On 15 September 2017, the EU Counter-Terrorism Coordinator (EU CTC) submitted a new data retention proposal to Member States. The proposal was discussed at a meeting of the Working Party on Information Exchange and Data Protection (DAPIX) Friends of the Presidency (FoP) on 18 September 2017. A partial report of the discussions at the DAPIX FoP meeting can be found in Council document 13845/17.
The judgement of 21 December 2016 by the Court of Justice of the European Union (CJEU) in the Tele2 case (joined cases C-203/15 and C-698/15) concerned the national data retention laws that are still in place after the annulment of the Data Retention Directive in 2014. The EU CTC notes that data retention cannot be “general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication” since this would violate paragraph 134 of the Tele2 judgement. In the Tele2 judgement (paragraphs 108-111), the CJEU outlines a targeted data retention regime which does not include every subscriber.
The EU CTC, considering input received from Member States, makes it clear that he is not at all interested in targeted data retention. Instead, the EU CTC proposes the concept of “restricted data retention” on the basis that it is necessary to fight terrorism and serious crime, including cyber attacks. This measure has to be limited to the strictly necessary and be based on objective evidence. However, according to the EU CTC, the measure can cover the entire population, even though this is quite obviously blanket data retention.
The justification for this is claimed to be paragraph 106 of Tele2, which states that data retention must be restricted to (i) particular time periods and/or geographical areas and/or a group of persons likely to be involved, in one way or another, in a serious crime or (ii) persons who could, for other reasons, contribute, through their data being retained, to fighting crime. In essence, the EU CTC argues that the entire population, perhaps with an opt-out for persons bound by a legal obligation of professional secrecy (such as lawyers, journalists and doctors), could fall under the second category, “persons who could, for other reasons, contribute, through their data being retained, to fighting crime”.
While deliberately covering the entire population, the EU CTC emphasises that other aspects of the data retention measure must be limited to what is absolutely necessary. What this means is not clear from the proposal, but it could include some differentiation with respect to categories of data and service providers. Minor operators, such as WiFi access points at pizza restaurants, could be excluded since that data “may potentially not be indispensable for retention”, as the EU CTC carefully notes. As far as the purpose limitation is concerned, there is nothing novel about the reinvention of restricted data retention. The annulled Data Retention Directive also limited data retention to the purpose of investigation, detection and prosecution of serious crime.
The critical aspect of restricted data retention is obviously that the entire population is covered. The EU CTC argues that this can meet the necessity test. However, the CJEU has ruled twice that a data retention measure which covers all subscribers exceeds the limits of what is strictly necessary. Referring to the entire population as “persons who could, for other reasons, contribute, through their data being retained, to fighting crime” clearly fails to satisfy the requirement of objective criteria that establish a connection between the personal data to be retained and the objective pursued. The CJEU has referred to this principle several times, most recently in paragraph 191 of opinion 1/15 on the EU-Canada PNR agreement. Moreover, paragraph 110 of the Tele2 judgment specifically says that “conditions must be shown to be such as actually to circumscribe, in practice, the extent of that measure and, thus, the public affected.”
The DAPIX FoP meeting report mentions that, while the CJEU rules out general data retention, it “does not solely permits” (sic) targeted data retention (which appears to mean that data retention that is not forbidden by the ruling may be permitted). Therefore, there are other legally possible regimes for non-general data retention. This is undoubtedly true, but largely irrelevant. Since the proposed unrestricted yet “restricted” data retention covers the entire population, it cannot possibly be classified as non-general data retention. The DAPIX FoP report refers to the proposed concept as “restricted data retention and targeted access”, but the Tele2 judgment makes it very clear that safeguards and limitations at the access stage are not sufficient and cannot justify blanket (general) data retention.
The proposal from the EU CTC contains some general comments about the data categories (communication services) to be retained. It is claimed that approaches in some Member States show that a number of data categories are indeed not necessary (and, by implication, illegal).
The new focus on cyber attacks, where data retention is claimed to be key for attribution and investigation, could easily lead to more retention of internet traffic data in particular, perhaps even internet connection records as in the UK Investigatory Powers Act (information about every internet packet, including all destination IP addresses). Moreover, Europol has recently complained about the unavailability of data from internet service providers that use Carrier Grade network address translation (CG-NAT) since a large number of subscribers may share the same IP address. Data retention requirements to address the technical limitations caused by CG-NAT would, in most cases, substantially increase the amount of data collected. The DAPIX FoP report describes a matrix with categories of data to be retained, for example content data, traffic data, location data, and subscribers’ data. Except for content data (where generalised data retention would, incidentally, not respect the essence of the fundamental rights), this is simply the list of data categories in the annulled Data Retention Directive and the current data retention laws in Member States. In summary, the proposal of the EU CTC could easily lead to more data being retained per subscriber, despite the claim that a “peeling off” approach is taken to limit the data categories.
Data retained for business purposes, such as billing data, will be complementary to the data covered by the mandatory data retention regime. The EU CTC foresees that the new mandatory data retention regime will also cover over-the-top (OTT) service providers like Google and Facebook, and it is noted in the proposal that OTT operators collect much more data for business purposes than traditional telecommunications operators. In this connection, the EU CTC fails to mention (or, possibly, understand) that the proposed e-Privacy Regulation seeks to create a level playing field by subjecting all electronic communications service providers, whether OTT or telecommunications providers, to the same privacy rules.
The proposal from the EU CTC respects the strict access conditions set out in the second part of the Tele2 ruling. Access to retained data must be solely for the purpose of fighting terrorism and serious crime and must be subject to a prior court review. With the exception of terrorism cases, access can only be granted to data of individuals suspected of involvement in serious crime (Tele2 paragraph 119). The EU CTC also mentions pseudonymisation and encryption, and that this could facilitate searches of the retained encrypted data with decryption only on the basis of a warrant. The purpose of this is not entirely clear, since the retained data, as a general rule, can only be accessed with a prior court review for a specific person. It could perhaps mean that searches of encrypted or pseudonymised data are not intended to count as access to the retained data, and that such searches can be used to find persons of interest who can then, under certain substantive conditions, be depseudonymised subject to a court review. If data on specific persons could only be accessed after a prior court review, there would not really be a need for encrypted searches. Encryption is, of course, a useful security measure for the stored data, but that is an entirely different issue.
In the final part of the proposal, the EU CTC considers the role of the draft e-Privacy Regulation in relation to restricted data retention. The EU CTC notes that the Tele2 judgment is stricter than the annulment of the Data Retention Directive since Article 15(1) of the e-Privacy Directive makes data retention an exception to the main rule of erasure once the communication is completed. The EU CTC hypothesises that the draft e-Privacy Regulation could be amended to make blanket data retention easier. According to the EU CTC, consideration should be given to allowing storage of communications data in Article 7 of the draft e-Privacy Regulation if legally required to assist governments to fight serious crime and terrorism. However, a provision of this type would still be a restriction on the fundamental rights to privacy and data protection of subscribers, and the restriction would have to satisfy the conditions of Article 52(1) of the Charter of Fundamental Rights. This would not necessarily be different from the current situation with Article 15(1) of the e-Privacy Directive or Article 11 of the draft e-Privacy Regulation.
Working document on contributions to the discussion on data retention, EU Counter-Terrorism Coordinator, WK 9699/2017 INIT, LIMITE (15.09.2017)
Retention of communication data for the purpose of prevention and prosecution of crime, Council document 13845/17, LIMITE (30.10.2017)
Carrier-Grade Network Address Translation (CGN) and the Going Dark Problem, Council document 5127/17, LIMITE (16.01.2017)
(Contribution by Jesper Lund, EDRi member IT-Pol, Denmark)