Data Retention

Data retention is the collection of  information about a person’s location and communications from phone, text, email or other services. General and Indiscriminate data collection is the collection of the location and communications data of the entire population, regardless of if they are suspected or accused of a crime.

General and Indiscriminate data collection represents an unprecedented attack on our right to privacy and is the most invasive method of mass surveillance. It captures highly sensitive information about our daily lives and excludes no one. It can reveal your personal relationships, communications with legal council, therapists, marriage councillors, or medical professionals such as psychologists or doctors, and gives governments and law enforcement unprecedented access to your private life in a way that is ripe for abuse.

The effects also go far beyond infringement on your individual right to privacy: they have a chilling effect on democratic society: imagine being afraid to a protest because the government can track you through your phone and arrest you, or being afraid your conversations with friends are being scrutinised, imagine being afraid to speak up out because the government can reveal your secrets publicly, or being a journalist trying to protect your source when all communications are monitored. This is what general and indiscriminate data retention allows.

The blanket collection of everybody’s metadata  not only seriously undermines our privacy, but also fundamentally violates EU law. It creates an unacceptable risk of abuse and loss of confidential information relating to our contacts, movements and interests. That is why it has already been annulled on multiple occasions by the European Court of Justice (ECJ).

Nevertheless, most member states have ignored EU law and maintained or introduced national legislation on data retention. In addition, as a leaked discussion paper from June 2021 reveals, the European Commission is currently working on scenarios to reintroduce indiscriminate and general retention of traffic, location and internet connection data throughout the EU.

What’s new?

A new EU law on data retention would not only bypass national parliaments, but also national constitutional courts. This threatens to result in yet another case of  Member States orchestrating legislation at EU level to avoid responsibility for it on a national level. This is what the EU Commission is considering:

  • Data retention for “National Security”: In exceptional situations, such as an imminent terrorist attack, the European Court of Justice has accepted the blanket retention of information on everybody’s contacts and movements to safeguard “national security”. Following a French court ruling however, the EU Commission wants to make this exception a rule. With “security risks” present always and everywhere, data retention could easily be made permanent. This perverts EU jurisprudence that protects our fundamental rights to privacy and freedom of expression.
  • IP Data Retention: Perhaps the greatest danger at present results from the European Court of Justice’s recent acceptance of indiscriminate IP data retention, which would allow authorities to retrace the private internet use of any citizen for months and make it possible to identify pseudonyms of people at risk. This could endanger whistleblowers and political activists. Criminals can easily circumvent this total surveillance by using anonymisation services, but ordinary users would be hit hard by a ban on accessing the Internet anonymously.
  • Targeted Data Retention: The idea of supposedly “targeted data retention” aims to indiscriminately collect communications and location data of persons staying e.g. in “above-average crime” areas and “affluent residential areas”. All “targets” taken together, this could affect millions of innocent people, such as tourists, public transport users or even drivers at toll booths. For example, there is likely to be an “above-average crime” rate in every imaginable city. The EU Commission plans to amass information on people in churches, schools, shopping centres and even at protest marches and place them under general suspicion. This would violate religious freedom and the secrecy of confessions as well as freedom of assembly. In targeted parliaments, Members of Parliament‘s communications would be indiscriminately recorded. In targeted courts, the attorney-client privilege would be violated.
  • Ban anonymous communications: The Commission’s paper includes a proposal for a ban on anonymous prepaid cards and thus anonymous communications. They are also considering to require messaging, e-mail, video conferencing and other Internet communications services to retain the identity of users. This threatens whistleblowers and press informants, political activists and people in need of advice, who often fall silent without the protection of anonymity. Only anonymity prevents the persecution and discrimination of courageous people in need of help and ensures the free exchange of sometimes vital information.

Digital rights activist Patrick Breyer has long advocated against the introduction of data retention. The German Pirate Party Member of the European Parliament warns:

“Studies have repeatedly failed to find any significant effect of data retention on the crime rate or the crime clearance rate.And the fact that the EU Commission now also wants to oblige Over-the-top content (OTT) services, such as messenger services or video telephony, to retain data and identify users goes far beyond even the EU Directive on data retention, which has been annulled for violating fundamental rights, and also goes beyond existing national laws on data retention. This risks capturing every confidential contact in private, business and governments.

 

If there is one thing we have learned from past totalitarian regimes in Europe, it is that we must never again allow the construction of a surveillance state. Now all concerned groups need to join forces very early to stop the threat of total surveillance and identification in time.” – Patrick Breyer

What are alternatives?

The Commission’s paper includes one mechanism on the preservation of data that actually would make sense: a quick freeze procedure. Authorities would have a suspect’s metadata preserved by the provider and only be given access to it with a judicial authorization. The approach to quickly preserve the data of suspects has been discussed for a long time. But so far, it has been blocked by the surveillance fundamentalists who ideologically insist on total data retention.

What can you do?

  • Spread the word on social media! Join the debate on Mastodon, Facebook, Twitter, Instagram & Co. Share this article and memes using the hasthag #dataretention.
  • Talk about it offline! Many people are not aware of the dangers of indiscriminate data retention and how close we are to losing our digital privacy online. Start conversations with friends and family or share links to our info page.
  • Reach out to journalists and media companies! The blanket collection of our metadata is not only the most unpopular mass surveillance method, but it affects the freedom of information as well. Journalists and whistleblowers would suffer immensely from such measures and have an interest in reporting about it.
  • Address policymakers! For many years now, the potential implementation of a data retention regime is one the most controversial topics in the field of digital rights. It is discussed on all political levels in national and European legislation. Reach out to your elected representatives and ask them to better protect our fundamental rights online.

A brief history of data retention in the EU

  • 2006: On 15 March, the Data Retention Directive (Directive2006/24/EC) was adopted as EU law. Member States of the EU were obliged to store communications data for at least six months with a maximum of 24 months.
  • 2014: On 8 April, the Court of Justice of the European Union (CJEU) annulled directive 2006/24/EC. The Court considered that the directive ‘entails a wide-ranging and particularly serious interference with the fundamental rights to the respect for private life and to the protection of personal data, without that interference being limited to what is strictly necessary’.
  • 2020: On 6 October, the CJEU (C-623/17) confirmed that EU law precludes national legislation in the United Kingdom, France and Belgium requiring providers to generally and indiscriminately retain traffic and location data.
  • 2021: On 21 April, the French “Conseil d’Etat” court bypassed EU law and decided to uphold the collection of information on everybody’s contacts and movements for 12 months due to a “threat to national security”, referring to an elevated risk of terrorist attacks and foreign espionage. It also allowed these data to be used for general law enforcement purposes.
  • 2021: A leaked discussion paper from 10 June reveals that the EU Commission plans a new attempt to introduce data retention.

The situation in EU countries?

The situation in Member States is extremely varied. In many countries, provisions of the now annulled Data Retention Directive are still in force, despite that Directive being struck down by the European Court of Justice for infringing on fundamental rights. Research by the European Parliamentary Research Service study commissioned by Patrick Breyer shows there have been at least 28 cases in national courts against data retention, that 13 have succeeded, 9 have failed, 4 are pending or suspended and that at least 5 have resulted in referrals to to the European Court of Justice.

You can find  the study in full here.