New Belgian data retention law: a European blueprint?
On 21 April 2021, the Belgian Constitutional Court canceled the country’s data retention law, which has allowed every Belgian’s telecom, location and internet metadata to be retained for 12 months, for its potential use in criminal investigations. The Belgian Constitutional Court followed the Court of Justice of the European Union’s (CJEU) judgment released a few months earlier, which declared that practice of general and indiscriminate retention of personal data illegal (for the third time).
This blogpost is based on EDRi member Liga voor Mensenrechten’s Q&A (in Dutch only) which can be found here.
A month later in May, the Belgian government, feeling pressured by the complaints of its police authorities, proposed a new text. This legislation is an intricate balancing act. It tries to accommodate the Courts’ guidelines for lawful data retention, while providing law enforcement authorities with as much retained data as possible. This is the third law that Belgium has introduced after two previous attempts that failed. Both were struck down by the Constitutional Court in 2015 and 2021.
Episode III: has the legislator learned their lesson?
The third legislation attempts to propose a more differentiated data retention regime, in line with the observations of the Constitutional Court and the CJEU. Contrary to a general and indiscriminate data retention which unjustifiably infringes the right to privacy and the presumption of innocence, “Data Retention III” proposes a “targeted approach” based on geographical areas and individuals.
In places with greater risks of certain types of crime or that are particularly sensitive for state and “public security”, personal data retained by telecommuniactions company could still be preemptively retained. Some of the examples mentioned in the draft law are airports, train and metro stations, border zones, hospitals, motorways, research centers, judicial and police buildings and all municipalities where “critical infrastructures” (energy production and transport, indispensable links in electronic payment systems and electronic communication networks) are located. In addition, data is retained in places with high crime rates. The retention period there can be longer or shorter depending on the number of serious crimes in that particular area.
The retention can also be aimed at specific persons who are, for example, the subject of an investigation or where there are clear indications that they have committed serious crimes.
The issue is that, while this approach claims to be “targeted”, in practice data would be retained on a fairly large scale given all the areas potentially covered by the text. The government designates so many areas as sensitive or with high probability of serious crimes that this de facto almost amounts to the general data retention that was imposed in two previous laws. In the areas within which data will be retained, every individual will still be seen as a possible suspect.
What it means for the average citizen is that they will have a high chance to live or pass through areas where all their data about who they call, where, when, for how long, which websites they visit, whom they send text messages to, etc. will be retained. Although this relates only to metadata (and not the content of messages), the Court of Justice already showed that it is possible to create individual profiles and infer very sensitive information on the basis of this data, which therefore violates people’s privacy.
A nasty surprise: encryption backdoors
The draft legislation also requires that encryption service providers must allow identification, traffic or location data to be stored. In other words, the content of encrypted messages will not be stored in clear text but metadata – data on when, where and with whom a person communicated, etc. will be unencrypted. However, the metadata that we generate during our daily activities online contains an immense amount of information. As stressed multiple times by the Court of Justice of the European Union, metadata can provide a fairly good picture of the user’s private life, social relationships and habits.
Worse still, the Belgian draft text requires that encryption systems should not prevent ‘legal’ interception operations. Judicial entities could order telecom operators to ‘switch off’ encryption for certain users. However, it is not clear how this legal requirement is technically achievable. This ‘switch off’ function would therefore lead to the introduction of some sort of backdoor in encrypted systems.
Encryption backdoors make entire encrypted systems insecure, as even ill-intentioned actors can easily exploit these vulnerabilities. People can therefore no longer be confident that when they use encrypted communication, that this communication is truly private. The draft legislation will have detrimental consequences on the security of Belgium’s communications.
On 28 September 2021, a coalition of more than 100 organisations and individual cybersecurity experts, joined by EDRi, wrote an open letter to the Belgian Ministers, calling on them to drop mandatory data retention and encryption backdoors in the new draft law.
EDRi agrees with the Belgian Data Protection Authority (APD), which stated in its advisory opinion that the retention of encrypted data constitutes a disproportionate interference with the right to privacy and therefore goes beyond what is necessary in a democratic society. According to the APD, private operators should not be legally forced to enable legal interception of their encrypted systems.
We will continue to monitor the situation with the help of our Belgian member Liga voor Mensenrechten to ensure that Belgium’s government respects human rights and gives up on mass surveillance measures under the guise of fighting serious crime.