20:05 GMT +313 December 2017
Listen Live
    Digital world

    Despite Court Rulings, EU's Unlawful Mass Data Retention Policies Remain

    CC0 / Pixabay
    Military & Intelligence
    Get short URL
    128

    Mass data retention in European Union member states was declared unlawful in 2014 by the Court of Justice of the European Union, and had been so since the policy's adoption in 2006 - and this finding was confirmed in 2016, however the EU and its constituents alike have been reluctant to end the practice.

    The EU has failed to revise or repeal the bloc-binding March 2006 Data Retention Directive — and member states themselves have likewise proved sluggish — despite two unambiguous rulings by the Court of Justice of the European Union (CJEU).

    The Directive obliged member state governments to store citizens' telecommunications data for a minimum of six months, and allowed police and security agencies to request access to details such as IP address and time of use of every email, phone call and text message sent or received.

    It was first subject to review by the Court in 2014, in the case of "Digital Rights Ireland and Seitlinger and others" — judges ruled the Directive contravened the EU Charter, and was invalid as a result.

    This finding was supported in December 2016, in "Watson/Tele2 Sverige AB" — the judges took a strong stance on data protection and privacy, unequivocally stating legislation providing for general and indiscriminate data retention was incompatible with the ePrivacy Directive.

    Specifically, the court found the obligation to retain traffic and location data was unlawful, and as communication metadata can be so specific, it is often no less sensitive than actual content, and therefore represents the same — if not greater — violation of the right to privacy. 

    The ruling directly stated using communications data to profile individuals, revealing details of their private lives such as "everyday habits, permanent or temporary places of residence, daily or other movements, activities, the social relationships and environments frequented by them," was extremely hazardous to citizens' privacy, and rights.

    The court did however suggest targeted retention of data could be authorized if and only if a series of clear safeguards were put in place by the state to ensure such measures were necessary and proportionate.

    Among the safeguards proposed was law enforcement only being able to request data be retained if the request was targeted at users who are suspects of serious crime, such as terrorism, and if it was on the basis of "objective evidence," and for a limited time.

    Inaction or Ignorance?

    For its part, the EU presidency issued guidance on the topic to member states in October — namely, how to circumvent the preclusive court judgments. The note suggested member states justify access to data on the basis of fighting crimes other than terrorism, and crafting legislation replete with rules setting out the circumstances in which mass data retention is permissible.

    If the presidency's recommendations are adopted by member states, they will exacerbate already questionable regulatory regimes in most cases — a September 2017 study by Privacy International found the vast majority of bloc members' rules on data retention did not comply with fundamental human rights, and were "poorly drafted," outdated and lacked clarity.

    The group's investigation specifically compared member states' legislation to the two landmark court judgments, and noted member states are legally obliged to comply with CJEU rulings and must update their national legislation to do so.

    However, as of September 2017, 40 percent of EU countries still had a pre-2014 regime in place, with states including Croatia, France and Portugal yet to repeal or amend their laws as a result of the Digital Rights Ireland case.

    Privacy International said that some national courts had been interpreting Digital Rights Ireland "compatibly with their national legislation," while others — including the Czech Republic — had "recognized the national regimes' flaws but not invalidated them."

    Moreover, most of the countries that had changed their laws only did so in response to challenges brought by human rights NGOs in national courts, rather than as a result of parliaments making proactive changes.

    Some 20 percent of countries that do have new legislation are still not consistent with the most recent ruling, the Tele2 case in 2016, including Bulgaria, Belgium and Italy, with legislation allowing "indiscriminate retention of data in bulk or provide vague and ill-defined regulation on access to that data by relevant authorities."

    In the UK and Sweden, litigation is still underway and no amendments had been made to existing laws — while data retention legislation was still being considered, or on hold, in 30 percent of member states, including Austria and the Netherlands.

    "We are now eight months into the CJEU decision, and the slow pace by which changes are evolving in these jurisdictions is concerning, given how impactful these data retention regimes are on Europeans' fundamental rights and freedoms," Privacy International said at the time.

    Related:

    EU Set to Vote on Controversial PNR Mass Data Collection Law
    US Promises on Mass Data Collection Privacy Thrown Into Doubt
    New EU-US Data Transfer Deal Not Ruling Out US Firms' Mass Info Collection
    EU Chief Says Mass Data Collection Will Not Prevent Terrorism
    Tags:
    mass data retention, data, data retention, surveillance, EU Court of Justice, European Union, Europe
    Community standardsDiscussion
    Comment via FacebookComment via Sputnik
    • Сomment