An EU law requiring companies to log telecommunications data for law enforcement breaches rights, an advocate-general of Europe’s top court has said. Germany in particular had challenged the Data Retention Directive.
Thursday’s opinion at the European Court of Justice in Luxembourg responds to challenges against the directive in Ireland and Austria. Adopted by the EU in 2006 following attacks on the London tube and trains in Madrid, the Data Retention Directive specifies that firms must save telephone and Internet data – user, recipient and length of calls – for a period of up to two years.
“The directive constitutes a serious interference with the fundamental right of citizens to privacy,” Advocate-General Pedro Cruz Villalon said. “The use of those data may make it possible to create a both faithful and exhaustive map of a large portion of a person’s conduct strictly forming part of his private life, or even a complete and accurate picture of his private identity,” he added.
Cruz Villalon argued that the directive increased the risk that corporations and individuals could use the data for unlawful and possibly fraudulent or malicious purposes – even more so as private communication companies controlled the information rather than public authorities. Cruz Villalon also called the directive invalid because it failed to sufficiently specify the circumstances for data access, storage and use – leaving this for member states to define. In addition, Cruz Villalon called one year a disproportionately long time to hold so much information – let alone two.
Relevance, ‘even urgency’
The advocate-general did recognize the “relevance and even urgency” of data retention measures. Should the court decide to follow his opinion, Cruz Villalon suggested that it grant a grace period to change the directive, rather than taking immediate measures against it.
At any given time, the European Court of Justice has nine advocates general, who provide legal but nonbinding opinion ahead of deliberations and decisions by judges.
Germany does not currently comply with the Data Retention Directive, owing in large part to a Constitutional Court ban on the legislation in 2010. The forthcoming grand coalition government hopes to limit data storage in Europe to three months.
By Fiona de Londras, Durham University | November 6, 2013
Next month the advocate general of the Court of Justice of the EU (CJEU), Yves Bot, will publish an opinion on the extent to which the Data Retention Directive, one of the most controversial security measures introduced by the EU in the past decade, is compatible with human rights law. Although not a binding judgement (this will come later), the CJEU’s opinion is a significant intervention in the ongoing debate over how to balance human rights with states’ perceived surveillance needs.
The security-related retention of communications by telecoms firms was on the European agenda well before 9/11, but privacy concerns had led to a limited approach. Telecoms companies in the EU were obliged to delete communications data as soon as all business needs had been met; the data could not be retained for security or criminal investigation purposes. Some states had attempted to adjust this and introduce a retention system in 2000, but this failed – again, largely because of privacy concerns. All this changed, however, after 9/11.
As early as May 2002, a “data retention amendment” had been made to existing EU privacy laws to allow for security-related data retention, and drafts of a provision that would require retention began to circulate. Those proposals attracted so much rights-based criticism that they were apparently abandoned; however, they quickly reappeared in the wake of the London and Madrid bombings, and in 2006, the Data Retention Directive was adopted.
It obliges all member states to introduce national data retention regimes, even where – as in the UK – there had already been significant resistance to such regimes when they were previously proposed at national level. The directive requires telecommunications providers to retain data on the source, destination, time, date, duration and type of all communications by fixed and mobile telephone, fax and internet, and on the location and type of equipment used.
The data is to be retained for between six months and two years, with national law deciding on the duration, and can be accessed by state agencies investigating “serious crime” – a term that has different definitions across the member states.
The volume and extent of information retained under the directive is stunning; in effect, it has introduced a system of blanket surveillance across the entire EU. Although access to the information is regulated by law, state agencies can nonetheless access an enormous amount of information about our communications patterns and activities. This naturally raises serious human rights concerns, especially about privacy.
Security services insist that data retention is an indispensable tool for investigating serious crimes, such as terrorism and the production and distribution of child pornography. Yet different states make use of the Directive to wildly varying extents: in 2012, for example, Cyprus made 22 requests for access to data, while the UK made 725,467.
The question for the advocate general, the CJEU and the EU more broadly is whether or not the approach taken by the directive privileges perceived security needs over human rights. Data retention unquestionably constitutes a prima facie infringement on privacy; the real issue is whether this infringement is justified because it is necessary, effective, and limited. This question is at the core of all debates about “balance” in the security context: how far are we prepared to allow state power into our individual, family, social and democratic lives in order to “secure” us?
Answering this question requires us to decide on what we think “effectiveness” means in the context of security. If the directive helps to resolve a handful of serious crimes per year, or to prevent one terrorist attack, is it effective? Could a more limited approach – such as requiring telecoms companies to collect data related to certain investigations but not to retain all data – achieve the same security objectives while better protecting rights?
These are difficult questions, but they are ones we must resolve if we are to have a balanced security system. The advocate general’s opinion will be an important contribution to the debate, but it will not be the final word. Achieving a balanced approach to security requires critical scrutiny at practical, political, social and legal levels. This is all the more true given that, as the Data Retention Directive illustrates, security measures operate upon and have implications for the rights of all of us, all of the time.
Fiona de Londras is the Project Co-Ordinator of SECILE (Securing Europe through Counter-Terrorism: Impact, Legitimacy and Effectiveness), a project that has received funding from the European Union Seventh Framework Programme (FP7/2007-2013) under grant agreement n° 313195.
Australia is the latest democratic nation to introduce new national security measures that would vastly expand governmental surveillance powers, following an alarming legislative pattern that’s also unfolded in the United Kingdom and Canada in recent months.
Just as EFF sounded the alarm about the UK’s attempt to move forward with a mass surveillance bill and kept the pressure on before Canada’s online surveillance bill was temporarily shelved in the face of an outcry from privacy advocates, we’re ready to join Australians in pushing back against this latest bid for greater online spying powers Down Under.
Last week, Australian Attorney General Nicola Roxon submitted to Parliament a package of proposals intended to advance a National Security Inquiry in an effort to expand governmental surveillance powers. In a 60-page discussion paper, Roxon calls for making it easier for law enforcement and intelligence agencies to spy on Twitter and Facebook users, which would likely be achieved by compelling companies to create backdoors to enable surveillance. The proposals also revive a controversial data retention regime. And an especially problematic proposal would go so far as to establish a new crime: failure to assist law enforcement in the decryption of communications.
The bulleted list of proposed reforms, which Roxon submitted to Parliament’s Joint Committee on Intelligence and Security, reflects a wish list of Australia’s intelligence agencies. The discussion paper proposes to revise four laws relating to the surveillance activities of Australia’s six intelligence bodies, at great cost to Australians’ civil liberties. The proposed changes are divided into three categories: those that the government “wishes to progress,” those it’s considering, and those it’s seeking advice on.
On a broad level, the discussion paper makes it clear that intelligence agencies are seeking nothing less than a radical overhaul of Australia’s wiretapping laws. “The magnitude of change to the telecommunications environment suggests that further piecemeal amendments to the existing Act will not be sufficient,” the paper states, in reference to the Telecommunications Interception and Access (TIA) Act of 1979. “Rather, holistic reform that reassesses the current assumptions is needed in order to establish a new foundation for the interception regime that reflects contemporary practice.”
If approved, the revisions would amount to what the Sydney Morning Herald characterized as “the most significant expansion of the Australian intelligence community’s powers since … reforms following the terrorist attacks of 2001.” A readers’ poll that accompanied the article showed that 96 percent of respondents were opposed to any plan that would force telcos to store telephone and Internet data.
“These proposals are one of the biggest threats to the privacy of all Australians for many years,” said Nigel Waters, of the Australian Privacy Foundation and Privacy International. “Governments seem to have an insatiable appetite for more and more information about us all that is none of their business, and when history shows that they can’t make effective use of the intelligence they already collect.”
Concerned citizens have only until August 6 to weigh in on Roxon’s initial package of reforms. To have your say, go here.
The Return of Mandatory Data Retention
The proposed “OzLog” mandatory data retention policy, which Parliament rebuffed in May, sought to require Australian Internet service providers to store information about each and every individual’s web usage history for two years. EFF has been mounting resistance to mandatory data retention policies since before the European Union’s 2006 adoption of the highly controversial Data Retention Directive, and we continue to sound the alarm when similar proposals arise.
The attorney general’s paper references a “tailored” data retention scheme, which would nevertheless require providers to store data for a full two years. As a point of comparison, the European Union Data Retention Directive, which has not been universally adopted and which courts in Germany and the Czech Republic have declared unconstitutional, requires data storage lasting just six months, with the possibility of an increase to two years in certain cases.
Data retention was included under the category of proposals the attorney general is “seeking advice” on, suggesting that it might not be politically tenable to charge ahead with the controversial measure with the same zeal as before. It was the inclusion of this agenda item that drew the strongest initial responses to the proposal.
“This inquiry will likely be used to again expand the powers of spy agencies when Australians are already under a phenomenal amount of government surveillance,” said Senator for Western Australia Scott Ludlam, Australian Greens communications spokesperson. “This extreme proposal is based on the notion that all our personal data should be stored by service providers so that every move we make can be surveilled or recalled for later data mining. It comes from a mindset that imagines all Australians as potential criminal suspects, or mindless consumer drones whose every transaction should be recorded and mapped.”
Sounding a similar note, Rodney Serkowski of the Australian Pirate Party also seized on data retention as one of the most odious proposals. “It is not possible for the government to adequately ensure that the vast databases of highly personal data would not be at risk or subject to abuse of third parties,” he wrote in an email. “Indiscriminate data retention, as opposed to judicially sanctioned, targeted surveillance of a specific person for specific reason, is incompatible with human rights, and should never be considered legal or legitimate.”
New Rules for ISPs and Telecoms
The proposal would broaden online surveillance powers for Australia’s intelligence and law enforcement agencies by compelling Internet companies to make it easier for authorities to conduct digital eavesdropping efforts. “The exclusion of providers such as social networking providers and cloud computing providers creates potential vulnerabilities in the interception regime that are capable of being manipulated by criminals,” the discussion paper states. “Consideration should be given to extending the interception regime to such providers to remove uncertainty.”
Yet another proposal would sacrifice the privacy of law-abiding citizens for the sake of zeroing in on criminal suspects. It calls for allowing intelligence officials to tamper with a computer belonging to an uninvolved third party who is not under investigation in order to access a targeted computer.
To justify the dramatic expansion of surveillance powers, the discussion paper attempts to portray the intelligence agencies as helpless, claiming that a revolution in communications technology has rendered existing wiretapping laws outmoded and inadequate. “Substantial and rapid changes in communications technology and the business environment are rapidly eroding agencies’ ability to intercept,” the paper states. “Adapting the regime governing the lawful access to communications is a fundamental first step in arresting the serious decline in agencies’ capabilities.”
No New Surveillance Powers Needed
A radical expansion of police surveillance powers is not the answer. This proposal poses a serious threat to online privacy and it’s important to keep the pressure on, just as Canadian privacy advocates pushed back against a similar bill. The revisions floated in Australia’s National Security Inquiry should be met with stiff resistance from Internet users everywhere.
“These proposed changes, if implemented in their entirety, would appear to amount to a massive expansion of surveillance activity across the entire community, accompanied by a corresponding reduction in accountability for that surveillance activity, and are therefore a potentially significant threat to the civil liberties and privacy of all Australians,” Jon Lawrence of Electronic Frontiers Australia wrote in a recent blog post.
Bill Rowlings, CEO of Civil Liberties Australia, said the Australian Government seems to have found the straw that might break the back of the growing trend towards excessive surveillance in Australia. “People – your average Joe – are at last waking up that free speech and privacy matter, and are worth fighting for,” Rowlings said. “The ‘Arab Spring’ in the West might well be fought over such freedoms, rather than freedom of association, as in the Middle East.”
Stay tuned as EFF continues monitoring this proposal.
 “Equipping Government Against Emerging and Evolving Threats: A Discussion Paper to Accompany Consideration by the Joint Committee on Intelligence and Security of a package of National Security Ideas Comprising Proposals for Telecommunications Interception Reform, Telecommunications Sector Security Reform and Australian Intelligence Community Legislation Reform,” Australian Government Attorney General’s Department, pp. 17
 ibid., pp. 10
 ibid., pp. 27
 ibid., pp. 11
 ibid., pp. 23
No sooner did a mandatory data retention law go into effect in Austria this month than thousands of Austrians banded together in a swift opposition campaign to overturn it. The Austrian law originated as the misshapen offspring of the 2006 European Data Retention Directive. Led by AK Vorrat Austria, a working group against mandatory data retention, the pushback against this mass-surveillance law demonstrates that opposition remains alive and well six years after the European Union adopted the infamous Directive.
The Austrian data retention law compels all ISPs and telcos operating in Austria to retain everyone’s incoming and outgoing phone numbers, IP addresses, location data, and other key telecom and Internet traffic data. The information is collected for all citizens, rather than just those suspected of criminal activity. In many cases, the data is handed over to law enforcement.
Austrian activists took advantage of a two-year delay of the implementation of this ill-conceived Directive in their country by mapping out their opposition strategy in advance. They sought to leverage a two-tier strategy to beat back the Data Retention Directive at the European level, and to fight against the Austrian data retention law at the national level.
One day before the law entered into force, Austrian activists organized funeral marches to protest this anti-privacy, anti-anonymity, anti-free expression law.
Now, just weeks after the Directive officially went into effect, its future hangs in the balance as a pair of efforts calling for its reversal speed toward Austria’s Constitutional Court. Austrian activists are seeking to overturn the legality of the Austrian law with a mass complaint filed with Austria’s Constitutional Court. With nearly 7,000 supporters formally signed on and 18,000 declaring their intent to join, that effort is shaping up to be “the biggest complaint in the history of the republic,” according to European Digital Rights (EDRi), a coalition of 32 privacy and civil rights organizations working in the European Union, including EFF. AK Vorrat Austria initially announced that it hoped to bring 1,000 individuals together to sign onto the complaint – and surpassed that goal in two days’ time.
But activists aren’t stopping there. On a parallel track, AK Vorrat Austria has already gathered 100,000 signatures for a citizens’ initiative calling for their government to work towards the abolishment of the EU Directive. The signatures are enough to meet the required threshold to force the issue to be considered by the National Council, Austria’s legislative branch of government.
This isn’t the first time this Directive has sparked an uproar in Europe. When it first became clear that the EU was going to cave to governmental lobbying interests from the U.S. and UK and enact a sweeping law that would effectively legitimize mass surveillance, the Freedom not Fear movement responded with massive street protests in Germany and across Europe.
The opposition continues, and is only growing. Courts in Romania, Germany, and the Czech Republic have declared their national laws derived from the EU Directive to be unconstitutional, while a court in Ireland has referred a case to the European Court of Justice—the highest Court in Europe for matters related to European Union law—questioning the legality of the overall EU Data Retention Directive. The European Data Protection Supervisor Peter Hustinx has called the Directive “the most privacy-invasive instrument ever adopted by the EU in terms of scale and the number of people it affects.” Despite all this, the European Commission is still defending it even though it has not been able to provide any evidence that the Directive is necessary, and therefore legal, in the European Union.
Austrian Association for Internet users (VIBE!AT), the Ludwig Boltzmann Institute of Human Rights and several other Austrian activists are encouraging all concerned Austrians to join this fight. Austrians can join the mass complaint against the Austrian data retention law by filling out the declaration form by May 18, available at verfassungsklage.at.
Meanwhile, all Austrians age 16 and older should support the citizens’ initiative online at zeichnemit.at (in German) to call for the abolishment of the EU data retention directive. Take Action: Sign the citizens’ initiative now. Tell the Austrian government to fight for the repeal of the European Data Retention Directive in Brussels.
This January 28 marks International Privacy Day, the day that the first legally binding international privacy treaty was opened for signature to Member States on January 28, 1981. Different countries around the world are celebrating this day with their own events. This year, we are honoring the day by calling attention to recent privacy threats around the world and describing a few of the available tools that allow individuals to protect their privacy and anonymity.
Today, we are calling on governments to repeal mandatory data retention schemes. Mandatory data retention harms individuals’ anonymity, which is crucial for whistle-blowers, investigators, journalists, and for political speech. It creates huge potential for abuse and should be rejected as a serious infringement on the rights and freedoms of all individuals.
It has been six years since the highly controversial Data Retention Directive (DRD) was adopted in the European Union. Conceived in the EU and steamrolled by powerful U.S. and U.K. government lobbies, this mass-surveillance law compels EU-based Internet service providers to collect and retain traffic data revealing who communicates with whom by email, phone, and SMS, including the duration of the communication and the locations of the users. This data is often made available to law enforcement. Europeans have widely criticized the DRD, and year after year, it has inspired some of the largest-ever street protests against excessive surveillance.
The European Commission has begun mounting a defense for this highly controversial mass-surveillance scheme, though they have thus far been unable to show that the DRD is necessary or proportionate. For the DRD to be legal in the EU, any limitation to the right to privacy must be “necessary” to achieve an objective of general interest and “proportionate” to the desired aim. This requirement is important to ensure that the government does not adopt severe measures to address a problem that could be otherwise solved in a way that is less harmful to civil liberties. But the Commission has been arguing that all uses of retained data illustrate that the Directive is “valuable.” This doesn’t meet the legal standard. Instead, the Commission should provide evidence that in the absence of a mandatory data retention law, traffic data crucial to the investigation of “serious crime” would not have been available to law enforcement.
Despite the European Commission’s efforts to preserve the Directive as-is, a leaked letter confirms that the Commission has been scrambling to conjure evidence for the “need” of a DRD scheme in the European Union. It also underscores the fact that there is no system of oversight that would allow citizens to monitor the impact of the proposed program on their privacy rights. Perhaps the most disquieting detail that has been confirmed by the letter is that service providers have already been storing instant messages, chats, uploads, and downloads. This type of data collection falls outside the scope of the DRD. Moreover, the letter indicates that “unnamed” players seek to broaden the uses of the DRD to include prosecution of copyright infringement including “illegally downloading.” Since this is not a serious crime, this legally falls outside the scope of the DRD.
In response to this leak, EDRI stated, “The leaked document however shows that the Commission can neither prove necessity nor proportionality of the Data Retention Directive – but still wants to keep the Directive.” The leaked letter also disclosed that the EU Commission is evaluating the possibility of amending the Directive. The Commission has commissioned a study into data preservation in the EU and around the world. According to the letter, this exercise is to be completed by May 2012.
Ending Data Retention: Constitutional Challenges
Constitutional courts have begun weighing in on the legality of this mass-surveillance scheme. In a decision celebrated by privacy advocates, the Czech Constitutional Court declared in March 2011 that the Czech data retention law was unconstitutional. Earlier this month, the same Court dealt another blow to data retention by annulling part of the Criminal Procedure Code, which would have enabled law enforcement access to data stored voluntarily by operators. Most importantly, the Czech Court used compelling language in articulating the importance of the protection of traffic data. The Court stated that the collection of traffic data and communication data warranted identical legal safeguards since both have the same “intensity of interference”.
We couldn’t agree more. Sensitive data of this nature demands stronger protection, not an all-access pass. Individuals should not have to worry whether one sort of private information has less protection than another.
I believe that both decisions will help ensure that new legislation enforces the same restrictions as exist for use of wiretap. These include strong privacy safeguards for government access to citizens’ data, the obligation to inform individuals about the use of their data, and so on.
Several other courts in EU member states have also ruled on the illegality of data retention laws. Earlier in 2009, the Romanian Constitutional Court rejected the imposition of an ongoing, sweeping traffic data retention program. The Court rightly emphasized that mandatory data retention overturns the presumption of innocence in a way that treats all Romanians like potential suspects. Despite this court decision, a new draft data retention bill was introduced in the Parliament, but the Senate finally rejected it at the end of 2011.
In March 2010, the German Court declared unconstitutional the German mandatory data retention law. The Court ordered the deletion of the collected data and affirmed that data retention could “cause a diffusely threatening feeling of being under observation that can diminish an unprejudiced perception of one’s basic rights in many areas.” The lawsuit was brought on by 34,000 citizens through the initiative of AK Vorrat, the German working group against data retention.
Over in Ireland, the Court is referring to the European Court of Justice the case challenging the legality of the DRD, thanks to the complaint brought by Digital Rights Ireland. The Irish Court acknowledged the importance of defining “the legitimate legal limits of surveillance techniques used by governments”, and rightly emphasized that “without sufficient legal safeguards the potential for abuse and unwarranted invasion of privacy is obvious”. The Courts in Cyprus and Bulgaria have also declared their mandatory data retention laws unconstitutional.
The DRD compels EU member countries to implement the Directive into national law. Fortunately, many member states have not yet done so. The Czech Republic, Germany, Greece, Romania, and Sweden have not adopted this piece of legislation, despite pressure from the European Commission to do so. In Austria, the data protection law will take effect in April 2012. AK Vorrat Austria plans to use all legal means to challenge the legality of the DRD. They have also handed over a petition to the Austrian Parliament asking the government to fight against the DRD at the EU level and to review all existing anti-terror legislation. (If you are Austrian, sign the petition today at zeichnemit.at.) In Slovakia, the NGO European Information Society Institute is opposing the Slovakian data retention implementation law.
Meanwhile, civil society groups are resisting and campaigning against this oppressive data retention law. EDRI, along with EFF and AK Vorrat, has fought to repeal the DRD in favor of targeted collection of traffic data. EDRI has previously reported that Deutsche Telekom, a German telco, illegally used telecommunications traffic and location data to spy on roughly 60 individuals including journalists, managers, and union leaders. They also reported that two major intelligence agencies in Poland used retained traffic and subscriber data to illegally disclose journalistic sources without any judicial oversight. These are only a few examples in which data retention policies have directly threatened individuals’ expression and privacy rights.
The DRD is a threat to Internet privacy and anonymity, and has been proven to violate the privacy rights of 500 million Europeans. EFF, together with EDRI, will keep fighting to repeal the DRD in favor of targeted collection of traffic data.
Mandatory Data Retention in the United States
Two bills introduced in the U.S. Congress in 2009 would have required all Internet providers and operators of WiFi access points to keep records on Internet users for at least two years to assist police investigations. Neither bill became law. Some legislators and law enforcement officials continue to argue, however, that mandatory data retention is necessary to investigate online child pornography and other Internet crimes. In January 2011, the U.S. House of Representatives Judiciary Subcommittee on Crime, Terrorism, and Homeland Security held a hearing that discussed whether Congress should pass legislation that would force ISPs and telecom providers to log Internet user traffic data. In May 2011, H.R. 1981, which would require retention of such traffic data, was introduced in the House of Representatives. This bill is still alive and continues to be a threat to the privacy and anonymity of all Americans. EFF has joined civil liberties and consumer organizations in publicly opposing H.R. 1981. Please join EFF, and help us defeat this bill before it is made law. Contact your Representative now.