Last week (12/12/2013), a serious blow was dealt to one of the fundamental building blocks establishing the legal framework for retention of data for law enforcement across Europe. Advocate General Pedro Cruz Villalón (AG) at the Court of Justice of the European Union (ECJ) delivered an opinion stating that the Data Retention Directive (DRD) is, as a whole, incompatible with the individual’s right to privacy in the Charter of Fundamental Rights of the European Union. The opinion has potentially profound implications for law enforcement agencies and for service providers subject to the retention requirements across Europe. The opinion is here.
Today’s post is courtesy of guest blogger @matthew1hunter.
The DRD requires Member States to implement laws requiring telephone or electronic communications service providers to collect and retain traffic data, location data and the related data necessary to identify the subscriber or user of the services “in order to ensure that the data is available for the purposes of the investigation, detection and prosecution of serious crime” (Article 1(1) of the DRD). Providers are not required to collect and retain content data i.e. the data communicated itself by subscribers or users of the services. Members States are required to ensure that the data is held for periods of not less than six months and not more than two years from the date of the communication. Only competent national authorities are to be permitted access to the data. For more information about data retention requirements, go here.
Key takeaway for service providers
Service providers should watch this space and keep their own compliance programmes under review. For service providers wrestling with retention requirements, the opinion means that doubt will remain about the correct way to build a compliance programme. If the ECJ agrees with the AG, new legislation would need to be developed though the practical impact on service providers with respect to the types of data to be collected and any reduction in retention periods is unclear.
What did the AG say?
– The AG considers that the purposes of the DRD are legitimate.
– However, the AG is concerned that the retained data will include a lot of information about an individual’s private life and identity. There is a risk that the data may be used for unlawful purposes. The risk may be greater because the data is not retained or controlled by the competent national authorities but by the providers and the providers do not have to retain the data within the relevant Member States.
– The AG said that the DRD does not provide minimum guarantees for access to the data and its use by the competent national authorities. (i) A more precise definition of “serious crime” would help to define when competent authorities are able to access the data. (ii) Access should be limited to judicial authorities or independent authorities. Any other access requests should be subject to review by judicial authorities or independent authorities so that access is limited to only the data that is strictly necessary. (iii) Member States should be allowed to prevent access to data in certain circumstances e.g. to protect individuals’ medical confidentiality. (iv) Authorities should be required to delete the data once used for the relevant purposes. (v) Authorities should be required to notify individuals of the access, at least after the event when there is no risk that the purpose for accessing the data would be compromised.
– Finally, the AG said that he could not find sufficient justification for not limiting the data retention period to one year or less.
What does this all mean?
– For now the existing requirements remain but may be subject to review. The AG’s opinion is not binding on the ECJ or indeed on any Member State. Nevertheless, the opinion carries weight and in many cases the ECJ has gone on to follow opinions delivered by the AG. The Judges of the ECJ are still deliberating and judgment will be given at a later date.
– The AG also proposed that the effects of stating that the DRD is invalid should be postponed so, even if the ECJ agrees with the AG, the ECJ could allow the EU legislature a reasonable period to adopt remedying measures, so that the DRD is no longer incompatible with the Charter of Fundamental Rights.
Readers will recall from the curious case of Mr Spitz that European telecoms operators already retain very large amounts of information about their customers. In an evaluation report adopted today by the European Commission, the Commission proposes to review the existing rules.
The Commission summarise the main findings of the report as:
- Most Member States take the view that EU rules on data retention remain necessary for law enforcement, the protection of victims and the criminal justice systems. As criminal investigation tools, the use of data related to telephone numbers, IP address or mobile phone identifiers have resulted in convictions of offenders and acquittals of innocent persons.
- Member States differ in how they apply data retention. For example, retention periods vary between 6 months and 2 years, the purposes for which data may be accessed and used, and the legal procedures for accessing the data, vary considerably.
- Given that the Directive only seeks to partially harmonise national rules, it is not surprising that common approach has not emerged in this area. The overall low level of harmonisation can however create difficulties for telecommunication service providers and in particular smaller operators. Operators are reimbursed differently across the EU for the cost of retaining and giving access to data. The Commission will consider ways of providing more consistent reimbursement of the costs.
- Data retention represents a significant limitation on the right to privacy. Whilst there are no concrete examples of serious breaches of privacy, the risk of data security breaches will remain unless further safeguards are put in place. The Commission will therefore consider more stringent regulation of storage, access to and use of the retained data.
The Commission will now commence a consultation with stakeholders prior to publishing its proposed amendments to the existing Data Protection Directive.
This area is very sensitive politically, as it draws one of the lines between the interest of the state and the interests of citizens. As such some countries have delayed implementation of existing rules and in others their legality has been subject to challenge. It remains to be seen how the Commission will seek to meaningfully engage on those issues which are not really addressed to a substantive extent in the report.
There has been some coverage recently of the case of Mr Spitz. Malte Spitz is a German green party politician and privacy advocate. He went to court to obtain details of the location information stored by his mobile phone provider and discovered that over a six month period that they had stored over 35,000 items of geographic information. He was concerned enough to ask a newspaper to help him map the data – you can see the results here.
For those familiar with the amount and type of information stored by mobile networks it is not perhaps surprising, but it graphically demonstrates the amount of information stored.
What has not been picked up widely in the reports is that the requirement to store this type of information exists across Europe as a result of the implementation of the Data Retention Directive, which was in the wake of 9/11 to address national security concerns. Whilst the Directive gives Members States some latitude on its implementation, article 5 (f) requires the retention of:
‘…data necessary to identify the location of mobile communication equipment:
(1) the location label (Cell ID) at the start of the communication; and
(2) data identifying the geographic location of cells by reference to their location labels (Cell ID) during the period for which communications data are retained.’
Details of how this requirement has been implemented in the UK can be found here.