket data retention, at least not legally, because the CJEU has ruled that it is illegal under EU law. The European Commission is the “guardian of the Treaties”, but appears unwilling to start infringement proceedings against Member States even if it is “monitoring” them. Legal action at the national level against data retention laws is, of course, a potential way out of the stalemate. Litigation is currently being pursued in some Member States, and in the past has been successful in a number of Member States.
However, Member States are fighting for their blanket data retention regimes at other levels than ignoring the Tele2 judgment. One possibility is that the future ePrivacy Regulation will present a more “favourable” environment for data retention than the current ePrivacy Directive – something that the Council is actively working on. This could give Member States a “fresh start” on data retention since the CJEU would have to assess the national data retention laws against the new ePrivacy Regulation, but still interpreted in light of the (unchanged) Charter of Fundamental Rights. There is also the risk that the CJEU could revise its stance on data retention in some of the new cases that are pending before the Court (C-623/17 from UK, C-520/18 from Belgium, and C-511/18 and C-512/18 from France). The first question in C-520/18 is very similar to the first question in the Tele2 case, that is whether Article 15(1) of the ePrivacy Directive, read in the light of the Charter of Fundamental Rights, precludes a general obligation to retain traffic data for providers of electronic communications services. Member States would undoubtedly see this as an opportunity to “retry” the Digital Rights Ireland and Tele2 cases before the CJEU.
Data retention – state of play. Council document 14319/18 (23.11.2018)
EU Member States plan to ignore EU Court data retention rulings (29.11.2017)
EU Member States fight to retain data retention in place despite CJEU rulings (02.05.2018)
(Contribution by Jesper Lund, EDRi member IT-Pol, Denmark)