Tomorrow: Belgian mass surveillance proposal on data retention
Tomorrow, Wednesday 18 May, the members of the Committee on the Economy, Consumer Protection and Digital Agenda in the Belgian Parliament will debate for the second time and then vote on a new data retention proposal. Patrick Breyer, MEP, has analysed this draft law and has submitted his Opinion to the Committee members.
The Belgian law on the subject was annulled by the Constitutional Court in 2015. The next law also ended in front of the Court, in 2021. Will the third one respect fundamental rights and stand in court? For Patrick Breyer, it is clear that it will not. He comments:
“Collecting information on the personal contacts and movements of the entire population massively threatens privacy, disrupts confidential activities and disregards rulings by our highest courts. We are running into a rule of law deficiency if the prohibition of indiscriminate data retention is ignored in such a way. And Belgium is setting a harmful precedent at EU level, while its large neighbor Germany is doing well without this kind of mass surveillance. This proposal urgently needs to be stopped and brought in line with our fundamental rights.”
What is (meta)data retention?
The Data retention is probably the most privacy-invasive surveillance tool available to the state, and allows it to collect data about our conversations in a given area: who you talk to by message or phone, for how long, how often, from where, etc. The fact that the legislator decides to use it in such a casual way and with so little regard for the basic principles of a strong democracy must be a clear signal to those who elected them.
The proposal de facto reinstates mass surveillance surveillance.
This proposal is riddled with with elements that are each more problematic than the last. The proposal provides for several overlapping forms of data retention.
« Retention is not targeted if criteria are manipulated to cover everybody », explains Breyer. He outlines in detail his concerns in his opinion (in FR). In summary :
- Mandatory retention period to combat fraud:
- Since indiscriminate data retention is not justified to support prosecuting serious crimes, combating fraud does not justify it either.
- ‘Targeted’ retention of data depending on the rate of serious crime in a given area:
- the CJEU allows targeted retention “on the understanding that there can be no question of reinstating, by this means, a generalised and undifferentiated retention of traffic data and location data .” Given the modalities chosen, however, the bill will cover the entire territory and population, de facto reinstating this generalized surveillance.
- Targeted data retention in important, strategic, vital, and other buildings:
- Only sites that “regularly receive a very large number of visitors” and are “particularly vulnerable to the commission of serious criminal offenses” can be covered. Listing in the law all the sites where many people pass through Belgium (such as the entire motorway network), does not constitute such targeting.
- Retention of data targeted at buildings of International Institutions:
- If data retention is a serious threat to democracy at the national level, I also believe that the European democratic process is threatened if Belgian authorities and intelligence services are able to access the location, traffic, and communication data of MEPs and all individuals who set foot in the perimeter surrounding the Parliament. This argument also applies to other international institutions, which should be consulted before this ‘protection’ is imposed.
- On the question of covering OTTs or not:
- A surveillance law covering OTTs would capture all confidential contact in the private, professional and government sectors.
- On the issue of encryption
- Cybersecurity and trust in the state is not given when you are an activist, investigative journalist (or his or her source) or political opponent (or even a lawyer, counselor, victim in need of anonymity) – what’s more since the Pegasus debacle. This data retention and its impact on encryption is a further step in weakening this cybersecurity and trust.
- IP addresses and other data:
- The indiscriminate retention of IP addresses and identifying data of all users of communication services in the EU, undermines the right to use the Internet and communicate anonymously.
- Moreover, the new features of IPv6 had not yet been taken into account by the Court when it allowed this retention of IP addresses, which (in light of the increased interference caused by IPv6) should lead the legislator to caution and nuance when providing for it.