The right to privacy is a crucial element of our personal security, for free speech and for democratic participation. It is a fundamental right in the primary law of the European Union and is recognised in numerous international legal instruments. Digital technologies have generated a new environment of potential benefits and threats to this fundamental right. As a result, defending our right to privacy is at the centre of EDRi’s priorities.
On 10 February 2020, EDRi member Digitalcourage published the German government’s plea in the data retention case at the European Court of Justice (ECJ). Dated 9 September 2019, the document from the government explains the use of retained telecommunications data by secret services, the question whether the 2002 ePrivacy Directive might apply to various forms of data retention, which exceptions from human rights protections apply to secret service operations, and justifies its plans for the use of data retention to solve a broad range of crimes with the example of a case of the abduction of a Vietnamese man in Berlin by Vietnamese agents. However, this case is very specific and, even if then the retained data was “useful”, that is not a valid legal basis for mass data retention, and therefore can not justify drastic incisions into the basic rights of all individuals in Germany. Finally, the German government also argues that the scope and time period of the storage makes a difference regarding the compatibility of data retention laws with fundamental rights.
Digitalcourage calls for all existing illegal data retention laws to be declared invalid in the EU. There are no grounds for blanket and suspicion-less surveillance in a democracy and under the rule of law. Whether it is content data or metadata that is being stored, data retention (blanket and mass collection of telecommunications data) is inappropriate, unnecessary and ineffective, and therefore illegal. Where the German government argues that secret services need to use telecommunications data to protect state interests, Digitalcourage agrees with many human rights organisations that activities of secret services can be a direct threat to the core trust between the general public and the state. The ECJ has itself called for the storage to be reduced to the absolutely required minimum – and that, according to Digitalcourage, can be only be fulfilled if no data is stored without individual suspicion.
On 30 January 2020, the European Court of Human Rights (ECtHR) issued its judgment on the Breyer VS Germany case. The case was brought by Patrick Breyer (currently a Member of the European Parliament, MEP) and Jonas Breyer (herewith “the applicants”), who complained about the obligation introduced by the Telecommunications Act in Germany to register all customers of pre-paid SIM cards. Similar obligations have been imposed in Romania and elsewhere. In total, there are 15 Council of Europe (CoE) Member States requiring subscriber registration of pre-paid SIM customers, versus 32 that do not have such laws. The applicants claimed a violation of Articles 8 and 10 of the European Convention of Human Rights – right to privacy and freedom of expression, respectively.
Indiscriminate collection of personal data? This time it is ruled legal.
to the Court, the scope of the applicants’ complaint was not
sufficiently grounded regarding freedom of expression and, therefore,
analysed the application solely on a potential violation of the right
to private life. The Court, by six votes to one, declared that there
was no violation of the right to private life. According to the
majority of the Court, even though there was a clear interference
with the right to private life, the interference was legitimate
because of reasons of public safety and prevention of disorder or
crime. It was also necessary in a democratic society because it
“strongly simplifies and accelerates investigation by
law-enforcement agencies” and it can “contribute” to more
“effective law enforcement”. Furthermore, it added the data
stored and the interference deriving from it
was “while not trivial, of a rather limited nature”.
But is efficiency the right approach? In the recent Advocate General (AG) Opinion on four data retention cases before the Court of Justice of the European Union (CJEU), the AG points out that the argument of efficiency cannot lead to watering democracy and that the fight crime (or terrorism in that case) cannot be analysed just in terms of “efficiency”. Indeed, installing CCTV cameras in every room in every house in order to prevent violence against women may be very “efficient”, but efficiency cannot be the ultimate reason (or even a legal basis) to implement any measures we could imagine.
Dissenting Opinion: Sensitive data and lack of effective safeguards
not all judges agreed. The dissenting Opinion of judge Carlo Ranzoni
raises relevant questions and arguments which could well lead to a
referral of the case to the Grand Chamber. In his dissenting Opinion,
Ranzoni argues that he found a violation of Article 8 for various
reasons. First, in the case in question, the measures are not
confined to the fight against terrorism or other serious crimes (and
even when investigating serious crimes, not all measures are
Ranzoni also argues
that, even though the information stored was not sensitive in
the majority of the Court overlooked the possibilities of
“identification of the parties to every telephone call
or message exchange and the attribution of possibly sensitive
information to an identifiable person”, which in his opinion makes
it comparable to similar interferences in the right to private life,
as it did in Benedik v. Slovenia,
which were not described then
as of a “rather
limited nature” by the
ECtHR (para. 5 of the
further suggests that the law in question allows for the storage of
(and access to) data of all SIM card subscribers, without a link to
the investigation of any serious crime, for a long period of time.
This is a serious interference, and not a light one. However, the
“crux of the case” is, according to Ranzoni, the analysis of the
quality of the safeguards and how effectively they can prevent
abuses. According to him, supervising authorities do not have real
capacity to investigate possible abuses, because as the
Constitutional Court itself pointed out, “the retrieving authority
does not have to give reasons for its request”, and therefore the
Federal Network Agency (that is in charge of the retrieval of data of
phone users from companies for requesting authorities) would not be
able to analyse if the request is admissible (para. 22). Therefore,
effective review and supervision of retrieval requests by a judicial
or otherwise independent authority are nonexistent.
Finally, according to Ranzoni, the vast majority of victims of the
interference “are left without any possibility of review” since
“it appears unrealistic [for Data Protection Authorities] to review
some 35 million data sets consulted by a wide range of different
authorities” (para. 25 of the dissenting Opinion).
The applicants can still apply for a referral of the case to the Grand Chamber that could still overturn this judgment. The dissenting opinion brings strong arguments justifying such a referral. In the meantime, the pending cases Privacy International, C-623/17 and Ordre des barreaux francophones et germanophone et al. C-520/18 are also awaiting a judgment. If the CJEU judgment follows the AG Opinion, the obligation on private companies to perform mass blanket data retention of communications data would be considered once again illegal. If that happens in the CJEU, some of the arguments put forward by the majority of judges in the present ECtHR Breyer case (such as the “efficiency” for law enforcement argument) may help the applicants to overturn the arguments of the majority in this case.
On 15 January, Advocate General (AG) Campos Sánchez-Bordona of the Court of Justice of the European Union (CJEU), issued his Opinions (C-623/17, C-511/18 and C-512/18 and C-520/18) on how he believes the Court should rule on vital questions relating to the conditions under which security and intelligence agencies in the UK, France and Belgium could have access to communications data retained by telecommunications providers.
The AG addressed two major questions:
When states seek to impose obligations on electronic communications services in the name of national security, do such requirements fall within the scope of EU law?
If the answer to the first question is yes, then what does EU law require of the national schemes at issue, which include: a French data retention regime, a Belgian data retention regime, and UK regime for the collection of bulk communications data?
The AG’s short answers to those questions are:
Yes, EU law applies whenever states seek to impose processing requirements on electronic communications services, even if those obligations may be motivated by national security concerns; and
Accordingly, the national regimes at issue must all comply with the CJEU’s previous judgments in Digital Rights Ireland and Others, Cases C-293/12 and C-594/12 (“Digital Rights Ireland”), and Tele2 Sverige and Watson and Others, Cases C-203/15 and C-698/15 (“Tele2/Watson”). None of them do, which leads the AG to advise that none of the regimes are compatible with EU law.
The AG’s Opinion is an affirmation of the basic principle at the heart of EDRi member Privacy International’s work: national security measures must be subject to the rule of law and respect our fundamental rights.
Central to all three Opinions is the question of whether EU law applies when Member States are acting to protect their national security. The AG concludes that the national security context does not disapply EU law. Instead, one must look to the effect of the proposed requirement – data retention or collection – on electronic communications services. Requiring these service providers to retain and/or transmit data to the security and intelligence agencies (SIAs) falls under EU law because such practices qualify as the “processing of personal data”.
Stating this principle in the negative, the AG says: “The provisions of the directive will not apply to *activities* which are intended to safeguard national security and are undertaken by the public authorities themselves, without requiring the cooperation of private individuals and, therefore, without imposing on them obligations in the management of business” (UK Case C-623/17, paragraph 34/79) (emphasis in original).
Is the UK Bulk Communications Data Regime compatible with EU law?
In the UK case, Privacy International challenged the bulk acquisition and use of communications data by Government Communications Headquarters (GCHQ and the Security Service MI5. That case began in the Investigatory Powers Tribunal (IPT), which referred to the CJEU the questions that the AG is addressing. The IPT asked the CJEU to decide, first, whether requiring an electronic communications network to turn over communications data in bulk to the SIAs falls within the scope of European Union law; and second, if the answer to the first question is yes, what safeguards should apply to that bulk access to data?
As noted above, the AG’s answer to the first question is yes, which brings the second question into play. In short, the AG declares that the UK bulk communications and data retention regime (as implemented under section 94 of the Telecommunications Act 1984) “does not satisfy the conditions established in the Tele2 Sverige and Watson judgment, because it involves general and indiscriminate retention of personal data” (UK Case C-623/17, paragraph 37).
The AG re-emphasises that access to retained data “must be subject to prior review by a court or an independent administrative authority” (UK Case C-623/17, paragraph 139). The value of this authority lies in its commitment “to both safeguarding national security and to defending citizens’ fundamental rights” (Id.).
The AG further endorses the application of the other conditions from the Tele2/Watson judgment, including:
the requirement to inform affected parties, unless this would compromise the effectiveness of the measure; and
the retention of the data within the European Union. (UK Case C-623/17, paragraph 43)
Is the French Data Retention Regime compatible with EU law?
The French case similarly asked whether general and indiscriminate data retention was permissible under EU law for the purposes of combating terrorism.
The AG concluded that the French regime amounts to generalised and indiscriminate data retention and as such it is not compatible with EU law (French Cases C-511/18 and C-12/18, paragraph 111). The French legislation at issue imposes a one-year retention obligation on all electronic communications operators and others with regard to all data of all subscribers for the purpose of the investigation, finding, and prosecution of criminal offenses.
The AG reiterates the conclusion of the Tele2/Watson judgment that the fight against terrorism or similar threats to national security cannot justify generalised and indiscriminate retention of data. He suggests that data retention should be targeted and permissible only if certain criteria are satisfied, for example targeting a specific group of people or a particular geographical area (French Cases C-511/18 and C-12/18, paragraph 133). The Belgian opinion elaborates on possible types of targeting criteria. On the question of access to retained data, he advises that access should depend on previous authorisation of a judicial or independent administrative authority following a reasoned request by the competent authorities.
The AG, furthermore, concluded that that real-time collection of traffic and location data of individuals suspected to be connected to a specific terrorist threat would be permissible under EU law so long as it does not impose on the service providers an obligation to retain additional data beyond what it is already required for billing or marketing services. Independent authorisation is also necessary for accessing this data (French Cases C-511/18 and C-12/18, paragraphs 142-3).
Similarly to the UK Opinion above, the AG reaffirms the requirement to inform affected parties, unless this would compromise the effectiveness of the measure that was already established in Tele2/Watson case and concludes that the French law is not compatible with the EU requirements (French Cases C-511/18 and C-12/18, paragraph 153).
Are AG’s opinions the judgments of the CJEU?
The AG’s opinions are not binding on the CJEU. The Court will issue its Opinion in the coming months.
What comes next?
Following the CJEU judgment, each case will be sent back to each state’s national courts. If the CJEU agrees with the Advocate General, then national courts will have to apply the CJEU judgment and accordingly find domestic regimes incompatible with EU law.
On 15 January, Advocate General (AG) Campos Sánchez-Bordona of the Court of Justice of the European Union (CJEU) delivered his opinions on four cases regarding data retention regimes in France, Belgium and the UK, in the context of these Members States’ surveillance programmes.
The AG endorsed the previous case law on data retention, confirming that a general and indiscriminate retention of personal data is disproportionate, even when such schemes are implemented for national security reasons.
An interesting take from his Opinions is how he challenged EU Member States who tend to consider national security as their get-out-of-jail-free card.
National security cannot be used as escape route from EU law
One of the questions the AG had to answer concerned the applicability of the ePrivacy Directive, which Member States contested. They argued that EU law was not applicable, as the surveillance programmes were a matter of national security, in the context of terrorism threats, and therefore not within the EU’s jurisdiction.
Even though the matter had already been solved in the Tele 2 case, the AG, faced with determined Member States, provided for a clear and hopefully once and for all analysis on the national security argument. In all three opinions, the AG stresses that, in these cases, national security reasons could not prevent the applicability of EU law. For the AG, the notion of “national security” is too vague to be invoked to oppose the application of safeguards regarding the protection of personal data and confidentiality of citizens (C-511/18 and C-512/18, para. 74).
He therefore proceeded to define this notion in light of the ePrivacy Directive. The Directive would not apply when activities related to “national security” are undertaken by the public authorities directly themselves, by their own means and for their own account. But as soon as the States impose obligations on private actors for these same reasons, the Directive applies (C-511/18 and C-512/18, para. 79 to 85).
In these cases, telecom operators are obliged, under the law, to retain the data of their subscribers and to allow public authorities access to it. It does not matter that these obligations are imposed for national security reasons.
…and neither can the fundamental right of security
To add another layer to the “security” argument, the French case mentioned the right to security under Article 6 of the Charter of Fundamental Rights of the European Union as a justification to the data retention scheme. This could be a valid argument, but as the AG points out, the right to security protected in the Charter is the right to personal security against arbitrary arrest or detention and does not cover public security in the sense of terrorism threats and attacks (C-511/18 and C-512/18, para. 98, 99).
Terrorism as an excuse?
As part of the “national security” argument, France also argued that the general and indiscriminate retention of personal data was put in place to fight terrorism, in a context of serious and persistent threats to national security.
The AG, however, rightly points out that in the French legislation, terrorism is only one of the justifications possible for such a data retention regime. Terrorism threats are part of the factual context and the excuse for imposing such a regime, while in reality, the regime applies generally, for the purpose of fighting crime (C-511/18 and C-512/18, para. 119 & 120).
Moreover, the CJEU had already rejected, in the Tele2 case, the possibility of having a general and indiscriminate data retention regime for antiterrorism reasons. The AG underlines that this is not incompatible with the view of the Court that fighting terrorism is a legitimate and vital interest for the State. But the case law of the CJEU is clear that, such an objective of general interest, as vital as it can be, cannot in itself justify the necessity of a general and indiscriminate retention regime.
In response to Member States arguing against anything less than a general and indiscriminate retention for this purpose, the AG explains that the fight against terrorism cannot only be contemplated in regards to its efficiency. Because of the scale and the means put into this issue, it must be part of the Rule of Law and must respect fundamental rights. Relying only on efficiency would mean ignoring other democratic issues and could potentially, in extreme cases, lead to harms done to citizens. (C-511/18 and C-512/18, para. 131).
The AG succeeds in debunking the Member States’ arguments, but stops short of preventing abuse.
The danger of “state of emergency” exceptions
Indeed, at the end of his analysis, the AG very briefly (C-511/18 and C-512/18, para. 104 and C-520/18, para. 105 & 106) explains that regardless of what he argued, Member States could be allowed to impose an obligation to retain data, as wide and general as needs be. This could only be done in really exceptional situations, where there is an imminent threat or an extraordinary risk justifying the enactment of a state of emergency in a Member States.
The only safeguard mentioned is the “limited period” that these kind of schemes could run for. This is not enough as we saw how a “state of emergency” can be abused. In France, after the terrorist attacks of November 2015, l’état d’urgence, state of emergency, was enacted and went on for two years. It has been shown that this scheme was not only used for antiterrorism purposes, but also as a tool of social, security and political control, used to conduct surveillance and arrests of, for example, climate activists who are considered “extremists” .
More globally, this has been demonstrated by the various electronic surveillance programmes implemented by the USA after 9/11 in the name of the “war on terror”.
The AG’s opinions are not binding but usually influence the final judgments of the CJEU, which will be issued in the upcoming months. EDRi will be following the development of these cases.
EDRi’s initial reaction on the press release of the AG Opinion on data retention
Today’s Court of Justice of the European Union (CJEU) Advocate General’s Opinions continue the firmly established case-law of the CJEU considering mass collection of individuals communications data incompatible with EU law. The Advocate General reaffirms that blanket retention of telecommunication data is disproportionate to its purported goal of national security and combating crime and terrorism.
Today, on 15 January, the CJEU Advocate General Campos Sánchez-Bordona delivered his Opinionsn on four cases regarding data retention regimes in France, Belgium and the UK. These cases focus on the compatibility of these Member States’ surveillances programmes with the existing case law on data retention and the applicability of the ePrivacy Directive in those cases.
Once again, the Advocate General of the CJEU has firmly sided to defend the right to privacy, and declared that indiscriminate retention of all traffic and location data of all subscribers and registered users is disproportionate.
said Diego Naranjo, Head of Policy at EDRi.
The European Commission needs to take note of yet another strong message against illegal data retention laws. While combating crime and terrorism are legitimate goals, this should not come at the expense of fundamental rights. It’s crucial to ensure that the EU upholds the Charter of Fundamental Rights and prevents any new proposal for data retention legislation of a general and indiscriminate nature.
The Opinions respond to four references for a preliminary ruling, sent by the French Council of State (joined cases C-511/18 and C-512/18, La Quadrature du Net and Others), Belgian Constitutional Court (Case C-520/18, Ordre des barreaux francophones et germanophone and Others) and the UK Investigatory Powers Tribunal (Case C-623/17, Privacy International). The Advocate General confirms that the ePrivacy Directive and EU law applies to data retention for the purpose of national security. He proposes to uphold the case-law of the Tele2 case and stressed that “a general and indiscriminate retention of all traffic and location data of all subscribers and registered users is disproportionate” and that only limited and discriminate retention with limited access to that data is lawful. He states that “the obligation to retain data imposed by the French legislation is general and indiscriminate, and therefore is a particularly serious interference in the fundamental rights enshrined in the Charter” and similar criticism is raised on the Belgian and UK laws.
Following the invalidation of the data retention Directive in the Digital Rights Ireland case in 2014, Member States have been relying on the ePrivacy Directive to enact national data retention legislation. In 2016, the CJEU clarified this possibility and ruled in the Tele2 case that blanket data retention measures are incompatible with the Charter of Fundamental Rights of the European Union. Since then, as the Commission has been reluctant to intervene, civil society organisations have been challenging unlawful data retention legislation in different Member States.Blanket data retention of telecommunications data is a very invasive surveillance measure of the entire population. This can entail the collection of sensitive information about citizens’ social contacts, movements and private lives, without any suspicion. Telecommunications data retention also undermines professional confidentiality, the protection of journalistic sources and compromises the freedom of the press, and prevents confidential electronic communications. The retained data is also of high interest for criminal organisations and unauthorised state actors from all over the world – several successful data breaches have been documented. Overall, blanket data retetion damages preconditions of open and democratic societies.
The Danish police and the Ministry of Justice consider access to electronic communications data to be a crucial tool for investigation and prosecution of criminal offences. Legal requirements for blanket data retention, which originally transposed the EU Data Retention Directive, are still in place in Denmark, despite the judgments from the Court of Justice of the European Union (CJEU) in 2014 and 2016 that declared general and indiscriminate data retention illegal under EU law.
In March 2017, in the aftermath of the Tele2 judgment, the Danish Minister of Justice informed the Parliament that it was necessary to amend the Danish data retention law. However, when it comes to illegal data retention, the political willingness to uphold the rule of law seems to be low – every year the revision is postponed by the Danish government with consent from Parliament, citing various formal excuses. Currently, the Danish government is officially hoping that the CJEU will revise the jurisprudence of the Tele2 judgment in the new data retention cases from Belgium, France and the United Kingdom which are expected to be decided in May 2020. This latest postponement, announced on 1 October 2019, barely caught any media attention.
However, data retention has been almost constantly in the news for other reasons since 17 June 2019 when it was revealed to the public that flawed electronic communications data had been used as evidence in up to 10000 police investigations and criminal trials since 2012. Quickly dubbed the “telecommunications data scandal” by the media, the ramifications of the case have revealed severely inadequate data management practices by the Danish police for almost ten years. This is obviously very concerning for the functioning of the criminal justice system and the right to a fair trial, but also rather surprising in light of the consistent official position of the Danish police that access to telecommunications data is a crucial tool for investigation of criminal offences. The mismatch between the public claims of access to telecommunications data being crucial, and the attention devoted to proper data management, could hardly be any bigger.
According to the initial reports in June 2019, the flawed data was caused by an IT system used by the Danish police to convert telecommunications data from different mobile service providers to a common format. Apparently, the IT system sometimes discarded parts of the data received from mobile service providers. During the Summer of 2019, a new source of error was identified. In some cases, the data conversion system had modified the geolocation position of mobile towers by up to 200 meters.
Based on the new information of involuntary evidence tampering, the Director of Public Prosecutions decided on 18 August 2019 to impose a temporary two-month ban on the use of telecommunications data as evidence in criminal trials and pre-trial detention cases. Somewhat inconsequential, the police could still use the potentially flawed data for investigative purposes. Since telecommunications data are frequently used in criminal trials in Denmark, for example as evidence that the indicted person was in the vicinity of the crime scene, the two-month moratorium caused a number of criminal trials to be postponed. Furthermore, about 30 persons were released from pre-trial detention, something that generated media attention even outside Denmark.
In late August 2019, the Danish National Police commissioned the consultancy firm Deloitte to conduct an external investigation of its handling of telecommunications data and to provide recommendations for improving the data management practices. The report from Deloitte was published on 3 October 2019, together with statements from the Danish National Police, the Director of Public Prosecutions, and the Ministry of Justice.
The first part of the report identifies the main technical and organisational causes for the flawed data. The IT system used for converting telecommunications data to a common format contained a timer which sometimes submitted the converted data to the police investigator before the conversion job was completed. This explains, at least at technical level, why parts of the data received from mobile service providers were sometimes discarded. The timer error mainly affected large data sets, such as mobile tower dumps (information about all mobile devices in a certain geographical area and time period) and access to historical location data for individual subscribers.
The flaws in the geolocation information for mobile towers that triggered the August moratorium were traced to errors in the conversion of geographical coordinates. Mobile service providers in Denmark use two different systems for geographical coordinates, and the police uses a third system internally. During a short period in 2016, the conversion algorithm was applied twice to some mobile tower data, which moved the geolocation positions by a couple of hundred meters.
On the face of it, these errors in the IT system should be relatively straightforward to correct, but the Deloitte report also identifies more fundamental deficiencies in the police practices of handling telecommunications data. In short, the report describes the IT systems and the associated IT infrastructure as complex, outdated, and difficult to maintain. The IT system used for converting telecommunications data was developed internally by the police and maintained by a single employee. Before December 2018, there were no administrative practices for quality control of the data conversion system, not even simple checks to ensure that the entire data set received from mobile service providers had been properly converted.
The only viable solution for the Danish police, according to the assessment in the report, is to develop an entirely new infrastructure for handling telecommunications data. Deloitte recommends that the new infrastructure should be based on standard software elements which are accepted globally, rather than internally developed systems which cannot be verified. Concretely, the reports suggests using POL-INTEL, a big data policing system supplied by Palantir Technologies, for the new IT infrastructure. In the short term, some investment in the existing infrastructure will be necessary in order to improve the stability of the legacy IT systems and reduce the risk of creating new data flaws. Finally, the report recommends systematic independent quality control and data validation by an external vendor. The Danish National Police has accepted all recommendations in the report.
Deloitte also delivered a short briefing note about the use of telecommunications data in criminal cases. The briefing note, intended for police investigators, prosecutors, defence lawyers and judges, explains the basic use cases of telecommunications data in police investigations, as well as information about how the data is generated in mobile networks. The possible uncertainties and limitations of telecommunications data are also mentioned. For example, it is pointed out that mobile devices do not necessarily connect to the nearest mobile tower, so it cannot simply be assumed that the user of the device is close to the mobile tower with almost “GPS level” accuracy. This addresses a frequent critique against the police and prosecutors for overstating the accuracy of mobile location data – an issue that was covered in depth by the newspaper Information in a series of articles in 2015. Quite interestingly, the briefing note also mentions the possibility of spoofing telephone numbers, so that the incoming telephone call or text message may originate from a different source than the telephone number registered by the mobile service provider under its data retention obligation.
On 16 October 2019, the Director of Public Prosecutions decided not to extend the moratorium on the use of telecommunications data. Along with this decision, the Director issued new and more specific instructions for prosecutors regarding the use of telecommunications data. The Deloitte briefing note should be part of the criminal case (and distributed to the defence lawyer), and police investigators are required to present a quality control report to prosecutors with an assessment of possible sources of error and uncertainty in the interpretation of the telecommunications data used in the case. Documentation of telecommunications data evidence should, to the extent possible, be based on the raw data received from mobile service providers and not the converted data.
For law enforcement, the October 16 decision marks the end of the data retention crisis which erupted in public four months earlier. However, only the most imminent problems at the technical level have really been addressed, and several of the underlying causes of the crisis are still looming under the surface, for example the severely inadequate IT infrastructure used by the Danish police for handling telecommunications data. The Minister of Justice has announced further initiatives, including investment in new IT systems, organisational changes to improve the focus on data management, improved training for police investigators in the proper use and interpretation of telecommunications data, and the creation of a new independent supervisory authority for technical investigation methods used by the police.
On 19 August 2019, Austrian EDRi member epicenter.works lodged a complaint with the Austrian data protection authority (DPA) against the Passenger Name Records (PNR) Directive. After only three weeks, on 6 September, they received the response from the DPA: The complaint was rejected. That sounds negative at first, but is actually good news. The complaint can and must now be lodged with the Federal Administrative Court.
Why was the complaint rejected?
The DPA has no authority to decide whether or not laws are constitutional. Moreover, it cannot refer the matter to the Court of Justice of the European Union (CJEU), which in this case is necessary, because the complaint concerns an EU Directive. It was to be expected that the DPA would decide in this way, but the speed of the decision was somewhat surprising – in a positive way. It was clear from the outset that the data protection authority would reject the complaint, but it was a necessary step that could not be skipped, as there is no other legal route to the Federal Administrative Court than via the DPA. All seven proceedings of the complainants lodged with the aid of epicenter.works were merged, and the organisation was given the power of representation. This means that epicenter.works is allowed to represent the complainants.
What are the next steps?
Meanwhile, epicenter.works is still waiting for a freedom of information (FOI) request they have sent to the Passenger Information Unit (PIU) that processes the PNR data in Austria. While an answer to one request was received within a few days, another one has been overdue since 23 August. The unanswered request concerns data protection framework conditions for the PNR implementation.
epicenter.works will file the complaint with the Federal Administrative Court within four weeks. It is to be expected that the court will submit legal questions to the Court of Justice of the European Union (CJEU).
September 2019 brought us long-awaited developments regarding the situation of data retention in Portugal. The Justice Ombudsman decided to send the Portuguese data retention law to the Constitutional Court, following the Court of Justice of the European Union’s (CJEU’s) case law on blanket retention of data that lead to invalidation of Directive 2006/24/EC. This decision comes after a complaint presented by EDRi observer Associação D3 – Defesa dos Direitos Digitais, in December 2017.
The Ombudsman had first decided to issue an official recommendation to the government, urging it to propose a legislative solution for the problematic law that originated from the now invalidated Data Retention Directive. Faced with a refusal from the Minister of Justice to find a solution through legislative means, the Ombudsman has now decided to concede to D3’s original request, and has sent the matter for the appreciation of the Constitutional Court, which will have to provide a ruling on the constitutionality of the Portuguese data retention scheme.
A few days later, the same Constitutional Court partially stroke down, for the second time, a law that granted the intelligence services’ access to retained data. In 2015, the Constitutional Court had already declared the unconstitutionality of a similar law, after the president had requested a preventive ruling by the Court before signing it into law. However, in 2017, a new law that addressed some of the problems raised by the Constitutional Court was approved in the Parliament. As the new president opted not to request a preventive decision, the law came into force. 35 Members of the Parliament (MP) from three parties then requested a Constitutional Court ruling on the law, which was now issued.
The fundamental reasoning of this decision is that the Portuguese Constitution forbids public authorities from accessing citizen’s correspondence and telecommunications, except in the context of a criminal procedure. Given that the intelligence services have no criminal procedure competences, they cannot access such data within the existent Constitutional framework. However, the Court did allow access to user location and identification data (in the context of the fight against terrorism and highly organised crime), as such data was not considered to be covered by the secrecy of communications.
This case has also lead to the resignation of the original judge rapporteur due to disagreements related to the reasoning reflected in the final version of the text of the decision.
In the digital space, “postal services” often snoop into your online conversations in order to market services or products according to what they find out from your chats.
A law meant to limit this exploitative practice is stalled by the Council of European Union
We all expect our mail to be safe in the hands of a mailman. We have confidence that both the post office and the mailmen working there will not take a sneak-a-peak into our written correspondence. Neither we expect mailmen to act like door-to-door salespersons.
The need for
encrypted mail in storage *and* in transit
The WhatsApp case is
a good example. Currently, WhatsApp seals the message right after you
press “send”. The message goes to WhatsApp’s servers, is stored
encrypted, and then sent to its recipient, also encrypted. This means
that, technically, the mail is encrypted both in storage and in
transit and nobody can reads its content. However, as Forbes
points out, future ads plans might modify WhatsApp’s encryption
so that they “first identify key words in sentences, like
“fishing” or “birthday,” and send them to Facebook’s
servers to be processed for advertising, while separately sending the
There’s a law
for it, but it’s stalled by the EU Council
The ePrivacy Regulation, which is currently under negotiation, is aimed at ensuring privacy and confidentiality of our electronic communications, by complementing and particularising the rules introduced by the General Data Protection Regulation (GDPR). The EU Parliament adopted a good stand for ePrivacy that would ensure your online messages are protected both in storage and in transit (Art.5), that would consider “consent” as the only legal basis for processing data (Art 6), that would make privacy–by–design and privacy–by–default core principles in software design (Art. 10), and that would protect encryption from measures aimed at undermining it (Art. 17). However, the Council of the European Union is yielding under big tech lobby pressure and drafted an opinion that threatens our rights and freedoms. More, the text adopted by the EU Parliament in October 2017 has been stuck in the EU Council, behind closed-door negotiations for soon two years. We have sent several letters (here, here and here) calling for the safeguarding our communications and for the adoption of this much needed ePrivacy Regulation.
Will our voices be heard? If you are worried about being targeted based on your private conversations, join our efforts and stay tuned for more updates coming soon.
On 22 July 2019, 30 civil society organisations sent an open letter to the European Commission President-elect Ursula von der Leyen and Commissioners Avramopoulos, Jourová and King, urging the commissions of the EU Commission to conduct an independent assessment on the necessity and proportionality of existing and potential legislative measures around data retention. Furthermore, signatories asked to ensure that the debate around data retention does not prevent the ePrivacy Regulation from being adopted swiftly.
By email: President-elect von der Leyen First Vice-President Timmermans
CC: Commissioner Avramopoulos Commissioner Jourová Commissioner King
Dear First Vice-President Timmermans, Dear President-elect von der Leyen,
The undersigned organisations represent non-governmental organisations working to protect and promote human rights in digital and connected spaces. We are writing to put forward suggestions to ensure compliance with the EU Charter of Fundamental Rights and the CJEU case law on data retention.
EU Member States (and EEA countries) have had different degrees of implementation of the CJEU ruling on 8 April 2014 invalidating the Data Retention Directive. EDRi’s 2015 study reported that six Member States1 have kept data retention laws which contained features that are similar or identical to those that were ruled to be contrary to the EU Charter. Other evidence pointed in the same direction.2 While personal data of millions of Europeans were being stored illegally, the European Commission had not launched any infringement procedures. On 21 December 2016, the CJEU delivered its judgment in the Tele2/Watson case regarding data retention in Member States’ national law. In the aftermath of this judgment, the Council Legal Service unambiguously concluded that “a general and indiscriminate retention obligation for crime prevention and other security reasons would no more be possible at national level than it is at EU level, since it would violate just as much the fundamental requirements as demonstrated by the Court’s insistence in two judgments delivered in Grand Chamber.”3
On 6 June 2019 the Council adopted “conclusions on the way forward with regard to the retention of electronic communication data for the purpose of fighting crime” which claim that “data retention is an essential tool for investigating serious crime efficiently”. The Council tasked the Commission to “gather further information and organise targeted consultations as part of a comprehensive study on possible solutions for retaining data, including the consideration of a future legislative initiative.”
While the concept of blanket data retention appeals to law enforcement agencies, it has never been shown that the indiscriminate retention of traffic and location data of over 500 million Europeans was necessary, proportionate or even effective.
Blanket data retention is an invasive surveillance measure of the entire population. This can entail the collection of sensitive information about social contacts (including business contacts), movements and private lives (e.g. contacts with physicians, lawyers, workers councils, psychologists, helplines, etc.) of hundreds of millions of Europeans, in the absence of any suspicion. Telecommunications data retention undermines professional confidentiality and deters citizens from making confidential communications via electronic communication networks. The retained data is also of high interest for criminal organisations and unauthorised state actors from all over the world. Several successful data breaches have been documented.4 Blanket data retention also undermines the protection of journalistic sources and thus compromises the freedom of the press. Overall, it damages preconditions of open and democratic societies.
The undersigned organisations have therefore been in constructive dialogue with the European Commission services to ensure that the way forward includes the following suggestions:
The European Commission commissions an independent, scientific study on the necessity and proportionality of existing and potential legislative measures around data retention, including a human rights impact assessment and a comparison of crime clearance rates;
The European Commission and the Council ensure that the debate around data retention does not prevent the ePrivacy Regulation from being adopted swiftly;
The European Commission tasks the EU Fundamental Rights Agency (FRA) to prepare a comprehensive study on all existing data retention legislation and their compliance with the Charter and the CJEU/European Court of Human Rights case law on this matter;
The European Commission considers launching infringement procedures against Member States that enforce illegal data retention laws.
We look forward to your response and remain at your disposal to support the necessary initiatives to uphold EU law in this policy area.
European Digital Rights (EDRi) Access Now Chaos Computer Club (CCC) Bits of Freedom Asociatia pentru Tehnologie si Internet (ApTI) Epicenter.works Electronic Frontier Norway (EFN) Dataskydd.net Digital Rights Ireland Digitalcourage Privacy International Vrijschrift FITUG e.V. Hermes Center for Transparency and Digital Human Rights Access Info Aktion Freiheit statt Angst Homo Digitalis Electronic Privacy Information Center (EPIC) Iuridicum Remedium (IuRe) La Quadrature du Net Associação D3 – Defesa dos Direitos Digitais IT-Political Association of Denmark (IT-Pol) Panoptykon Foundation Open Rights Group (ORG) Electronic Frontier Finland (Effi ry) Državljan D Deutsche Vereinigung für Datenschutz e. V. (DVD) //datenschutzraum Föreningen för Digitala Fri- och Rättigheter (:DFRI) AK Vorrat