Next week, the European Court of Justice (ECJ) will hear a case concerning the German law on the general, indiscriminate and comprehensive retention of all connection, location and internet access data. The law has been suspended by the courts and is not being applied. A new investigation by the EU Parliament shows that a total of 28 lawsuits have been filed against data retention laws in the EU.
MEP, civil rights activist and lawyer Patrick Breyer (Pirate Party), who successfully challenged Germany‘s first data retention law before the German Constitutional Court, comments:
“The lawsuit filed by SpaceNet AG will stop the retention of information on all contacts and movements in Germany, which is an infringement on fundamental rights. Reintroducing the blanket collection of metadata leaves us, and our personal lives exposed. Indiscriminately collecting sensitive information about the social and business interactions, movements and the private lives (e.g. contacts with physicians, lawyers, workers councils, psychologists, helplines, etc.) of millions of citizens that are not suspected of any wrongdoing is a radical and unacceptable measure of mass surveillance.
Unfortunately, the ECJ has given in and allowed IP data retention, which could be used to snoop on our online activities for months past. Yet we have known for a long time that data retention laws have had no measurable effect on the crime rate or the crime clearance rate in any EU country. Requests for communications data are rarely unsuccessful even in the absence of indiscriminate data retention legislation. The clearance rate for cybercrime in Germany, for example, is at 58.6% and above average even without IP data retention. It fell when data retention legislation was first enacted. No other surveillance law encroaches as deeply on our right to privacy as the indiscriminate retention of our everyday activities.
It is scandalous that the EU Commission and EU governments are planning another attempt behind closed doors to make data retention mandatory throughout the EU. This threatens to result in yet another policy laundering case of Member States orchestrating legislation at an EU level to avoid responsibility for it on a national level.”
On 13 September, the ECJ hearing in the case of internet provider SpaceNet will take place in order to clarify if Germany’s indiscriminate, blanket storage obligation of traffic and location data is compatible with Union law – including the EU Charter of Fundamental Rights. Munich-based SpaceNet AG began proceedings against the controversial surveillance instrument in April 2016. SpaceNet AG was successful before the Cologne Administrative Court (VG), which ruled on 20 April 2018 that indiscriminate data retention violates EU law. The Federal Administrative Court disagrees. Now the European Court of Justice is to decide.
The following day (14 September), a French case will be heard on the admissibility of evidence obtained through illegal data retention.
In July 2020, a leaked discussion paper surfaced, which shows that the European Commission is working on scenarios for a Europe-wide reintroduction of general and indiscriminate data retention of interaction, movement and internet connection data. For the first time, messenger and videoconferencing services could also have to identify users and retain their interactions.
A previously unpublished investigation by the European Parliamentary Research Service (EPRS) commissioned by Breyer found that there have been at least 28 lawsuits against data retention laws in the EU since 2009. In 13 of these cases, the data retention rules were limited or declared invalid, in 3 cases judgment is still pending.