EU Quietly Ramps Up Preparations To Re-introduce Blanket Data Retention After Top Court Threw It Out In 2014
from the let's-protect-article-13-while-we-are-at-it dept
One of the biggest wins for the general public in recent years was when the Court of Justice of the EU (CJEU), the region's highest court, ruled in 2014 that the 2006 Data Retention Directive was "invalid". That naturally didn't go down too well with many of the governments in the EU, who were keen to keep it for surveillance of their populations. Almost immediately, the European Commission began to "examine the best options for the way forward as regards the retention of telecommunications data", as Erich Möchel reported in 2015. More recently, Statewatch published a draft of an internal document from the Council of the EU (pdf), outlining the EU's plans to re-instate obligatory data retention, while an updated version was obtained and released by ORF.at (pdf). The differences between the two versions give a hint of how the EU might try to play this. The earlier one says:
The rulings of the European Court of Justice in the cases Digital Rights Ireland and Tele 2, which set out the criteria for the lawful retention of data and access thereof are of fundamental importance in this context. It should also be noted that it has been argued that the findings of the Court in those cases apply only to traffic and location data, and not to subscriber data.
In the second version, the Council of the EU is much more assertive:
The rulings of the European Court of Justice in the cases Digital Rights Ireland and Tele 2, which set out the criteria for the lawful retention of data and access thereof are of fundamental importance in this context. In this context, Member States expressed their view that the findings of the European Court of Justice in Digital Rights Ireland and Tele 2 do not apply to subscriber data, but only to traffic and location data.
So maybe the line will be that the big 2014 defeat in the courts only applied to "traffic and location data", not to subscriber data. The hope seems to be that new legislation might specify that only data about the latter should be retained, thus avoiding the EU court's restriction.
The document also provides important information about another key piece of proposed EU legislation. The e-Privacy Regulation is designed to complement the General Data Protection Regulation. Where the latter essentially protects personal data at rest -- in databases, for example -- the e-Privacy Regulation will restrict how personal data can be transferred. Even though it is close to completion, the e-Privacy Regulation has essentially been put on the back burner, with no prospect of it being passed soon. Thanks to the latest document leak, now we know at least one reason why:
Legislative reforms at national or European level, including the new e-Privacy Regulation, should maintain the legal possibility for schemes for retention of data at EU and national level that take into account future developments and that are compliant with the requirements set out by the European Court of Justice.
This exposes a fear on the part of the EU politicians that the e-Privacy Regulation might place new obstacles in the way of a re-vamped Data Retention Directive. The comment above is a reflection of the fact that the e-Privacy Regulation will only be set on the path to final approval if it allows governments to collect and store personal data as they wish.
Finally, Erich Möchel's analysis of the latest version of the document from the Council of the EU notes a troubling possibility. While the EU is smoothing the way for data retention to return, it might get rid of another pesky directive that tries to limit surveillance of online users. Article 15 of the EU's e-Commerce Directive, passed in 2000, says:
Member States shall not impose a general obligation on providers ... to monitor the information which they transmit or store, nor a general obligation actively to seek facts or circumstances indicating illegal activity.
Techdirt pointed out recently that Article 13 (now renumbered as Article 17) of the EU's Copyright Directive imposes exactly this kind of general obligation. It is therefore quite possible that the CJEU could rule that Article 13/17 of the Copyright Directive is invalid, just as it did for general data retention. Möchel suggests that as the EU tries to bring back data retention, it might also take the opportunity to get rid of that ban on general monitoring to head off any legal challenges to Article 13/17 as well.
Follow me @glynmoody on Twitter, Diaspora, or Mastodon.
Filed Under: cjeu, data privacy, data protection, data retention, data retention directive, eu, general monitoring, privacy, surveillance