More strikes against generalized and indiscriminate data retention in the EU: The bloc’s top court today issued a number of rulings on related cases – one related to a German telecoms data retention law that has been challenged by Deutsche Telekom and ISP SpaceNet ; and another failure in the French state’s blanket retention of telecoms data, which was challenged after it was used by a financial services regulator in an insider trading case.
“The Court confirms that EU law precludes the general and indiscriminate storage of traffic and location data, except in the case of a serious threat to national security,” writes the Court in a press release on its judgment on the German case referral — noting that the national law on data retention seriously interferes with the fundamental rights of individuals whose data is retained and confirms its previous case law.
“The general and arbitrary storage of traffic data by operators providing electronic communications services for one year from the date on which they were recorded is not permissible as a preventive measure to combat market abuse offences, including insider dealing,” the ECJ writes in a second press release on the French transfer.
His judgment there also confirms existing case law, which essentially means that EU member states cannot (or, well, should not) use creative workarounds to avoid (trying to) a declaration by the ECJ that a national law is a general and indiscriminate storage of telecommunications data required Data is invalid under EU law.
We’ve been here many times so the déjà vu is real. But also the appetite of EU member states to collect and store data for broader “crime-fighting” purposes, even though indiscriminate mass collection has been shown to be incompatible with core EU human rights laws. And so the legal challenges and ECJ judgments flow on.
Why national courts keep sending questions to the ECJ when there is extensive case law on the incompatibility of general and indiscriminate data retention with EU law is questionable – but the underlying strategy (of the member states) resembles a war of attrition, in which national legislators each taking the CJEU’s crackdown as an opportunity to regroup and redouble their efforts with a new battering ram-style mass collection law, hoping to exploit cracks in the legal shield against general retention.
And these cracks can widen.
Earlier this year, the ECJ tightened its guidance on targeted exceptions – when it said it might be permissible to collect digital evidence in bulk to tackle serious crime, e.g. (e.g. airports) or other locations that house critical infrastructures.
Today’s ruling on the German referral reiterates a growing list of exceptions in which the Court has stated that big data retention laws may be permissible – in certain contexts and circumstances (e.g. serious threats to national security) – and at reasonable review (e.g. by a court). — and as long as there is some targeting (e.g. to a specific geographic location) and/or other limitations (e.g. a time period).
This includes an exception for “the retention, generally and indiscriminately, of IP addresses assigned to the source of an Internet connection, for a period limited in time to what is strictly necessary” — which is a fairly generous allowance, considering how much personal data can be traced back to an IP address, and how malleable a timeline can be of absolute necessity, depending on the stated purpose.
The fact that national data retention rules consistently fall short of these limits suggests that a slew of bad faith laws are afoot.
In the CJEU’s decision against the German law, the court objected to the establishment of what the press release describes as “a very wide range of traffic and location data”, retention requirements – for 10 weeks or very specific inferences about the private lives of the individuals whose data are stored, such as everyday habits, permanent or temporary whereabouts, daily or other movements, the activities carried out, the social relationships of these people and the social environments they frequent and make it possible, in particular, to create a profile of these people”.
Digital rights advocates are urging the European Commission not to ignore another ECJ strike against overbearing data retention – after a leaked paper obtained by the German-language blog netzpolitik last year suggested the EU executive was having multiple avenues to pursue ahead in terms of data retention, including possibly , with a new EU data retention law.
The latter would risk being a cynical move to kick the can out onto the street by inviting another round of lengthy ECJ referrals. The last EU data retention directive was brought down by the Court of Justice almost a decade ago – also known as the 2014 Digital Rights Ireland decision – and everything that was proposed by the EU to legislate for broader data retention , which was allowed to a limited extent and in exceptional circumstances, which the ECJ considered possible, would predestine it to fail in the future.
But perhaps the Commission’s repeated attempts to resume data transfers between the EU and the US despite several ECJ strikes since 2015 (see: Safe Harbor, Privacy Shield) provide a template for ignoring the court’s will to data retention.
In a statement following today’s ECJ rulings, German Pirate Party MEP Patrick Breyer is calling on the bloc to chart an alternative course, writing: “Today’s ruling only describes the furthest limits of what is legally possible and should not be taken as a user manual.” . I warn the EU Commission to ignore the ineffectiveness and harmful effects of blanket data retention on society by coming up with a new proposal to put 450 million EU citizens under general suspicion! Instead, we must focus on securing digital traces of suspects quickly and across borders (Quick Freeze).”