EU Quietly Ramps Up Preparations To Re-introduce Blanket Data Retention After Top Court Threw It Out In 2014
from the let's-protect-article-13-while-we-are-at-it dept
One of the biggest wins for the general public in recent years was when the Court of Justice of the EU (CJEU), the region’s highest court, ruled in 2014 that the 2006 Data Retention Directive was “invalid“. That naturally didn’t go down too well with many of the governments in the EU, who were keen to keep it for surveillance of their populations. Almost immediately, the European Commission began to “examine the best options for the way forward as regards the retention of telecommunications data”, as Erich Möchel reported in 2015. More recently, Statewatch published a draft of an internal document from the Council of the EU (pdf), outlining the EU’s plans to re-instate obligatory data retention, while an updated version was obtained and released by ORF.at (pdf). The differences between the two versions give a hint of how the EU might try to play this. The earlier one says:
The rulings of the European Court of Justice in the cases Digital Rights Ireland and Tele 2, which set out the criteria for the lawful retention of data and access thereof are of fundamental importance in this context. It should also be noted that it has been argued that the findings of the Court in those cases apply only to traffic and location data, and not to subscriber data.
In the second version, the Council of the EU is much more assertive:
The rulings of the European Court of Justice in the cases Digital Rights Ireland and Tele 2, which set out the criteria for the lawful retention of data and access thereof are of fundamental importance in this context. In this context, Member States expressed their view that the findings of the European Court of Justice in Digital Rights Ireland and Tele 2 do not apply to subscriber data, but only to traffic and location data.
So maybe the line will be that the big 2014 defeat in the courts only applied to “traffic and location data”, not to subscriber data. The hope seems to be that new legislation might specify that only data about the latter should be retained, thus avoiding the EU court’s restriction.
The document also provides important information about another key piece of proposed EU legislation. The e-Privacy Regulation is designed to complement the General Data Protection Regulation. Where the latter essentially protects personal data at rest — in databases, for example — the e-Privacy Regulation will restrict how personal data can be transferred. Even though it is close to completion, the e-Privacy Regulation has essentially been put on the back burner, with no prospect of it being passed soon. Thanks to the latest document leak, now we know at least one reason why:
Legislative reforms at national or European level, including the new e-Privacy Regulation, should maintain the legal possibility for schemes for retention of data at EU and national level that take into account future developments and that are compliant with the requirements set out by the European Court of Justice.
This exposes a fear on the part of the EU politicians that the e-Privacy Regulation might place new obstacles in the way of a re-vamped Data Retention Directive. The comment above is a reflection of the fact that the e-Privacy Regulation will only be set on the path to final approval if it allows governments to collect and store personal data as they wish.
Finally, Erich Möchel’s analysis of the latest version of the document from the Council of the EU notes a troubling possibility. While the EU is smoothing the way for data retention to return, it might get rid of another pesky directive that tries to limit surveillance of online users. Article 15 of the EU’s e-Commerce Directive, passed in 2000, says:
Member States shall not impose a general obligation on providers … to monitor the information which they transmit or store, nor a general obligation actively to seek facts or circumstances indicating illegal activity.
Techdirt pointed out recently that Article 13 (now renumbered as Article 17) of the EU’s Copyright Directive imposes exactly this kind of general obligation. It is therefore quite possible that the CJEU could rule that Article 13/17 of the Copyright Directive is invalid, just as it did for general data retention. Möchel suggests that as the EU tries to bring back data retention, it might also take the opportunity to get rid of that ban on general monitoring to head off any legal challenges to Article 13/17 as well.
Follow me @glynmoody on Twitter, Diaspora, or Mastodon.
Filed Under: cjeu, data privacy, data protection, data retention, data retention directive, eu, general monitoring, privacy, surveillance
Comments on “EU Quietly Ramps Up Preparations To Re-introduce Blanket Data Retention After Top Court Threw It Out In 2014”
'Spying on your users is bad... now do LOTS more of it.'
EU politicians, supporting the GDPR: Companies tracking/collecting/having customer data and activity is bad, more stringent rules need to be put in place to force transparency with hefty penalties in place for failure to do so.
Also EU politicians, supporting Data Retention and Article 17: Companies should not only track user activity extensively, they should be required to do so, whether overtly or as the only real way to comply with a law even if we didn’t specifically tell them they had to(well, before it was passed anyway…)
Re: 'Spying on your users is bad... now do LOTS more of it.'
That’s exactly what I was thinking: how does not directly contradict the GDPR?
Re: Re: GDPR requirements
Consent by the user is one of 6 legal grounds for legitimate processing of personal data.
https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/legal-grounds-processing-data/grounds-processing/when-can-personal-data-be-processed_en
Helpfully, one of them is "to meet a legal obligation under EU or national legislation". As far as the GDPR is concerned. it’s always fine to help the state spy its citizens.
It is the duty of the ISP's to help the goverment spy on you.
I guess the politicians here in Sweden would love this. The data retention policy they introduced has (if I am not mistaken, twice) been struck down by the CJEU for not being in compliance with the stricter ruling the CJEU did earlier.
Of course, said politicians think it is awful if companies like Facebook track you, but love having as much information about the great unwashed masses (the citizens) as possible. Even if the law does not permit it. Even going so far as to threaten one ISP that they might lose their license if they do not comply with the government’s demands for data retention. All in the name of war on terror (and for their friends in the copyright lobby).
And woe to any of the serfs if they try to protest.
EU, this is Not Metal Gear Solid
This is not the time to be hiding in a box while sneaking these corrupt laws into people’s faces.