On 8 April 2014 the European Court of Justice annulled the EU Data Retention Directive which required the bulk collection of any citizens call detail records and location. 8 years later EU Commission and EU governments are scheming how to maintain or restore bulk collection programmes. In a legal opinion published today former EU Judge Prof. Dr. iur. Vilenas Vadapalas finds that two of the most commonly used data retention schemes are “not in line with the ECJ case-law and fundamental rights”:
The French and Danish attempt to justify indiscriminate retention of telephone calling records and location data by claiming a permanent threat to national security is dismissed. Likewise plans of the EU Commission and Belgium to capture the vast majority of the population by way of extensive “geographically targeted retention” fails legal scrutiny.
“The bulk collection of information on non-suspects everyday communications and movements constitutes an unprecedented attack on our right to privacy and is the most invasive method of mass surveillance directed against the state’s own citizens”, comments Patrick Breyer, Pirate Party Member of the European Parliament who commissioned the legal opinion. “The anecdotal results are nowhere close to the damage this surveillance weapon inflicts on our societies, as a recent survey found. The persistent violation of fundamental rights, circumvention of case-law, pressuring of judges and ignorance of facts is an attack on the rule of law we need to stop!”
National Security: No Free Ride for Mass Surveillance
Under massive pressure by EU governments, the European Court of Justice allowed Member States to impose general and indiscriminate retention of all call detail records and location data only where exceptionally needed to counter a present of foreseeable threat to national security, such as a terrorist attack. A French administrative court (Conseil d’Etat) however invoked this exception permanently, pointing to the general risk of terrorism and past attacks in France as well as espionage and foreign interference. France has continued permanently imposing indiscriminate data retention by relying on this ruling.
According to the legal opinion however, the French court’s decision “fails to demonstrate a specific threat to national security because … it refers to a mere general risk of terrorism and past attacks in France. I did not find any evidence given for the specific or identified preparation of a specific future attack. Insofar, the Decision is not in line with the ECJ case-law and fundamental rights.” Breyer comments:
“We are yet to see evidence that untargeted data retention ever prevented even a single terrorist attack. The fact that several such attacks have taken place in France with blanket retention requirements in place does not support this assumption. Setting this issue aside, it is difficult to imagine that a specific terrorist threat could not be countered by means of targeted retention.”
Earlier this week the Court of Justice already dismissed the French approach to justify data retention with national security needs but access the data for other purposes (prosecution of crime).
“Targeted” data retention: Plans violate citizen’s fundamental rights
A secret EU Commission non-paper dated 10 June 2021 suggests to Member State governments a variety of options to making data retention mandatory throughout the EU once again. Several of these proposals are excessive and non-compliant, the legal opinion explains. The proposals for “geographical targeting … may lead to imposing unjustified legal obligations on providers to retain traffic and location data in very broad and indefinite geographic areas”.
1) The Commission proposes to apply data retention to all persons in areas with (even slightly) above average crime rates. Since cities tend to have an above-average crime rate, this approach could expose more than 80% of the population to data retention. The legal opinion finds that this approach is not permitted and a “high” (not just above average) incidence of serious crime in an area is required to justify applying data retention.
2) The Commission proposes to apply data retention to all persons within “a certain radius around sensitive critical infrastructure sites, transport hubs, (…) affluent neighbourhoods, places of worship, schools, cultural and sports venues, political gatherings and international summits, houses of parliament, law courts, shopping malls etc.” The legal opinion finds that this list does not comply to legal requirements and warns that by applying these criteria data retention “may even become general and indiscriminate in broad areas covering a big part of the territory and the infrastructure of a Member State”. Among the sites listed by the Comission only those which “regularly receive a very high volume of visitors” and are “particularly vulnerable to the commission of serious criminal offences” may be covered. There is also no legal basis for covering a radius around those sites. And Prof. Dr. iur. Vilenas Vadapalas warns that “especially the sites of worship and political gatherings host particularly sensitive activities revealing religion and political opinion”.
3) The Commission proposes to apply data retention to all “associates” of potential suspects, without requiring to verify that such persons represent a specific threat of committing serious criminal acts. This is not in line with the ECJ case-law and fundamental rights.
“The EU Commission now finally needs to do its job and start enforcing the landmark rulings, instead of plotting to bring back data retention.”