Data retention and legality: The fall of the EU’s Data Retention Directive

(Photo illustration: Shutterstock)

(Photo illustration: Shutterstock)

Retaining data is the reflex of a functioning bureaucracy.  What is stored, how it is stored, and when it is disseminated, poses the great trinity of management.  These principles lurk, ostensibly at least, under an umbrella of privacy.  The European Union puts much stake in Article 8 of the European Convention on Human Rights, stressing the values of privacy that covers home, family and correspondence.  But there are also wide qualifications – interferences are warranted in the interest of national security and public safety, allowing Member States, and the EU, a degree of room to gnaw away at privacy rights.

That entitlement to privacy has gradually diminished in favour of the “security” limb of Article 8.  The surveillance narrative is shaping privacy as a necessarily circumscribed right.  The realm of monitoring and surveillance is being extended.  Technologies have proliferated; laws have remained, if not stagnant, then ineffective.

Unfortunately for those occasionally oblivious drafters of rules in Brussels, the judges of the Court of Justice of the EU did not take kindly to the Data Retention Directive, which requires telecommunications and internet providers to retain traffic and location data.  That is not all – the directive itself also retains data identifying the user or subscriber, a true stab against privacy proponents keen on principles of anonymising users.

The objective of the DRD, like so many matters concerned with bureaucratic ordering, is procedural: to harmonise regimes of data retention across various member states.  More specifically, Directive 2006/24/EC of the European Parliament and of the Council of March 15 2006 deals with “retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks”.

Other courts have expressed concern with the directive, which propelled the hearings to the ECJ.  These arose from separate complaints in Ireland and Austria over measures taken by citizens and parties against the authorities.  The Irish case began with a challenge by Digital Rights Ireland in 2006. The Austrian legal challenge was pushed by the Kärntner Landesregierung (Government of the Province of Carinthia) and numerous other concerned parties to annul the local legislation incorporating the directive into Austrian law.

The Constitutional Court of Austria and the High Court of Ireland shook their judicial fingers with rigour against it – the judges were not pleased.  The disquiet continued to their brethren on the ECJ, which proceeded to make its stance on the scope of the retention law clear by declaring it invalid.  EU officials should have seen it coming – in December last year, the Advocate General of the ECJ was already of the opinion that the DRD constituted “a serious interference with the privacy of those individuals” and a “permanent threat throughout the data retention period to the right of citizens of the Union to confidentiality in their private lives.”

The defensive stance taken by the authorities is so old it is gathering dust.  Technology changes, but government rationales never do.  Invariably, it is two pronged. The ever pressing concerns of security forms the first.  The second: that such behaviour does not violate privacy – at least disproportionately. You will find these principles operating in tandem in each defence on the part of authorities keen to justify extensive data retention.  Such intrusive measures have as their object the gathering of information, rather than the gathering of useful data. The usefulness is almost never evaluated as a criterion of extending the law.  Instinct, not evidence, is what counts.

The rationale of the first premise is simple enough: information, or data, is needed to fight the shady forces of crime and terrorism.  Better data retention practices equates to more solid defence against threats to public security.  The ECJ acknowledged the reason as cogent enough – that data retention “genuinely satisfies an objective of general interest, namely, the fight against serious crime and, ultimately, serious security.” The authorities were also keen to emphasise that such a regime of retention was not “such as to adversely affect the essence of the fundamental rights to respect for private life and to the protection of private data.”

In dismissing the main arguments of the authorities, the points of the court are clear.  In retaining the data, it is possible to “know the identity of the person with whom a subscriber or registered user has communicated and by what means”.  Identification of the time of the communication and place form which that communication took place is also possible.  Finally, the “frequency of the communications of the subscriber or registered user with certain persons during a given period” is also disclosed.  Taken as a whole set, these composites provide “very precise information on the private lives of the persons whose data are retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, activities carried out, social relationships and the social environments frequented.”  Former Stasi employees would be swooning.

The judgment provides a relentless battering of a directive that should never left the drafter’s desk. “The Court takes the view that, by requiring retention of those data and by allowing competent national authorities to access those data, the directive interfered in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data.”

The laws of privacy tend to focus on specificity and limits.  If there is to be interference, it should be proportionate. The directive had failed at the most vital hurdle – if privacy is to be interfered with, do so in even measure with minimal interference.  The DRD had, in effect “exceeded the limits imposed by compliance with the principle of proportionality.”  The decision is unlikely to kill off regimes of massive data retention – it will simply have to make those favouring surveillance over privacy more cunning.

This article was posted on April 9, 2014 at