Two legal judgements at the highest level in Europe in recent years have reaffirmed that all Member States' data retention regimes must comply with core principles of legality, necessity, and proportionality in order to avoid breaching citizens' fundamental rights. However a new report surveying the current status of legislation pertaining to the retention of communications data across the region has found that many of the EU's 28 members are not adhering to what privacy rights advocacy organization Privacy International describes as the "basic standard".
It's urging all EU Member States to review their national legislation and amend it where necessary to come into compliance, while also recommending that telcos and other companies subject to data retention obligations should challenge existing non-compliant data retention regimes.
The two recent CJEU judgements of note here are the Digital Rights Ireland case (2014), and the Tele-2/ Watson decision (2016). The former judgement rolled back an earlier EU directive aimed at harmonizing data retention regimes across the bloc by asking Member States to impose obligations on providers of comms services to retain certain types of data for a period of between six months and two years. While the latter expanded on the earlier jurisprudence.
In the Digital Rights Ireland decision the CJEU held the 2006 directive to be invalid as a disproportionate exercise of the EU legislature’s powers and in breach of citizen's human rights.
The court was concerned about the lack of satisfactory limits to access, and by the fact data retention periods were not tailored to the goals or crimes concerned.
In the more recent Tele-2/Watson decision, at the end of last year, the court expanded on Digital Rights Ireland, with a judgment which positively asserted minimum safeguards of EU law that must be prescribed in any national data retention legislation -- specifically precluding:
...national legislation which, for the purpose of fighting crime, provides for general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication, [and] national legislation governing the protection and security of traffic and location data and, in particular, access of the competent national authorities to the retained data, where the objective pursued by that access, in the context of fighting crime, is not restricted solely to fighting serious crime, where access is not subject to prior review by a court or an independent administrative authority, and where there is no requirement that the data concerned should be retained within the European Union.
However Privacy International's survey of Member States data retention regimes indicates that many are yet to make the necessary changes to ensure domestic legislation is compliant with the court rulings.
It's urging the European Commission to provide guidance on reviewing national data retention laws to help ensure states' conformity with fundamental rights, as interpreted by Europe's top court, the CJEU.
"Member States have an obligation to ensure that their laws comply with the CJEU’s jurisprudence, and EU law more generally. It is thus concerning to notice that only a limited proportion of Member States have actually annulled their pre-Digital Rights legislation and that practically no Member States’ laws currently comply with Tele-2/Watson," it writes in the report.
"Very few governments have taken the lead in pushing legal reforms, and to the extent that limited positive changes at the national level have occurred, they have been the result of litigation initiated by NGOs and other small interest groups."
Privacy International found that close to half (40 per cent) of the countries surveyed for the report still had the invalidated 2006 directive in place. While, as a generally rule, it said it found that where repeals or amendments had taken place this was as a result of challenges in national courts predominantly by human rights NGOs -- with governments and legislators "largely inactive".
And even in Member States where the prior data retention regime has been invalidated in the national courts, and where new data retention legislation has come into force after Digital Rights Ireland, it found national laws to be "nonetheless inconsistent" with the CJEU’s most recent ruling in Tele-2/Watson -- saying this was true for around a fifth of the countries surveyed.
"In those countries the regimes might allow indiscriminate retention of data in bulk or provide vague and ill-defined regulation on access to that data by relevant authorities," it warns.
"Data retention legislation is being considered or is on hold in about 30% of the jurisdictions surveyed, and in about half of these cases attempts to ensure compliance with Tele-2/Watson are being pushed. Nonetheless, we are now eight months into the CJEU decision, and the slow pace by which changes are evolving in these jurisdictions is concerning, given how impactful these data retention regimes are on Europeans’ fundamental rights and freedoms," it adds.
Privacy International's report was compiled after consulting with digital rights NGOs and industry in 21 national jurisdictions across the EU -- specifically in: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, France, Germany, Hungary, Ireland, Italy, Luxembourg, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the United Kingdom.
In the UK's case, the government passed expanded state surveillance legislation at the end of last year -- aka the Investigatory Powers Act (or, to give it its colloquial name, the 'Snoopers' charter') -- which includes a provision requiring that ISPs retain web activity data for all their users for a period of 12 months.
Asked what it has been able to glean regarding the UK government's intention to respond to the Tele-2/Watson ruling, a Privacy International spokeswoman noted that the case has been remitted back to the court of appeal -- saying there's therefore still no clarity on how the legislation might be amended.
"The government stated recently that “…in light of the CJEU judgement, and in order to bring an end to the litigation, the government have accepted to the Court of Appeal that the Act was inconsistent with EU law in two areas.” However, until a hearing takes place, the details of what the government is prepared to accept, the response to this from the Claimants’ and ultimately what results from the CJEU’s ruling is unknown," she told us.
The spokeswoman also said it's unclear whether the data retention obligations the law places on ISPs have been activated yet, or whether they're on pause as a result of the ongoing legal uncertainty. "It is unclear whether this is current in force," she said, adding: "Not all of the Investigatory Powers Act has come into force."
There's a further uncertainty in the UK's case relating to the Brexit referendum decision for the country to leave the European Union.
Since that vote last year, the government has said it wants to extract the UK from the jurisdiction of the CJEU -- raising questions of whether it might seek to avoid compliance with the EU-level data retention rules once it's no longer a Member State.
However the Privacy International spokeswoman suggested any such move by the UK to ignore Europe-wide principles on data retention could complicate the government's stated aim for "a quick and seamless data flow with the EU following Brexit" -- an essential component if UK digital businesses are to continue to serve customers in the EU after the two-year Brexit negotiation process comes to an end in May 2019.
"Failing to comply with this judgement will raise questions as to whether the UK law provides equivalent protection to personal data as the EU standards," she suggested. "Further, the government’s recent position paper on Brexit raises more questions than it answers in relation to the CJEU and the bearing its rulings will have on the UK."