Data retention
Data retention is the collection of information about a person’s location and communications from phone, text, email or other services. General and Indiscriminate data collection is the collection of the location and communications data of the entire population, regardless of if they are suspected or accused of a crime.
General and Indiscriminate data collection represents an unprecedented attack on our right to privacy and is the most invasive method of mass surveillance. It captures highly sensitive information about our daily lives and excludes no one. It can reveal your personal relationships, communications with legal council, therapists, marriage councilors, or medical professionals such as psychologists or doctors, and gives governments and law enforcement unprecedented access to your private life in a way that is ripe for abuse.
The effects go far beyond infringement on your individual right to privacy. They have a chilling effect on democratic society: imagine being afraid to a protest because the government can track you through your phone, or being afraid your conversations with friends are being scrutinised; imagine being afraid to speak up out because the government can reveal your secrets publicly, or being a journalist trying to protect your source when all communications are monitored.
Contents
- What’s new?
- (In)compatibility with fundamental rights
- What are alternatives?
- What can you do?
- A brief history of data retention in the EU
- Gaps in protection without data retention?
- The situation in EU countries?
- What “targeted” data retention would mean for 40 million Germans
- Belgium: Online map shows what the Belgian government wants to hide
- Related topics
A survey conducted nine EU member states published in 2022 (full text) shows that data retention causes far-reaching societal problems because it deters people from engaging in private communication. When people in crisis situations do not have access to consultation services anonymously, it can lead to violence and endanger human lives.
The blanket collection of everybody’s metadata not only seriously undermines our privacy, but also fundamentally violates EU law. It creates an unacceptable risk of abuse and loss of confidential information relating to our contacts, movements and interests. That is why it has already been annulled on multiple occasions by the European Court of Justice (ECJ). All the same, most member states have ignored EU law and maintained or introduced national legislation on data retention.
As a leaked discussion paper from June 2021 reveals, the European Commission is currently working on scenarios to reintroduce indiscriminate and general retention of traffic, location and internet connection data throughout the EU.
What’s new?
A new EU law on data retention would not only bypass national parliaments, but also national constitutional courts. This threatens to result in yet another case of Member States orchestrating legislation at EU level to avoid responsibility for it on a national level.
This is what the EU Commission is considering:
- Data retention for “National Security”: In exceptional situations, such as an imminent terrorist attack, the European Court of Justice has accepted the blanket retention of information on everybody’s contacts and movements to safeguard “national security”. Following a French court ruling however, the EU Commission wants to make this exception a rule. With “security risks” present always and everywhere, data retention could easily be made permanent. This perverts EU jurisprudence that protects our fundamental rights to privacy and freedom of expression.
- IP Data Retention: Perhaps the greatest danger at present results from the European Court of Justice’s recent acceptance of indiscriminate IP data retention, which would allow authorities to retrace the private internet use of any citizen for months and make it possible to identify pseudonyms of people at risk. This could endanger whistleblowers and political activists. Criminals can easily circumvent this total surveillance by using anonymisation services, but ordinary users would be hit hard by a ban on accessing the Internet anonymously.
- Targeted Data Retention: The idea of supposedly “targeted data retention” aims to indiscriminately collect communications and location data of persons staying e.g. in “above-average crime” areas and “affluent residential areas”. All “targets” taken together, this could affect millions of innocent people, such as tourists, public transport users or even drivers at toll booths. For example, there is likely to be an “above-average crime” rate in every imaginable city. We have created a map showing which areas would be affected by targeted data retention in Germany. The EU Commission plans to amass information on people in churches, schools, shopping centres and even at protest marches and place them under general suspicion. This would violate religious freedom and the secrecy of confessions as well as freedom of assembly. In targeted parliaments, Members of Parliament‘s communications would be indiscriminately recorded. In targeted courts, the attorney-client privilege would be violated.
- Ban anonymous communications: The Commission’s paper includes a proposal for a ban on anonymous prepaid cards and thus anonymous communications. They are also considering to require messaging, e-mail, video conferencing and other Internet communications services to retain the identity of users. This threatens whistleblowers and press informants, political activists and people in need of advice, who often fall silent without the protection of anonymity. Only anonymity prevents the persecution and discrimination of courageous people in need of help and ensures the free exchange of sometimes vital information.
Digital rights activist Patrick Breyer has long advocated against the introduction of data retention. The German Pirate Party Member of the European Parliament warns:
“Studies have repeatedly [1, 2] failed to find any significant effect of data retention on the crime rate or the crime clearance rate.And the fact that the EU Commission now also wants to oblige Over-the-top content (OTT) services, such as messenger services or video telephony, to retain data and identify users goes far beyond even the EU Directive on data retention, which has been annulled for violating fundamental rights, and also goes beyond existing national laws on data retention. This risks capturing every confidential contact in private, business and governments.“
Patrick Breyer
(In)compatibility with fundamental rights
In a legal opinion, former EU judge Prof. Dr. iur. Vilenas Vadapalas states that two of the most widely used methods of data retention (national security, geographical limitation) are “not compatible with ECJ case law and fundamental rights”. You can find a summary here.
What are alternatives?
The Commission’s paper includes one mechanism on the preservation of data that actually would make sense: a quick freeze procedure. Authorities would have a suspect’s metadata preserved by the provider and only be given access to it with a judicial authorization. The approach to quickly preserve the data of suspects has been discussed for a long time. But so far, it has been blocked by the surveillance fundamentalists who ideologically insist on total data retention.
What can you do?
- Spread the word on social media! Join the debate on Mastodon, Facebook, Twitter, Instagram & Co. Share this article and memes using the hasthag #dataretention.
- Talk about it offline! Many people are not aware of the dangers of indiscriminate data retention and how close we are to losing our digital privacy online. Start conversations with friends and family or share links to our info page.
- Reach out to journalists and media companies! The blanket collection of our metadata is not only the most unpopular mass surveillance method, but it affects the freedom of information as well. Journalists and whistleblowers would suffer immensely from such measures and have an interest in reporting about it.
- Address policymakers! For many years now, the potential implementation of a data retention regime is one the most controversial topics in the field of digital rights. It is discussed on all political levels in national and European legislation. Reach out to your elected representatives and ask them to better protect our fundamental rights online.
A brief history of data retention in the EU
- 2006: On 15 March, the Data Retention Directive (Directive2006/24/EC) was adopted as EU law. Member States of the EU were obliged to store communications data for at least six months with a maximum of 24 months.
- 2014: On 8 April, the Court of Justice of the European Union (CJEU) annulled directive 2006/24/EC. The Court considered that the directive ‘entails a wide-ranging and particularly serious interference with the fundamental rights to the respect for private life and to the protection of personal data, without that interference being limited to what is strictly necessary’.
- 2020: On 6 October, the CJEU (C-623/17) confirmed that EU law precludes national legislation in the United Kingdom, France and Belgium requiring providers to generally and indiscriminately retain traffic and location data.
- 2021: On 21 April, the French “Conseil d’Etat” court bypassed EU law and decided to uphold the collection of information on everybody’s contacts and movements for 12 months due to a “threat to national security”, referring to an elevated risk of terrorist attacks and foreign espionage. It also allowed these data to be used for general law enforcement purposes.
- 2021: A leaked discussion paper from 10 June reveals that the EU Commission plans a new attempt to introduce data retention.
Gaps in protection without data retention?
- 2011: The German Federal Office of Justice commissioned the Max Planck Institute for Foreign and and International Criminal Law to write an expert opinion on possible gaps in protection due to the annulment of data retention legislation by the Federal Constitutional Court in 2010. An English summary of the study can be found here.
- 2020: Laws on the blanket retention of telephone, mobile phone and internet usage have no measurable impact on crime rates or rates of successfully solved cases in any EU country. This is the result of a 2020 study by the European Parliament’s Research Service. Find a summary here.
- 2020: According to a study commissioned by the EU Commission, traffic data queries are “rarely unsuccessful”. Even without data retention, Germany reports that procedures have been optimised and data is regularly accessed within seven days. In France and Portugal, unsuccessful searches are reported more frequently, although data retention laws are in force there.
- 2022: In an answer to a written question, the German Government published statistical data from the Federal Criminal Police Office (available in German here) on 24 January 2022 according to which only 3% of all cases of “use, trafficking or distribution of child pornography in the years 2017 to 2021” could not be prosecuted further due to non-existent IP addresses.
All of this shows that data retention is not needed for effective law enforcement but would rather encroach on people’s privacy disproportionately to its benefits.
The situation in EU countries?
The situation in Member States is extremely varied. In many countries, provisions of the now annulled Data Retention Directive are still in force, despite that Directive being struck down by the European Court of Justice for infringing on fundamental rights. Research by the European Parliamentary Research Service study commissioned by Patrick Breyer shows there have been at least 28 cases in national courts against data retention, that 13 have succeeded, 9 have failed, 4 are pending or suspended and that at least 5 have resulted in referrals to to the European Court of Justice.
You can find the study in full here.
What “targeted” data retention would mean for 40 million Germans
Background to the map
The EU Commission has proposed “targeted” data retention in areas with above-average crime (details above). Our map shows that despite the name, this is mass surveillance. In practice, surveillance is likely to be even more invasive, because according to the plans, places like churches, schools, shopping centres or railway stations could also be added nationwide.
Red areas: Anyone living here would have to face the fact that eyerybody’s telephone and internet data (phone number, location, time, IP address) is retained because the crime rate is above average in these areas. The area may seems small, but the proportion of people affected is large because there is higher crime especially in cities and densely populated areas. In Germany, communications data would be collected from more than 40 million people. That is about 48% of the entire population (as of 2020). So-called targeted data retention is mass surveillance without any reason, which almost exclusively affects law-abiding people. A proportionate solution would be the “quick freeze” approach, in which data is stored as soon as there is a concrete reason for doing so.
(Sources: Geodata: Bundesamt für Kartographie und Geodäsie | Crime data: Bundeskriminalamt, PKS 2020)
Belgium: Online map shows what the Belgian government wants to hide
In Belgium geographically “targeted” data retention would cover the entire national territory and the whole population. You find more information about the map in our press release: “Targeted” Data Retention: Online map shows what the Belgian government wants to hide.