Export Compliance Daily is a Warren News publication.
‘Turning of the Tide’

Untargeted Communications Traffic Data Retention Held Unacceptable in Democracies

Europe’s phone and Internet data traffic storage law is invalid, the European Court of Justice ruled Tuesday. To the joy of digital rights and privacy activists, the European Data Protection Supervisor (EDPS) and others, the court said the data retention directive (CD Dec 13 p25) “entails a wide-ranging and particularly serious interference” with fundamental rights, without the interference being “precisely circumscribed” to ensure that it’s limited to what’s strictly necessary. The judgment “finds that untargeted monitoring of the entire population is unacceptable in a democratic society,” said Digital Rights Ireland (DRI), one of the law’s challengers. The big question now is what happens to national laws based on the directive, some said in interviews.

Sign up for a free preview to unlock the rest of this article

Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.

The directive was enacted to harmonize national measures on retaining certain e-communications traffic data in the fight against serious crime and terrorism, the ECJ said (http://bit.ly/1oJBMsN). It doesn’t allow retention of the content of phone and Internet communications. Ireland’s High Court and the Constitutional Court of Austria asked the EU high court to determine whether the legislation adequately protects the rights to respect for private life and personal data protection under the Charter of Fundamental Rights of the EU, the court said.

The traffic data e-communications providers must hold makes it possible to know who a subscriber has communicated with and by what means; the time of the communication and the place from which it took place; and the frequency of communications of the subscriber in a given period, the court said. That data together could provide very precise information about the private lives of those whose traffic information is kept, it said. By requiring the retention of the data and letting relevant national authorities access it, the directive seriously interferes with fundamental privacy rights, it said. “That data are retained and subsequently used without the subscriber ... being informed is likely to generate in the minds of the persons concerned the feeling that their private lives are the subject of constant surveillance."

Data retention per se doesn’t violate privacy and personal data protection rights, and such storage genuinely satisfies the general interest goal of public security, the ECJ said. It said the directive goes too far by not limiting the data collection and storage to what’s strictly necessary. It covers generally all people who use e-communications, and fails to set any objective criteria to ensure that national authorities accessing the data can only use them for preventing, detecting or prosecuting offenses that are sufficiently serious enough to justify such an interference with rights, the court said. The directive allows data to be held for six months to two years, but doesn’t explain how to determine the period, said the court. Nor does the measure provide enough safeguards to ensure the data is protected against risk of abuse and unlawful access, or that it’s kept within the EU, it said.

'Clarity’ Provided

The judgment “brings clarity and confirms the critical conclusions in terms of proportionality” of the EC’s 2011 evaluation report on the working of the directive, said Home Affairs Commissioner Cecilia Malmström. The commission will assess the verdict and “take its work forward” as it revises the e-privacy directive and negotiates changes to the data protection rules, she said. It’s “urgent” that EU governments finish work on the data protection regulation already approved by the European Parliament, said Civil Liberties, Justice and Home Affairs Committee Chairman Juan Fernando López Aguilar.

This is a landmark ruling, said the EDPS. Retention of e-communications data to combat crime “should always be precisely defined and clearly limited,” it said. The EC should now reflect on the need for a new directive that will prevent EU members from imposing the same obligations nationally as required by the invalid directive, it said. The ruling also means the EU “should take a firm position” in talks with non-EU nations, particularly the U.S., on access to and use of Europeans’ communications data, the office said.

"This is the first assessment of mass surveillance by a supreme court since the [Edward] Snowden revelations” of NSA spying, said DRI Chairman TJ McIntyre. It will set the tone for how privacy and data protection issues will be handled across the EU, he said. The ruling “is an invitation for everyone to continue to fight against surveillance by all appropriate means, be they technical, political or legal,” said Félix Tréguer, co-founder of French citizens’ advocacy group La Quadrature du Net.

The ECJ opinion “demolishes communications data surveillance laws not just across Europe, but sets the precedent for the world,” said Privacy International. If the data retention directive fails to meet human rights law requirements, then the mass surveillance programs operated by the U.S. and U.K. governments “must be equally in conflict with the right to privacy,” PI said. German ISP association ECO welcomed the decision. It “confirms the disproportionality, often commented on by us, of such data retention without cause,” said ECO Director-Policy and Law Oliver Süme.

The data retention issue “will remain live” in all countries that have enacted domestic law to implement the directive, DRI said. National legislation will only have to be amended with regard to the aspects that run afoul of the decision, the EC said. That the law has been invalided doesn’t stop EU governments from requiring data storage under the e-privacy directive, it said.

Neither the European Community treaties nor ECJ precedent gives clear guidance on what happens now, wrote consultant Innocenzo Genna, who advises non-incumbent telecom and Internet providers, on his blog (http://bit.ly/1g1ppCf). EU members now seem to have two options, he said: Either scrap their entire national data retention legislation or modify it to meet the court’s proportionality concern. In the meantime, he said, if an operator claims the national data retention law can’t be applied against it, it may have a good case.