Quo Vadis, EU Data Retention Policy? - An Outlook on Digital Privacy and Cyber Prosecution in the European Union
Ein Beitrag von Jan-Willem Prügel1
“Nothing was your own except the few cubic centimetres inside your skull.”2
This dystopic quote from George Orwell’s famous novel 1984 illustrates the sentiment of people living in a society where government surveillance is omnipresent and any attempt at individualism causes instant prosecution. While life in Europe today is still not quite as dreary as in the fictional world envisioned by Orwell, there have in fact been recent developments hinting at eerie similarities.
With the proliferation of cellular phones and the internet, people disclose increasingly more information about themselves and those who they are in contact with, often unknowingly so. Whenever a call is made, a text message sent or a website visited, there remains, at least for some time, a digital footprint in form of a record in the service provider’s database. If the government was to look not even at the content, but only at this so-called meta or traffic data3, it could effectively deduce an individual’s movement, contacts, daily habits and much more. Just as frequent calls to the doctor’s office during business hours may indicate health issues, so could an e-mail sent from a smartphone in a red light district indicate unfaithfulness or even ties to the underworld. Needless to say, the collection and analysis of traffic data presents not only a sharp intrusion into one’s most private spheres, but could also be used to blackmail politicians and other influential figures, if fallen into the wrong hands.4 Nonetheless, the European Parliament passed the highly controversial5 Data Retention Directive6 (Directive) to stipulate an EU-wide obligation for all telecommunication traffic data to be stored by the service providers for up to 24 months, while bestowing upon government agencies the power to use that data for “the investigation, detection, and prosecution of criminal offences”7. The Directive aimed at harmonizing the Union-wide data retention policies and, thus, ultimately at facilitating the prosecution of “serious crimes”8. Recently, roughly eight years after its ratification, the European Court of Justice (Court) has struck down the Directive, declaring it incompatible with the EU Charter of Fundamental Rights9 (Charter) and invalid ab initio.10
This article will briefly analyze the decision, point out its implications and suggest a few possible solutions for an improved data retention policy compatible with the Charter.
II. The Judgment
The Court agreed with the claims submitted by the Irish and Austrian courts that the stipulated data retention granting national authorities access to their citizen’s traffic data was indeed an interference with the fundamental rights to privacy (Art. 7) and data protection (Art. 8). When applying the Directive to the Charter’s proportionality principle laid out in Art. 52(1) and established by the Court’s case law11 in order to determine whether the interference was justified, an improved combat of “serious crimes” was found to be a satisfactory objective of general interest as it safeguarded public security within the Union.12 Nonetheless the Court is of the opinion that the EU legislature has exceeded its discretion under the proportionality principle for various reasons. It analogously applied the reasoning developed in the European Court of Human Rights’ (ECtHR) Marper13 decision that the broad and thus serious interference with data privacy severely restricts the legislature’s discretion.14 Taking this legislative restriction into consideration it found, inter alia, the undifferentiated collection of data, the unclear term of “serious crimes”16, the seemingly arbitrary storage time frame as well as the lackadaisical approach to protecting the stored data18 to be disproportionate and hence incompatible with Art. 7 and 8 of the Charter.
III. Analysis of the Decision
While the Court’s reasoning is sound for the most part and the decision rendered an important signal for the data protection policies across all Member States, there remain some fundamental flaws in the judgment.
First, the Court holds that
“[the Directive’s appropriateness as a legitimate objective] cannot be called into question by the fact […] that there are several methods of electronic communication which do not fall within the scope of Directive 2006/24 or which allow anonymous communication. Whilst, admittedly, that fact is such as to limit the ability of the data retention measure to attain the objective pursued, it is not, however, such as to make that measure inappropriate […].”19
This statement hints at a profound misconception of both data retention’s viability to prevent crime in general as well as being useful against professional criminals in particular.
The Court acknowledges the existence of alternative collectible telecommunication methods, but deems them to be of such low relevance that they allegedly do not interfere sufficiently with the recording measures stipulated by the Directive to render the collection inappropriate. This argument cannot be accepted. There is a plethora of ways for individuals to avoid having their digital activities recorded or even noticed.20 Even the tracking of cell phones might prove to be useless, if the phone is registered under a different person or bought in a country without registration requirements.21 Granted, such behavior and technical savvy may indeed not be expected from the average European citizen and thereby lending a prima facie credibility to the Court's findings. Data collection is, however, specifically aimed at combating “serious matters such as organized crime and terrorism”.22 Individuals involved in structures specifically assembled to commit crimes are in most cases either professional criminals themselves or have access to trained experts. Since these persons are the target group and the data collection is unlikely to detect most of their disguised activities, the Directive would at this point already have to be considered inappropriate to accomplish the objective of crime prevention.
Furthermore, research shows that additional data retention as envisioned by the Directive only plays a minuscule role in preventing and solving criminal cases and thus represents a very small benefit that is heavily outbalanced by the severe privacy violations.23 Unfortunately, the Court fails to discuss the general usefulness of data retention which could have been an important source of strong arguments for the ongoing political debates all over the EU and beyond, especially so in the absence of a guiding directive.
Second, the Court mistakenly examines the Directive’s proportionality in the face of prevention and prosecution of crime, the eventual goal, rather than its actually stated objective, i.e., the harmonization of the EU market and retention policies.24 This is particularly problematic since it thereby conveniently circumvents its findings in Ireland v Council stating that the Directive predominantly relates to the functioning of the internal market.25
IV. Outlook and Conclusion
Considering the strong lobbyism of both international as well as national police and security agencies26 and numerous politicians, there will likely be an ongoing debate and possibly a new version of a data retention directive. The Court has made clear, however, that blanket data retention is unacceptable in the light of the proportionality requirements. A new directive would therefore have to offer a sophisticated system of differentiations between the persons targeted, the type of information collected and the length of time data would be stored for.
A potential solution to two currently problematic aspects could be the creation of a database for individuals suspected of being involved in either terrorism or other forms of organized crime. This would firstly clarify the opaque phrasing of “serious crimes” and secondly offer a way of targeting only a small group of viable suspects based on probable cause, while excluding a vast number of people from having their privacy unnecessarily intruded. Germany’s “anti terror file” (ATDG)27 could provide a valuable point of reference. According to § 2 ATDG, only individuals who have a reported history of participating in or actively endorsing terrorist organizations may be added to the file. EU Member States could adopt a similar approach to narrow the new directive’s ambit and use such a database to further differentiate in terms of data types collected and duration of information stored, thereby complying with some of the Court’s proportionality desiderata.
Another possible implication concerning the future of governmental cooperation is the proscription of storing data outside of the EU. While the Court’s reasoning has a sound foundation considering the enforceability of security standards, it also hints at distrust to non-EU data privacy legislations. Regardless of this conjecture’s veracity, it is nonetheless indicative of the fact, that future police collaboration in the form of data transfer might face another set of challenges.
To conclude, the decision has for many human rights groups been a long-awaited deliverance from a purportedly Orwellian effort of EU governments to implement a strict surveillance measure. It has also helped to shed some light on the future of the complex rules and implications that are created by the increased digitalization of our times. The interaction between policy, human rights and the (cyber) prosecution of serious crimes will continue to shape the way we live in and prove to be one of the greatest legal challenges of the 21st century.
1 Der Autor ist Student an der Universität Heidelberg und war Chefredakteur der StudZR.
2 George Orwell, 1984, p. 39, available at http://www.planetebook.com/ebooks/1984.pdf (last accessed on 4 May, 2014, 8:40AM).
3“Traffic data means any computer data relating to a communication by means of a computer system, generated by a computer system that formed a part in the chain of communication, indicating the communication’s origin, destination, route, time, date, size, duration, or type of underlying service”; Convention on Cybercrime, Budapest, Nov. 13 2001, Art. 1(d), available at http://conventions.coe.int/Treaty/EN/Treaties/Html/185.htm (last accessed on 4 May, 2014, 8:40 AM).
4 Cf. Caroline Goemans/Jos Dumortier, Enforcement Issues – Mandatory retention of traffic data in the EU: possible impact on privacy and on-line anonymity, Digital Anonymity and the Law, series IT & Law/2, 2003, p. 163 (170), available at http://www.law.kuleuven.be/icri/en/docs/publications/440retention-of-traffic-data-dumortier-goemans2f90.pdf (last accessed on 4 May, 2014, 8:40 AM).
5 Joint letter to Cecilia Malmström, 22 June 2010, available at http://www.vorratsdatenspeicherung.de/images/DRletter_Malmstroem.pdf (last accessed on 4 May, 2014, 8:40 AM); Charles Arthur, EU court of justice overturns law that would enable ‘snooper’s charter’, 8 April 2014, theguardian.com, available at http://www.theguardian.com/technology/2014/apr/08/eu-court-overturns-law-snoopers-charter-data-phones-isps (last accessed on 4 May, 2014, 8:40 AM); Lukas Feiler, The Legality of the Data Retention Directive in Light of the Fundamental Rights to Privacy and Data Protection, European Journal of Law and Technology, Vol. 1, Issue 3, 2010, available at http://ejlt.org/article/view/29/75#_ednref51 (last accessed on 4 May, 2014, 8:40 AM).
6 Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC, Official Journal of the European Union, L 105/54, pp. 54-63, available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2006:105:0054:0063:EN:PDF (last accessed on 4 May, 2014, 8:40 AM).
7 See supra note 5, (4).
8 See supra note 5, (21).
9 Charter of Fundamental Rights of the European Union, 2000/C364/01, available at http://www.europarl.europa.eu/charter/pdf/text_en.pdf (last accessed on 4 May, 2014, 8:40 AM).
10 Joined judgment of the requests for a preliminary ruling under Article 267 TFEU from the High Court (Ireland) and the Verfassungsgerichtshof (Austria), C-293/12 and C-594/12, available at http://curia.europa.eu/juris/document/document.jsf?text=&docid=150642&pageIndex=0&doclang=en&mode=req&dir=&occ=first&part=1&cid=406846 (last accessed on 4 May, 2014, 8:40 AM).
11 See supra note 9, para. 46 with further sources.
12 See supra note 9, para. 44.
13 ECHR 1581, (2009) 48 EHRR 50, 25 BHRC 557, 48 EHRR 50,  Crim LR 355, available at http://www.bailii.org/eu/cases/ECHR/2008/1581.html (last accessed on 4 May, 2014, 8:40 AM).
14 See supra note 9, para. 47, 48.
15 See supra note 9, para. 57.
16 See supra note 9, para. 60.
17 See supra note 9, para. 63.
18 See supra note 9, para. 67.
19 See supra note 9, para. 50.
20 For a quick overview of an increasingly popular branch of software see http://theaspiringsurvivalist.blogspot.com.br/2012/05/51-free-tools-to-stay-invisible-on.html (last accessed on 4 May, 2014, 8:40 AM).
21 Cf. Patrick Breyer, Telecommunications Data Retention and Human Rights: The Compatibility of Blanket Traffic Data Retention with the ECHR, European Law Journal, Vol. 11, No. 3, May 2005, pp. 365 (369).
22 See supra note 5, (9).
23 German Working Group on Data Retention (Arbeitskreis Vorratsdatenspeicherung), Serious criminal offences, as defined in sect. 100a StPO, in Germany according to police crime statistics, available at http://www.vorratsdatenspeicherung.de/images/data_retention_effectiveness_report_2011-01-26.pdf (last accessed on 4 May, 2014, 8:40 AM).
24 See supra note 5, Art. 1(1).
25 Ireland v Council, C-301/06, 10 February 2009, para. 85, available at http://curia.europa.eu/juris/document/document.jsf?text=&docid=72843&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=369222 (last accessed on 4 May, 2014, 8:40 AM).
26 European Working Party on Information Technology Crime (Interpol), Expert Statement on Retention of Traffic Data, 11 November 2001, available at https://www-old.bof.nl/docs/Comments_on_Data_Retention.pdf (last accessed on 4 May, 2014, 8:40 AM).
27 Gesetz zur Errichtung einer standardisierten zentralen Antiterrordatei von Polizeibehörden und Nachrichtendiensten von Bund und Ländern (Antiterrordateigesetz, ATDG), 22 December 2006, BGBl. I, p. 3409, available at http://www.gesetze-im-internet.de/atdg/BJNR340910006.html (German version only; last accessed on 4 May, 2014, 8:40 AM).