Europe’s Data Retention Saga and its Risks for Digital Rights

It seems that despite several Court of Justice of the European Union (CJEU) decisions in this area, the data retention saga is unlikely to come to an end any time soon. After the invalidation of its previous instrument, the 2006 Data Retention Directive, the European Commission is currently trying to devise a new plan for the retention of traffic and location data for law enforcement and security purposes in the European Union (EU). The Commission stands at a crossroad: to intervene or not to intervene, that is the question.

By EDRi · August 2, 2021

Long story short

Indeed, the EU lawmaker’s margin for manoeuvre is slim. The volume of European case law on mass surveillance has steadily increased, providing an ever-clearer picture of the possible extent and limits of retention and access to communications data.

In 2014, the CJEU brought down the Data Retention Directive in the Digital Rights Ireland decision for its incompatibility with the EU Charter of Fundamental Rights. That Directive had required providers of electronic communications services to retain metadata about its customers’ communications, i.e. data (“communications data”) that identify the “who”, “where” and “when” of those communications rather than their content.

The Directive was controversial with many digital rights organisations which argued that communications data provided just as much information about an individual as content data and that the Directive, therefore, interfered with individuals’ right to privacy.

The 2014 decision concerned two cases (later merged by the court) brought by EDRi’s members DRI and a large number of complainants organised by Austrian organisation AK Vorrat (now called epicenter.works). The court’s reasoning set out in this ruling was confirmed and reinforced in Tele2/Watson two years later, when the court held again that any indiscriminate data retention obligation on telecommunications providers was unjustified in a democratic society.

The volume of European case law on mass surveillance has steadily increased, providing an ever-clearer picture of the possible extent and limits of retention and access to communications data

Unfortunately, this was not the end of the story. In contempt of these two very clear judgments, several EU Member States decided to willfully ignore the Court and persisted in implementing or creating new national data retention legislation. In most cases, they argued that their respective national regime was, in fact, compliant because it was either “restricted” in some sense or outside of EU competence and thus the Court’s jurisdictional remits.

In practice, however, those claims were false, as demonstrated by Privacy International in its 2017 report, which showed that those laws were actually still general and indiscriminate. Meanwhile, at the EU level, the Council continued to explore all possible options to keep, and even expand, current data retention schemes, notably by creating a dedicated expert working group.

Rogue Member States left unpunished

While the personal data of millions of Europeans are still being stored illegally, the Commission has been reluctant to intervene, although its role of guardian of the treaties would normally require it to do so. Despite EDRi’s repeated calls, the Commission refused to launch a single infringement procedure against (likely) infringing Member States. Instead, it promised to “monitor” national data retention laws, meaning individuals had to rely on civil society organisations and other stakeholders to protect their rights and challenge mass surveillance laws in different Member States, such as France, Belgium, Ireland, Austria, Sweden, Germany, etc (as summarised in EDRi’s latest comparative report on data retention).

While the personal data of millions of Europeans are still being stored illegally, the Commission has been reluctant to intervene

More recently, the CJEU was asked a third time to confirm its position and strongly incentivised to water down existing protections. The Court at least partially relented in 2020 in three connected cases brought by La Quadrature du Net, Privacy InternationalOrdre des barreaux francophones et germanophone and others from Belgium.

In its decision in La Quadrature du Net, the Court introduced an exception to the “general and indiscriminate data retention” prohibition where there is a genuine and present or foreseeable serious threat to national security, justifying the enactment of a state of emergency in a Member State. Moreover, the Court gave in to the possibility of preventively retaining all IP addresses to tackle serious crime, public and national security, despite this measure being considered a serious interference with fundamental rights.

…the Court gave in to the possibility of preventively retaining all IP addresses to tackle serious crime, public and national security

Even with these concessions, the Belgian, French and British laws were deemed illegal and needed to be expressly changed or repealed. This conclusion reinforced our position that many more national regimes are certainly not compliant with the Court’s rulings.

Nevertheless, while acknowledging this non-compliance, the European Commission confirmed in a European Parliament’s hearing that it does not plan to act on it, referring to the “dynamic of a cooperative spirit with all Member States” as justification of its lack of political courage.

Striving for harmonisation

That “cooperative spirit” also saw the Commission consulting with the Member States about the way forward and exploring possible approaches and solutions for responding to law enforcement and judiciary needs in line with the Court’s case law. A recently leaked non-paper (meaning a document prepared by the Commission’s staff but not approved as an official Commission’s position) drafted by the Commission services shows that the EU lawmaker is considering three policy approaches: no EU initiative, non-binding guidance or EU legislative initiative.

Because the uncertainties are manifold, the Commission is walking on eggshells. Choosing one option over the other would have great implications on the policy objectives of harmonisation, enforceability but also legality – with considerable risks that the future EU framework fails to stand the test of the Court if the Member States succeed in introducing more intrusive proposals into the text at later stages of the legislative process.

Under the third of these options, the Commission’s non-paper delineates five combinable proposals for an EU regulation in accordance with the Court’s graduation system, which determines what law enforcement authorities may do depending on the data category, the type of processing (retention, access) and the purpose pursued (protecting national/public security, fighting crime):

…the “state of emergency” declared in France after the 2015 terrorist attacks was misused as a tool of social and political control

The first proposal would seek to harmonise criteria for the generalised retention of and access to metadata for national security purposes, while then leaving it up to the Member States to conduct a risk assessment. This is not particularly reassuring since, for example, the “state of emergency” declared in France after the 2015 terrorist attacks was misused as a tool of social and political control, used to conduct surveillance and arrests of climate activists.

Furthermore, the French Conseil d’Etat, when releasing its decision on mass telecom surveillance, reinterpreted the notion of “national security” to extend it far beyond the fight against terrorism and to include, for example, economic espionage, drug trafficking or the organisation of undeclared demonstrations.

The second proposal takes a shot at devising a targeted data retention regime according to the factors indicated by the CJEU: categories of persons and geographical areas. The Commission goes into extensive detail on what those “objective” factors could encompass, while trying to avoid discriminatory effects.

However, some categories may already raise eyebrows. For example, the specific targeting of “individuals convicted of a serious crime” arguably conflicts with the principle of ne bis in idem, while “areas with above-average crime rates” can lead to the stigmatisation of entire communities.

These categories, therefore, risk reifying existing, potentially discriminatory, surveillance priorities, often centred around policing behaviour more associated with poorer, racialised and working-class areas. There are well-documented concerns that data-driven and predictive policing techniques will give false objectivity to racial profiling and the over-policing of certain neighbourhoods.

The third proposal specifically deals with the quick-freeze solution, whereby authorities could be allowed to order service providers to expeditiously retain traffic and location data in their possession in order to fight serious crimes.

The fourth proposal would permit the general retention of source IP addresses for serious crimes while the final proposal suggests the same for civil identity data to fight ordinary crimes.

All these proposals would include so-called over-the-top services (OTT) such as WhatsApp, Facebook or Skype

All these proposals would include so-called over-the-top services (OTT) such as WhatsApp, Facebook or Skype, which collect much more data for business purposes than traditional telecommunications operators. This would be a notable difference from most national data retention laws, which only cover telecommunications providers.

The non-paper leaves many questions open, such as how to commonly define serious crimes or what the term civil identity data could cover in terms of (non-)technical data – bearing in mind the latest CJEU ruling requiring that access to retained data should be confined to cases of serious crimes when such data allows precise conclusions to be drawn about the users’ private lives.

Regardless of which option Member States will pick or if new ones emerge in the future, civil society should be prepared to engage actively in the debate. We know that EU governments’ aspirations to circumvent the Court’s requirements are great as many still maintain illegal data retention schemes years after the first judgment in 2014. It is therefore essential that we use our best efforts to prevent the worst plans from materialising in light of the far-reaching impacts on fundamental rights this form of mass surveillance entails.

If we are unsuccessful in doing this, it may be “once more unto the breach” for digital rights organisations and the CJEU.

The article was first published by Digital Freedom Fund here.

Image credit: Cottonbro/ Pexels

(Contribution by:)

Chloé Berthélémy

Policy Advisor

Twitter: @ChloBemy