The opinion of Advocate-General Pedro Cruz Villalón, delivered in December 2013, about two cases before the Court of Justice of the European Union (CJEU; cases C‑293/12 and C‑594/12) concerning the Data Retention Directive 2006/24/CE contributes to the growing debate over the data retention for both internet service providers (ISP) and telephone providers.
The Directive provides for the establishment by the Member States of an obligation to collect and retain traffic and location data, which is “without doubt the most privacy invasive instrument ever adopted by the EU in terms of scale and the number of people it affects”, said Peter Hustinx, the European Data Protection Supervisor (EDPS).
For Pedro Cruz Villalón, the Directive might be invalidated regarding European main principals, such as proportionality (Article 52 of the Charter of Fundamentals Rights of the European Union – the Charter), the respect for private and family life (Article 7 of the Charter), the protection of personal data (Article 8 of the Charter) and, in general, the balance between individuals’ liberties and the proper security and safety of European citizens.
Following the example of the EDPS, there were many controversies about the Directive and the last one came out with this opinion of the Advocate-General. So, does the European Data Retention Directive need to be revised?
The European Data Retention Legal Framework
The Directive 95/46 (a new Regulation is supposed to come soon) regulates the processing of personal data and imposes on Member States the obligation to guarantee the right to privacy of individuals. Furthermore, the Directive 2002/58 includes some specific rules applicable to the electronic communications sector; in particular the confidentiality of the communications and the traffic data of subscribers, and users of electronic communications services (Article 5(1) of Directive 2002/58). It is therefore an obligation to erase or make anonymous the traffic data of all the communications (except for the data necessary for billing or interconnection payments and certain data may for marketing purposes and the provision of value-added services, subject to consent).
However, after the terrorist bombings in London in 2005, the Data Retention Directive was adopted in March 2006. While the current data protection framework ordered erasing or making the data anonymous, the new Directive requires ISP and telephone providers to retain traffic and location data for a period between six months and two years, for the purpose of investigating, detecting and prosecuting serious crime. Consequently, this Directive 2006/24 is a huge reversal of the traditional European’s conception of data protection, since it imposes the obligation to collect and retain several data on providers.
Some other national legislation came with the civil and social fear of terrorism attacks to spy on citizens online. But, the particularity of this legislation is letting providers own the data and, at the same time, to give an extended right to access the data by enforcement services. Thus, national enforcement services do not create new databases and cannot snoop on all the data to discover new relationships between suspects and citizens.
The Member States were supposed to transpose the Directive by the following year and implement a new law regarding the national laws. But, three Constitutional Courts (Romania, Germany and Czech Republic) declared void the relevant national legislation, mainly because of inadequacy with privacy and personal data concerns. These decisions create a disruption on the efficiency of the Directive within the European Union. Globally, the Directive is transposed very differently in every single Member States, since European law does traditionally not regulate enforcement.
Many commentators from both civil society and academia think the Directive is disproportionate and unnecessary, notably because of limited use for law enforcement. Some of them recommend repealing the Directive and adapting the concept of “data preservation” provided for by the Council of Europe Convention on Cybercrime (Articles 16 and 17). Basically, data concerning a criminal suspect can be retained only with a Court order for a determinate time (from the date of the Court order to, for example, the end of the suspicion). Thus, providers would not retain all data about their users and subscribers but only data of suspects. Even if the solution is really interesting to protect privacy, it’s clearly not efficient for an emergency case; the procedure for obtaining a Court order might last few days.
The Advocate-General’s opinion
In this context, the Advocate-General has to analyze the validity of the Directive with the European Union Law through the questions of the right to privacy and of the proportionality.
The Directive constitutes a serious ‘interference’ with the privacy of individuals, since providers monitor huge databases of data generated or processed in connection with most of the everyday electronic communications of citizens of the Union. Even if all this data is not an open and clear view about personal and professional activities, it establishes the conditions allowing retrospective scrutiny of privacy lives. Then, such data permits carrying out surveillance only retrospectively when the data is used. Thus, the Advocate-General thinks it less constitutes a permanent threat throughout the data retention period.
This period is one of the main points to determine the proportionality of the Directive. In fact, he makes a philosophical analysis splitting the online human being life in two periods: the present life and the historical life. The present life is the more or less immediate lived experience, and materialized by the awareness of what the individual is in the process of living through. The historical life is the own history of the human being and his memory. At last, Pedro Cruz Villalón considers that the feeling of the present life cannot be extended beyond one year (even if some criminal activities are prepared well in advance). Finally, he offers to the European Commission the perfect argument to revise the Directive on this point. For the record, six Member States (Belgium, Ireland, Italy, Latvia, Poland and Slovenia) of nineteen that transposed the Directive have implemented a retention period beyond one year.
Moreover, the Article 52 of the Charter lays down two principles: “any limitation on the exercise of the rights and freedoms recognized by the Charter must be provided for by the law”; and “subject to the principle of proportionality, limitations may be made only if they are necessary and genuinely meet objectives of general interest recognized by the Union or the need to protect the rights and freedoms of others”.
On these points, the Advocate-General explains that the European Union legislature have entirely left to the Member States the task of defining the guarantees capable of justifying the interference with fundamental rights and the data retention. Thus, the Union didn’t enough control the necessary conditions to respect the principle of proportionality. In fact, considering Article 51 of the Charter, the Union shall assume its responsibility by defining the principals that must govern the establishment, application and review of observance of those guarantees. Mainly, the EU should have established the principle that the authorities authorized to access the data are required, first, to erase them once their usefulness has been exhausted and, second, to notify the persons concerned of that access, at least retrospectively, after the elimination of any risk that such notification might undermine the effectiveness of the measures justifying the use of those data.
So, what does that mean for the future of Data Retention?
Nonetheless, the Advocate-General concludes proposing the Court should allow data retention to continue until new EU instruments can be adopted with substantial modifications, in particular limiting the retention period and defining exactly the process to access the data.
Besides, in 2011 the European Commission evaluated the Directive and concluded that data retention should continue and advocates for revising the data retention framework. In particular the report recommend that the new Directive limits consistently the purpose of data retention and types of crime for which retained data may be accessed and used, the number of authorities authorized to access the data and shortens the periods of mandatory data retention. The supervision of the requests for access must also be strong and independent.
While the opinion of the Advocate-General is not binding on the CJEU whose judgment is awaited, it sounds like a perfect guideline for the European Commission to review the Data Retention Directive on the bases of its own evaluation report. Moreover, it clearly means that the data retention will not stop in the future, since it is an important tool for enforcement services but it must be more limited and controlled to not allow an European PRISM-like system (if it does not exist yet).