Huge EU Win: Data Retention Directive Declared Invalid

This is getting worrying. Last week, we had two big wins: the European Parliament voted in favour of both net neutrality and open clinical trial data. I expected the latter, but was worried the former might be watered down. In the event, a surprisingly strong version was passed. We’re not there yet: the final version is not yet fixed, and could still be sabotaged, but the huge majority for the current text will make it hard and dangerous from a democratic viewpoint to do that.

Against that background, I hardly dared to hope that an arguably bigger decision would go in our favour, but that is exactly what has just happened. The Court of Justice of the European Union, the EU’s highest court, has just ruled blanket data retention illegal [.pdf]:

The Court of Justice declares the Data Retention Directive to be invalid

It entails a wide-ranging and particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data, without that interference being limited to what is strictly necessary.

In doing so, it went even further than the Court’s Advocate General, whose provisional opinion was released at the end of last year, which is pretty astonishing, and important. That’s because the Court’s far stronger condemnation will make it much harder for the EU and member states to get around this ban. Here’s the detailed logic the court used in arriving at its verdict:

The Court observes first of all that the data to be retained make it possible, in particular, (1) to know the identity of the person with whom a subscriber or registered user has communicated and by what means, (2) to identify the time of the communication as well as the place from which that communication took place and (3) to know the frequency of the communications of the subscriber or registered user with certain persons during a given period. Those data, taken as a whole, may provide very precise information on the private lives of the persons whose data are retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, activities carried out, social relationships and the social environments frequented.

The Court takes the view that, by requiring the retention of those data and by allowing the competent national authorities to access those data, the directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data. Furthermore, the fact that data are retained and subsequently used without the subscriber or registered user being informed is likely to generate in the persons concerned a feeling that their private lives are the subject of constant surveillance.

As you will note, the court is essentially talking about metadata here, and noting unequivocally that it pins down just about every aspect of our daily lives. And that last comment about “a feeling that their private lives are the subject of constant surveillance” naturally has a vastly greater resonance in the wake of Snowden’s leaks revealing that this is precisely what is going on thanks to the NSA and GCHQ spying on us.

Of course, governments around the world justify such blanket surveillance on the grounds that it’s necessary to “protect” us. The ECJ naturally considered this line of argument:

It states that the retention of data required by the directive is not such as to adversely affect the essence of the fundamental rights to respect for private life and to the protection of personal data. The directive does not permit the acquisition of knowledge of the content of the electronic communications as such and provides that service or network providers must respect certain principles of data protection and data security.

Furthermore, the retention of data for the purpose of their possible transmission to the competent national authorities genuinely satisfies an objective of general interest, namely the fight against serious crime and, ultimately, public security.

However, the Court is of the opinion that, by adopting the Data Retention Directive, the EU legislature has exceeded the limits imposed by compliance with the principle of proportionality.

So here the Court states that data retention is not in itself problematic, but that blanket retention, as here, fails the test of proportionality: that invoking “terrorism” or “national security” does not trump the rights of individuals. This is another hugely important point, because it’s basically what most reasonable commentators have been saying about the use of surveillance to combat crime and terrorism: it’s fine to deploy it, but only if it is strictly necessary and proportionate. Again, blanket retention of most of the Internet’s metadata (and much of its content) is clearly not proportionate in any sense.

Usefully, the ECJ then goes on to consider this issue of proportionality in some detail:

Although the retention of data required by the directive may be considered to be appropriate for attaining the objective pursued by it, the wide-ranging and particularly serious interference of the directive with the fundamental rights at issue is not sufficiently circumscribed to ensure that that interference is actually limited to what is strictly necessary.

Here’s why:

Firstly, the directive covers, in a generalised manner, all individuals, all means of electronic communication and all traffic data without any differentiation, limitation or exception being made in the light of the objective of fighting against serious crime.

That’s a direct attack on the "collect it all" mentality that underlies the NSA’s activities.

Secondly, the directive fails to lay down any objective criterion which would ensure that the competent national authorities have access to the data and can use them only for the purposes of prevention, detection or criminal prosecutions concerning offences that, in view of the extent and seriousness of the interference with the fundamental rights in question, may be considered to be sufficiently serious to justify such an interference.

Again, that’s trying to tie any use of this data to strictly proportionate and well-defined cases.

Thirdly, so far as concerns the data retention period, the directive imposes a period of at least six months, without making any distinction between the categories of data on the basis of the persons concerned or the possible usefulness of the data in relation to the objective pursued.

This is interesting: the Court is suggesting that the retention period ought to vary according to the people involved and the usefulness of data for the specific situation.

The Court also finds that the directive does not provide for sufficient safeguards to ensure effective protection of the data against the risk of abuse and against any unlawful access and use of the data.

This is also very interesting, since it touches on an issue many of us have raised – the potential for abuse – but which governments have consistently ignored. The ECJ ruling makes it impossible to do that in the future. Finally, we have a nice little parting gift:

Lastly, the Court states that the directive does not require that the data be retained within the EU. Therefore, the directive does not fully ensure the control of compliance with the requirements of protection and security by an independent authority, as is, however, explicitly required by the Charter. Such a control, carried out on the basis of EU law, is an essential component of the protection of individuals with regard to the processing of personal data.

What’s really significant about that is not just that it criticises the fact that data might leave the EU, but that it implicitly criticises the protection offered to data elsewhere. That’s a very interesting comment in the light of the current efforts to bring in meaningful data protection laws in the EU – and to enforce them in places like the US, which currently ride roughshod over users' rights in this sphere.

As the above makes clear, this is a massively important ruling. It not only says that the EU’s Data Retention Directive is illegal, but that it always was from the moment it was passed. It criticises it on multiple grounds that will make it much harder to frame a replacement. That probably won’t be impossible, but it will be circumscribed in all sorts of good ways that will help to remove some of its worst elements.

And lastly, it will clearly have a massive effect on GCHQ. Practically everything that the Court’s ruling describes applies to GCHQ’s blanket retention of European citizens' data. That is unequivocally illegal in the light of the ECJ’s comments, which will put even greater pressure on the UK government to begin a conversation with both UK and EU citizens about what it is up to here. It will doubtless resist until the last, but the clear-cut ruling against disproportionate data retention in Europe means that the ground is shifting under the UK government’s feet, and that henceforth it will find itself on even shakier ground.

One other comment is worth making here. This big win for Europeans and their rights is largely thanks to the efforts of TJ McIntyre and Digital Rights Ireland, as well as work by the Austrian digital rights group AKVorrat. It’s a timely reminder that a few dedicated people working tirelessly can make a huge difference despite the odds and the powerful forces ranged against them. That’s really important to remember in the days and the fights that lie ahead of us.

