On the 8th of April, the EU Data Retention Directive (Directive 2006/24/EC) was declared invalid by a ruling of the European Court of Justice. This ruling is a major victory for privacy campaigners, such as Privacy International, who have argued for many years that the kind of indiscriminate mass surveillance of all the people of the EU, sanctioned by this Directive, violates the rights to privacy and data protection enshrined in the European Charter of Fundamental Rights (Art 7 and 8).
The ruling was strong and unequivocal: the right to privacy provides a fundamental barrier between a person and powerful institutions, and laws allowing for indiscriminate retention on a mass scale are completely unacceptable. It is right and overdue that this terrible directive was struck down.
About the Directive
This data retention Directive, when transposed into national laws of EU member countries, forces internet service providers and phone companies to store ‘traffic and location data’: information on who contacts whom, when, how often, and from which locations, for between six months and two years – and for every person in the European Union. The purpose is to allow government agencies to access and use it to prevent ‘serious crime’. This kind of information, called ‘metadata’, gives very revealing information about our private lives, our daily activities, our friendships and lifestyle.
According to statistics published by the European Commission, the number of requests for such data from government agencies is steadily increasing: about 1.56 million in 2008 in 17 countries that have declared figures, and 2.66 million in 2012 in 12 countries. The UK alone used the measures to access people’s data 724,751 times in 2012; Italy has not provided any figures.
The majority of EU countries have transposed this Directive into national legislation – with the exception of Germany and Belgium, which considered it unconstitutional.
The European Court’s decision
The Court finds, not surprisingly, that the Directive does interfere with two fundamental rights, of privacy and data protection; on examining further whether such interference could be justified, it finds that it cannot, because it infringes the principle of proportionality for three reasons:
- It has no limits and in effect amounts to mass surveillance, as it covers all people, all means of communications and all traffic data.
- It has no objective criteria which national authorities have to observe before accessing the data; there is no purpose limitation, or limits to the numbers of persons who can access such personal information; the definition of ‘serious crime’ is vague and left to national laws.
- It has no sufficient safeguards concerning data retention periods or protection of the information from unlawful access and use.
- It does not require that the data are to be retained within the EU.
So what happens now – life after death?
The Directive is dead, and the decision cannot be appealed against. While the Commission has stated that it is now carefully assessing the verdict and its impacts, there is much speculation as to what happens to the individual national laws that have implemented this Directive, and what the consequences are for service providers that have been keeping our data for many months and years.
As the court decision applies to the Directive, in theory EU Member States are free to keep their national measures in place, but they will be open to a flood of legal challenges since they are also subject to the EU Charter and human rights legislation. This is the case in Italy, where the data retention directive has been implemented through an amendment to the Privacy Code effective as of August 22, 2009 (section 132). This clause will continue to be in force unless a new law is passed to abolish it, but legal actions may be launched in the Italian courts to avoid such data retention by providers.
The communications industry is still digesting the consequences, though a couple of companies in Sweden have already deleted the data they kept. In some countries, such as the UK, companies have received money from the government as compensation for costs incurred for data retention obligations, so they may still have an economic incentive for retaining their customers’ data.
In conclusion
The European Court of Justice confirms what privacy advocates have known for a long time: that it is not, and never was, proportionate to spy on the entire population of Europe. The Court states that mass collection of metadata is an interference with the right to privacy, and access to this data cannot be justified under vague references to combating serious crimes or terrorism. If access to this sensitive data is granted, such access must be subject to prior review which should be carried out by a court or independent body. The right to privacy must be protected fiercely.
And if the Data Retention Directive fails to meet the requirements of human rights law, then the international mass surveillance programmes revealed by Edward Snowden in the last year and operated by the US, the UK and other European governments must also be in conflict with the right to privacy.
So as policy makers now look to revise communications surveillance laws to protect human rights, they must look to the International Principles on the Application of Human Rights to Communication Surveillance, endorsed by over 400 civil society groups, over 50 experts and academics, and many elected officials and even political parties.
Now is the time to get these 13 Principles into law, and a unique opportunity to put right the wrongs.