An EU law requiring telecom companies to store their customers’ metadata for up to two years has been ruled “invalid” by the EU Court of Justice.
BRUSSELS — The Court of Justice of the European Union concluded last month that the EU law forcing telecommunication companies to retain customer data for up to two years is illegal.
In a press release issued after the ruling in April, the European judges said the Data Retention Directive “interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data,” and as such, the court considers the directive “invalid.”
The Data Retention Directive requires Internet service providers and telephone companies to store metadata — the details of digital communications, including the phone numbers of both a caller and a recipient, the date and duration of a call, the location where a call was placed, as well as email addresses, but not the actual content of a conversation — for a period of up to two years. This storage, according to the law, allows “for the prevention, investigation, detection, and prosecution of criminal offences [sic],” particularly organized crime and terrorism.
“Those data, taken as a whole, may allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them,” the judges wrote in their ruling.
Furthermore, because the data is retained and subsequently used without the subscriber’s knowledge or consent, it is likely to generate “a feeling that their private lives are the subject of constant surveillance,” they added.
In the aftermath of the Sept. 11, 2001 attacks in the United States, a long debate ensued in Europe about the importance of hoarding telecom data to fight terrorism and organized crime. After terrorist attacks in Madrid in 2004 and in London in 2005, the EU adopted the Data Retention Directive in 2006.
In Europe, privacy has always been considered a fundamental right of citizens. It is enshrined in the EU Charter of Fundamental Rights, and Article 8 of the European Convention on Human Rights guarantees every individual the right to respect for “his private and family life, his home and his correspondence,” subject only to narrow exceptions where government action is imperative.
In recent years though, the EU — largely due to pressure from the U.S. — has been adopting increasingly restrictive laws regarding its citizens’ rights to privacy. Ahead of an important vote on personal data protection in the European Parliament in March, U.S. National Security Agency whistleblower Edward Snowden issued a 12-page statement to members of the European Parliament. Writing from Russia, where Snowden has found temporary asylum, he revealed that the U.S. had successfully pressed EU governments to weaken laws protecting their communications systems, allowing American agencies to tap into data on EU citizens with impunity.
Snowden’s May 2013 revelations on the NSA’s sprawling surveillance and data collection activities put privacy rights back on the agenda. In its ruling, the European Court of Justice criticized the fact that the Data Retention Directive does not require that the data collected be retained within the EU, thereby opening the door to security breaches from outside the bloc — read, the U.S.
Thousands of applicants in Austria
The case against the Data Retention Directive arose after Digital Rights Ireland launched a court action against the Irish state in 2006 that questioned the legality of the Irish data retention legislation, which was transposed from the EU directive. In 2012, the High Court of Ireland referred the case to the European Court of Justice, asking for an opinion on the validity of the directive. The case was later coupled with an Austrian case in which a similar law was contested by 11,128 private applicants.
Digital Rights Ireland welcomed the European Court of Justice’s decision to declare the directive “invalid” in April. The organization’s chairman, TJ McIntyre, said in a press release, “This is the first assessment of mass surveillance by a supreme court since the Snowden revelations. The [European Court of Justice’s] judgement finds that untargeted monitoring of the entire population is unacceptable in a democratic society.”
“After eight years, this affront to the fundamental rights of European citizens has finally been declared illegal. Eight years of abuses of personal data and eight years of reassurances from EU Member States and the Commission that the measure was legal,” Joe McNamee, executive director of European Digital Rights, said of the court’s decision.
The European Court of Justice did not contest the principle of data retention in and of itself, though. In its ruling, while saying it considered the requirements of the legislation “excessive,” it recognized that such measures can “genuinely [satisfy] an objective of general interest.”
The court explained, “It is apparent from the case-law of the Court that the fight against international terrorism in order to maintain international peace and security constitutes an objective of general interest … The same is true of the fight against serious crime in order to ensure public security … Furthermore, it should be noted, in this respect, that Article 6 of the Charter lays down the right of any person not only to liberty, but also to security.”
Despite the court’s annulment of the Data Retention Directive, individual EU member states may keep the measures in place if they choose. Those that do, however, are likely to face a flood of legal challenges. Following the European court’s ruling, Digital Rights Ireland’s case against the state’s legislation will now be allowed to proceed.
In Belgium, the opposition Green Party has called on the government to repeal the law on telecommunication data. In Germany, where privacy is an issue of great political sensitivity, the EU directive has never even been implemented.
In Finland, Krista Kiuru, the minister of education, science and communications, commented that “naturally, we must clean out the paragraphs enacted due to the directive. We will gladly adhere to this decision.”
On the EU level, member states will have to decide whether they want to amend the legislation or adopt new legislation altogether. It is highly unlikely that any member state will leave the issue unaddressed — a new or amended EU law is likely to focus on striking a better balance between the right to privacy and data protection and national security. This could mean reduced retention periods and tighter restrictions on government and third-party access to data.
Adopting a new law could take years, though, and would require the approval of national governments and the European Parliament. Since the Snowden revelations, the European Parliament has tightened its position considerably in this regard and clearly feels that this is an issue in which it can play a defining role in defending public interests.
MEPs for data protection
In March, MEPs voted overwhelmingly to adopt data protection reform, as drafted by the German Green MEP Jan Philipp Albrecht. The new regulation tightens the EU’s existing data protection rules and calls for strict safeguards to protect citizens’ data when it is transferred to non-EU states. MEPs in the next European Parliament — which will be formed after the May 25 elections — will have a solid position to work from.
Albrecht, an MEP who is active on the privacy front, called the European court’s ruling a “major victory for civil rights in Europe,” adding that the “blanket, unjustified collection and retention of telecommunications data in the EU must now stop.” He also criticized the German government and the European Commission for continuing to “advocate in favor of data retention and other types of unfounded, unjustified blanket surveillance, for example through the air passenger data system.”
Albrecht has also submitted clear parliamentary questions on this issue to the European Commission. He asked whether the EU institution would now submit a proposal to terminate the agreement on the transfer of passenger name records to the U.S. and if it would terminate the agreement on the transfer of SWIFT banking data to U.S. authorities.
In an interview with the Irish Times, the German MEP said he receives many letters from leading civil rights groups in the U.S. and around the world. He said these groups are convinced that Europe is the only one that “can take a stand on digital privacy” and “it’s the only place with such an advanced debate and the only place where governments have the strength to do it.”
Addressing digital privacy in the U.S., however, may not require EU intervention. In March, Washington announced that it was preparing legislation that would end the NSA’s surveillance and data storage that affects millions of U.S. citizens. The government could still access much of this information via a court order, though, especially to obtain information related to terrorism.