The European Union (EU) Data Retention Directive was adopted in 2006, following the terrorist bombings in London and Madrid, two incidents that created a political climate in which supporters could push the legislation through in only three months. Getting laws through the EU's legislative machinery normally drags on for years.
As it stood, the Directive required telcos and CSPs (Communications Service Providers) to retain metadata about their customers' communications for between six months and two years, so that law enforcement agencies and other authorised bodies, subject to court orders, could establish who someone communicated with, when, from where and how often.
In this respect, the EU directive is in fact comparable to the US Patriot Act, which permits bulk metadata collection from phone and Internet providers.
But following complaints by privacy advocates in Ireland and Austria, the European Court of Justice (ECJ) has ruled that the Directive violates two basic rights - respect for private life and protection of personal data.
Crucially, the court did not reject the notion of data retention outright, but took issue with the way the Directive implemented it. The court in Luxembourg ruled:
By requiring the retention of those data and by allowing the competent national authorities to access those data, the directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data.
The ruling will have significant implications for how data handlers in business and government conduct themselves, and for the Commission's current attempt to legislate a "Fortress Europe" set of pan-European data protection rules.
There are also implications for the cloud computing sector, as the ECJ expressed specific concern that metadata reveals a person's identity, movements, daily activities and interests, and so must be handled accordingly.
The ruling also argues that data on Europeans, gathered for any retention programme, must remain in Europe, under EU laws and protections and should not, for example, be housed in US-based data centers.
The Commission says it is assessing the ruling, arguing that there needs to be a proper balance between security and fundamental rights.
Home Affairs Commissioner Cecilia Malmström, whose portfolio covers the Directive, issued a statement noting:
"The judgement of the Court brings clarity and confirms the critical conclusions in terms of proportionality of the Commission’s evaluation report of 2011 on the implementation of the data retention directive.
"The European Commission will now carefully assess the verdict and its impacts. The Commission will take its work forward in light of progress made in relation to the revision of the e-Privacy directive and taking into account the negotiations on the data protection framework."
It's important to note that this is a court ruling, but one with no automatic effect on the national laws that transposed the Directive. It is left to the individual EU member states to decide what action to take and when.
Some countries have already made their position clear. For example, Norway’s Prime Minister Erna Solberg immediately announced that the country will prepare a new proposal for data storage, while the Swedish authorities made it clear that they would turn a blind eye to any telco that now erased retained data.
Elsewhere Bulgaria’s Ombudsman Konstantin Penchev has asked the country’s Constitutional Court to scrap the provisions in the Electronic Communications Act that mandate the bulk collection of telecommunications data.
The UK government is said to be privately dismayed at the implications of the ECJ ruling, but publicly states it will adhere to EU rules. The UK Home Office nonetheless argued in a statement:
“The retention of communications data is absolutely fundamental to ensure law enforcement have the powers they need to investigate crime, protect the public and ensure national security.”
So what happens now? Gartner Fellow French Caldwell notes that the ruling does not directly affect US legal and constitutional considerations on the NSA phone records program, but adds that it might bear on any revisions to that program now being undertaken in response to domestic and international outcry:
The EU Data Retention Directive required that telecoms and ISPs retain phone records and some internet service records for at least six months and up to two years and make these available to government agencies as needed for law enforcement. The requirement that telecoms hold on to phone record data instead of the NSA storing the data is likely to be part of the White House proposals for NSA reforms in response to public concerns over domestic spying.
Caldwell believes the EU may well issue a new directive to address the main concerns of the ECJ, but this will take time:
The directive was phrased in terms of law enforcement, where the EU has some standing, not national security where the EU has very little standing. We should expect that EU member states that have a history of this type of activity will continue to require telecoms and ISPs to store the data for national security purposes. However, this ruling will balkanize the data, making pan-EU law enforcement and anti-terrorism analysis more difficult.
It also makes a global consensus on data retention policies - always a hideously elusive Holy Grail - even less likely, liberating both opponents and advocates of legislative powers to argue their case more strongly.
For example, the day after the ECJ ruling, the Romanian government introduced proposals to increase surveillance of its citizens, including plans to make users of free Wi-Fi identify themselves to providers and to allow providers to retain data about them. Meanwhile opponents of data retention in Australia seized on the ECJ ruling as the national debate on planned legislative changes there heats up.
The US government has yet to make any official comment.
On the face of it, a triumph for democracy. The Data Retention Directive was bad law, forced through without due scrutiny on the back of the bombings in London and Madrid.
Terrible though those incidents clearly were, using them as an excuse to fast track ill-considered and disproportionate legislation was never an acceptable response.
The EU will have to go back to the drawing board, which is good news for the likes of Commissioner for Justice Viviane Reding in her hell-bent campaign to toughen up EU data protection laws. Never waste a good crisis, as they say.
Reding is running out of time: her term in office ends in September. Her patience with those who don't go along with her interpretation of the need for tough new laws is also running out, it seems, based on comments she made earlier this year:
“There has been a lot of hypocrisy in the debate. There were those who called for a high level of data protection in Europe, while simultaneously arguing that the Regulation should be replaced by a Directive. A Directive would mean the status quo. It would mean 28 Member States doing what they want. It would mean data protection on paper but not in practice.
“We have listened to these arguments for two years. Round and round in circles while, every day, the headlines have reminded us of why the reform is important. Waiting patiently – or maybe not so patiently – as Big Data has been generated against the will of the people.
“And yet in practice where do we stand? Discussions are mature. The text is ready. It is just a matter of political will.”
I don’t know what effect she has in Washington, but she scares the living daylights out of me.
Meanwhile the ECJ ruling is potentially bad news for US cloud services providers, as one element Brussels will seize on is the passage about not allowing EU data to reside on servers outside the EU (in other words, US servers).
Ironically, the Obama administration is said to be planning to base its reform of mass data gathering on the basic model of the now-invalidated EU directive, taking US call metadata collection out of the NSA's hands and shifting the burden to the telcos.
President Obama last month said of the plan:
"I am confident that it allows us to do what is necessary in order to deal with the threat of a terrorist attack, but does so in a way that addresses people's concerns."
But now that the ECJ has struck down the EU directive, Europe is without an EU-level data retention regime for now (the national laws that implemented it remain until member states act), and the ruling is bound to be cited in opposition to Obama's proposed amendments.
That said, the Obama administration has a great opportunity to learn here from Europe's mistakes around data retention legislation, should it choose to pay heed.