Yet more strikes against general and indiscriminate data retention in the EU: The bloc’s top court has issued a couple of rulings on joined cases today — one related to a German law on telecoms data retention which had been challenged by Deutsche Telekom and ISP SpaceNet; and another finding fault with the French state’s blanket retention of telecoms data which had been challenged after it was used by a financial services regulator in an insider trading case.
“The Court of Justice confirms that EU law precludes the general and indiscriminate retention of traffic and location data, except in the case of a serious threat to national security,” the Court writes in a press release on its judgment on the German case referral — which finds the national data retention law seriously interferes with the fundamental rights of people whose data is retained, confirming its previous case-law.
“The general and indiscriminate retention of traffic data by operators providing electronic communications services for a year from the date on which they were recorded is not authorised, as a preventive measure, for the purpose of combating market abuse offences including insider dealing,” the CJEU writes in a second press release, on the French referral.
Its ruling there also upholds existing case law that essentially means EU Member States can’t (or, well, shouldn’t) deploy creative workarounds to (try to) avoid a CJEU declaration that a national law requiring general and indiscriminate retention of telecoms data is invalid under EU law.
We have been here before, many times — so the déjà vu is real. But so are EU Member States’ appetites for grabbing and holding data for wide-ranging ‘crime fighting’ purposes despite indiscriminate bulk collection being demonstrably incompatibility with fundamental EU human rights laws. And so the legal challenges and CJEU rulings continue to flow.
Why national courts keep referring questions to the CJEU when there’s ample jurisprudence on the incompatibility of general and indiscriminate data retention with EU law is question — however the underlying strategy (of Member States) looks akin to a war of attrition, with national lawmakers taking each CJEU strike down as an opportunity to regroup and redouble their efforts with a fresh bulk collection law, battering ram style, in the hopes of exploiting cracks in the legal shielding against general retention.
And those cracks may be widening.
Earlier this year the CJEU sharpened its guidance vis-a-vis targeted exceptions — when it said may be permissible for gathering digital evidence in bulk to fight serious crime, such as by targeting places with a high instance of crime or a high volume of visitors (such as airports), or other locations which host critical infrastructure.
Its ruling today on the German referral reiterates a growing list of exceptions where the Court has said bulk data retention legislation may be permissible — in specific contexts and circumstances (e.g., serious threats to national security) — and with appropriate review (e.g., by a court) — and so long as there is some targeting involved (e.g., to a specific geographical location) and/or other limits (e.g., a period of time).
This includes an exception for “the general and indiscriminate retention of IP addresses assigned to the source of an internet connection for a period that is limited in time to what is strictly necessary” — which is a pretty generous allowance, given how much personal data may be traced back to an IP address and how malleable a timeline of strict necessity may be, depending upon the stated purpose.
So the fact national data retention regimes keep failing to land within these boundaries suggests there’s a lot of bad faith lawmaking going on.
In the CJEU’s ruling against the German law, the court objected to it laying down what the press release describes as “a very broad set of traffic and location data” retention requirements — retained for 10 weeks and four weeks respectively — which it warns “may allow very precise conclusions to be drawn concerning the private lives of the persons whose data are retained, such as habits of everyday life, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them and, in particular, enable a profile of those persons to be established.”
Digital rights advocates are urging the European Commission not to ignore yet another CJEU strike against overbearing data retention — after a leaked paper obtained by the German language blog netzpolitik last year suggested the EU’s executive is toying with several ways forward on data retention which includes, potentially, coming out with a fresh EU data retention law.
The latter would risk being a cynical gambit to kick the can down the road via inviting another round of lengthy CJEU referrals. The last EU Data Retention Directive was brought down by the Court almost a decade ago — aka, the 2014 Digital Rights Ireland decision — and anything proposed by the EU that attempts to legislate for wider data retention that has been allowed for in the bounded and exceptional circumstances the CJEU has said are possible would be set up for future failure.
But perhaps the Commission’s repeat attempts at rebooting EU-US data transfers despite multiple CJEU strike downs since 2015 (see: Safe Harbor, Privacy Shield) are providing it with a template for ignoring the Court’s will on data retention too.
In a statement following the today’s CJEU rulings, MEP Patrick Breyer, of the German Pirate Party, urges the bloc to plot an alternative course, writing: “Today’s judgement describes only the outermost limits of what is legally possible and should not be taken as an instruction manual. I warn the EU Commission not to ignore the lack of effectiveness and the harmful effects of blanket data retention on society by making a new proposal to place 450 million EU citizens under general suspicion! Instead we need to focus on preserving digital traces of suspects quickly and across borders (quick freeze).”