It's not the end of the line for data retention

About The Author

Chris Bridges (Executive Editor)

Chris is an IT and Data Protection solicitor at a top 20 full service firm and the founder of Keep Calm Talk Law. He also contributes to Computers and Law and other sector specific publications.


In 2006, the controversial European Data Retention Directive (DRD) was adopted, requiring all Member States to retain meta telecommunications data for a minimum of 6 months and a maximum of 24 months. Meta telecommunications data includes the time, duration and origin of every single email, text and phone call, but does not include the contents of the communication. In essence, it includes only the data required to identify the subscriber or user of a network that sent or received the communication, but not the communication itself. As ‘meta’ suggests, the data is an abstraction of the real communication.

For the majority of people, this would apply to all electronic communications, especially with today’s frequent utilisation of the cloud. For companies still operating entirely private networks for internal communications, these communications would be excluded as the directive applies only to publicly available networks.

The prevention and investigation of crime is the underlying purpose of the Directive. However, on Tuesday 8th April 2014, the Court of Justice of the European Union (CJEU) ruled that the directive is invalid, and has been since the day it was adopted.

The Case

The case was heard on the application of the High Court of Ireland and the Verfassungsgerichtshof (or if like me, you cannot say it, the Austrian Constitutional Court). The CJEU was asked to examine the validity of the DRD in light of the Charter of Fundamental Rights of the European Union (CFREU), in particular the right to respect for private life (Article 7) and the fundamental right to protection of personal data (Article 8).

Whilst the court recognised that the DRD served legitimate aims (the fight against serious crime), it believed it did so disproportionately and therefore could not be valid.

The court felt that there is a “wide-ranging and particularly serious interference… with the fundamental rights at issue”, which is not sufficiently circumscribed “to ensure that that interference is actually limited to what is strictly necessary.”

There were a number of reasons that led to this conclusion, some of which are more obvious than others:

  1. The directive applied to all communications “without any differentiation, limitation or exception being made in the light of the objective of fighting against serious crime”;
  2. The lack of control over access to gathered data. Whilst many Member States require court permission for access to this data, there are no express protections included within the directive, other than that access should be “subject to the relevant provisions of European Union law or public international law, and in particular the European Convention on Human Rights as interpreted by the European Court of Human Rights.” (see Article 4 of the DRD).
  3. The retention period of between 6 months and 24 months is too vague, especially with the absence of guidance on how this should be determined. The court felt there should be guidance to the effect that data should only be kept as long as is strictly necessary. Furthermore, this indeterminate window pays no regard to the usefulness of the data or the categories of person concerned.
  4. The Directive does not protect against the risk of abuse, for instance the unlawful access and use of the data gathered. Furthermore, the Directive indicates that economic considerations are valid for deciding on what protections to put in place, which the court felt should not be a consideration.
  5. Data does not have to be retained within the EU, and is therefore not secure as required by Article 8 CFREU.

The Deeper Problems

Data privacy is a subject that many, if not most, do not care about. If this is you, and whether this be out of ignorance, lack of interest or a well-considered personal opinion, you should not however disregard the decision as unimportant without fully considering the implications of the DRD. As Paul Bernal highlights, people have historically underestimated the importance of privacy, until it is too late.

Of the five reasons above, the problem underlying the first four can be called ‘The Big Brother State’ and the problem underlying the fifth, ‘Geographical Safeguards’. I also believe there is one other issue that is likely to arise out of this decision, a dangerous precedent for intelligence services.

A Big Brother State

I attribute this worry to a much deeper problem than data privacy. If it were not for an inherent mistrust in government and administration, the data retained in line with this directive would be no issue. Whilst I believe government and administration should always be treated with a certain degree of suspicion to ensure accountability, I do think we should be able to trust the state with collecting our data, and using it only for the legitimate purpose of preventing crime.

I find the idea that the state has any interest in spying on individuals without any good reason somewhat absurd within the UK, therefore I have no particular issue with the government storing this data on my communications in principle, considering the crime-prevention justification, although the practical details of the DRD (such as foreign storage) do trouble me.

That said, it cannot be disputed that the DRD provides a strong tool for an aspiring Orwellian Nineteen Eighty-Four style regime, which is a perfectly legitimate concern, even if I doubt it could ever materialise in these green and pleasant lands. The court highlighted in its judgement:

Those data, taken as a whole, may allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them.

Aside from the more likely state interest in these details where criminals are concerned, it does not take a vivid imagination (thanks to the numerous films that have spun off Orwell’s Nineteen Eighty-Four, including The Matrix and Equilibrium to name a couple) to foresee some kind of political dictatorship where a dominant party uses such data to eliminate its opposition. Whilst this may not seem like a concern now, we only have to look to history to find dictatorial regimes that have erupted from nowhere, and to many, it is a matter of precedent. Once one shoot breaks the earth, it is only a matter of time until another finds its way through the loosened soil.

Therefore, whilst I do not see this as a big issue, I cannot in theory dispute suggestions that such laws could infringe our freedom of expression given the correct conditions. I also feel that innocent people should not feel like suspects in every crime, as they do with the knowledge that every communication is being recorded, regardless of whether it is looked at.

Whilst in reality a human will look at very few datasets, every single dataset is likely to be analysed by some sort of algorithm that flags certain things for human attention. This places us all under the magnifying glass.

Geographical Safeguards

This second issue that arose from the DRD is one I find more concerning. Whilst data kept outside of the EU is not necessarily any less secure than it is within the UK, as highlighted in my article ‘Data Privacy: Due Diligence Due?’, that does not always mean this will be the case.

Whilst, for instance, I do not see data being kept in the US as a substantial threat (many do, due to some misconceptions about data security over yonder), I do concede this might not always be the case. This point is all the more potent with the apparent tectonic movements within the European IT sphere in recent months (i.e. the ban on bandwidth throttling, the opening of clinical research databases, and the upcoming major reform of data protection law).

It is clear that data protection within the EU is of utmost importance, and will continue to be for the significant future. Whilst there have been murmurs elsewhere in the world, the EU undoubtedly has some of the strongest data protection law, and for that reason, if data like this is to be collected, on this or a lesser scale, there need to be safeguards to ensure it cannot, and does not, leave Europe. Therefore, any amended DRD needs to ensure there is sufficient protection of data, with particular regard to geographical limitations.

A Dangerous Precedent for Intelligence Services

The CJEU has made its opinion on blanket surveillance well known in Digital Rights Ireland Ltd. v Ireland. Even if for the protection of the state and the prevention of serious crime, blanket surveillance cannot be proportionate. This is a direct affront to schemes such as the USA’s PRISM Program, and the UK’s counterpart Tempora Program, both of which were discussed in brief terms in my article ‘Data Privacy: Due Diligence Due?’.

These programs collect communication data without discrimination, and are therefore likely to be disproportionate in the eyes of the CJEU. Whilst this is of no significance to the USA’s National Security Agency, which is, of course, outside of the EU, GCHQ (the UK’s surveillance body) may have to rein in its program or face a slap on the wrists from Europe.

Further, the issue of geography could raise issues for intelligence sharing. If data cannot be stored outside of the EU, does this also mean EU intelligence agencies cannot share important data with their foreign counterparts, or will this be permitted as a proportionate exception? I suspect that sharing data that is directly linked to an investigation or feasible threat will be permissible to share, but the days of sharing data by the bucket load are surely finished.

The Solution

Whilst many seem to see Tuesday’s decision as a death sentence for data retention law within the EU, I have a different view. The court has provided extremely clear advice that indicates exactly what needs to be fixed in order for such a directive to be valid. It was made absolutely clear within the decision that the aim of prevention of serious crime is in essence legitimate, and it was simply the disproportionate nature of the current legislation that rendered it invalid.

The crux of the ECJ’s judgement centred on what I like to call the Pokémon approach to data surveillance, “Gotta Catch ‘em All!” Instead of allowing and promoting the universal collection of data, which portrays big brother characteristics, a redraft of data retention legislation needs to limit its target. This does not seem like a particularly difficult task, given that the now void DRD allowed for universal data collection. If, for instance, the security services had reason to believe a terrorist attack was likely to occur in a given city, they could limit their collection of data to this city plus a 50-mile radius. This alone would respect privacy far more than the DRD ever did.

Such surveillance is even alluded to within the judgement:

Moreover, whilst seeking to contribute to the fight against serious crime, Directive 2006/24 does not require any relationship between the data whose retention is provided for and a threat to public security and, in particular, it is not restricted to a retention in relation (i) to data pertaining to a particular time period and/or a particular geographical zone and/or to a circle of particular persons likely to be involved, in one way or another, in a serious crime, or (ii) to persons who could, for other reasons, contribute, by the retention of their data, to the prevention, detection or prosecution of serious offences. (Emphasis added).

If, therefore, surveillance was limited to one or more of these criteria, is this a hint that the DRD would not have been declared invalid (note the use of and/or)?

However, these criteria could open a completely different can of worms, particularly any criteria relating to ‘a circle of particular persons’. Dependent on how such a circle was defined, this could be open to allegations of discrimination, something law enforcement is already known for, as highlighted by Francesca in her article on Tuesday.

The point does however stand. With a less blasé attitude, and more tightly defined criteria and guidance, a replacement DRD could quite feasibly be held valid even in light of this judgement. Tighter safeguards on access to data would also need to be put in place for a replacement DRD to be acceptable to the CJEU. Whilst many countries already have safeguards within domestic law, for instance the requirement of judicial permission, an explicit access procedure within the directive would help calm worries of unauthorised and unlawful snooping.

The ‘Geographical Safeguards’ issue could be resolved with even greater ease, and needs no further discussion.

Whilst European data retention law may for now be left at sea, I do not see it being so for long. I suspect an amended Directive will be of high priority to the Commission, and might even be snuck into the upcoming data protection overhaul.

Further Reading

Digital Rights Ireland Ltd. v Ireland (Joined Cases C‑293/12 and C‑594/12)
