The EU has failed to revise or repeal the bloc-binding March 2006 Data Retention Directive — and member states themselves have likewise proved sluggish — despite two unambiguous rulings by the Court of Justice of the European Union (CJEU).
The Directive obliged member state governments to store citizens' telecommunications data for a minimum of six months, and allowed police and security agencies to request access to details such as IP address and time of use of every email, phone call and text message sent or received.
This finding was supported in December 2016, in "Watson/Tele2 Sverige AB" — the judges took a strong stance on data protection and privacy, unequivocally stating legislation providing for general and indiscriminate data retention was incompatible with the ePrivacy Directive.
Specifically, the court found the obligation to retain traffic and location data was unlawful, and as communication metadata can be so specific, it is often no less sensitive than actual content, and therefore represents the same — if not greater — violation of the right to privacy.
The ruling directly stated using communications data to profile individuals, revealing details of their private lives such as "everyday habits, permanent or temporary places of residence, daily or other movements, activities, the social relationships and environments frequented by them," was extremely hazardous to citizens' privacy, and rights.
The court did however suggest targeted retention of data could be authorized if and only if a series of clear safeguards were put in place by the state to ensure such measures were necessary and proportionate.
Among the safeguards proposed was law enforcement only being able to request data be retained if the request was targeted at users who are suspects of serious crime, such as terrorism, and if it was on the basis of "objective evidence," and for a limited time.
Inaction or Ignorance?
For its part, the EU presidency issued guidance on the topic to member states in October — namely, how to circumvent the preclusive court judgments. The note suggested member states justify access to data on the basis of fighting crimes other than terrorism, and crafting legislation replete with rules setting out the circumstances in which mass data retention is permissible.
The group's investigation specifically compared member states' legislation to the two landmark court judgments, and noted member states are legally obliged to comply with CJEU rulings and must update their national legislation to do so.
However, as of September 2017, 40 percent of EU countries still had a pre-2014 regime in place, with states including Croatia, France and Portugal yet to repeal or amend their laws as a result of the Digital Rights Ireland case.
Privacy International said that some national courts had been interpreting Digital Rights Ireland "compatibly with their national legislation," while others — including the Czech Republic — had "recognized the national regimes' flaws but not invalidated them."
Moreover, most of the countries that had changed their laws only did so in response to challenges brought by human rights NGOs in national courts, rather than as a result of parliaments making proactive changes.
Some 20 percent of countries that do have new legislation are still not consistent with the most recent ruling, the Tele2 case in 2016, including Bulgaria, Belgium and Italy, with legislation allowing "indiscriminate retention of data in bulk or provide vague and ill-defined regulation on access to that data by relevant authorities."
In the UK and Sweden, litigation is still underway and no amendments had been made to existing laws — while data retention legislation was still being considered, or on hold, in 30 percent of member states, including Austria and the Netherlands.
"We are now eight months into the CJEU decision, and the slow pace by which changes are evolving in these jurisdictions is concerning, given how impactful these data retention regimes are on Europeans' fundamental rights and freedoms," Privacy International said at the time.
