Cynthia M. Wong, Senior Researcher, Internet and Human Rights.
This week, the European Union’s top court once again found that blanket data retention mandates are hostile to privacy and democratic freedoms, and incompatible with EU law. Such mandates require service providers to store data on all of the provider’s users for a set period. The decision responds to challenges seeking to invalidate sweeping data retention laws in the UK and Sweden, brought after the court struck down an EU-wide data retention law in 2014. The court’s ruling is a stern rebuke to governments that support blanket data collection for entire populations and should prompt renewed scrutiny of similar requirements in Belgium, France, Germany, the UK, and elsewhere.
Law enforcement agencies contend that companies must ensure that metadata, or data about communications like time, location, and recipient, is available for the investigation and prevention of serious crime, including terrorism. But blanket retention requirements invade the privacy of all mobile phone and Internet users, not just those under suspicion of wrongdoing.
The Court of Justice of the EU (CJEU) found that EU law bars member states from adopting laws that require “general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication” simply to fight crime. Governments are only allowed to impose data retention mandates for specific purposes such as protecting national security—and even then, the means must be strictly tailored to meet specific ends with limitations on retention periods and specific groups of users.
The court noted that metadata can be just as sensitive as the content of communications. Such data can allow authorities to draw “very precise conclusions” about people’s private lives, including “everyday habits, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them.”
Given the sensitivity of such data, the court—in an important new finding—said that EU law requires “prior review by a court or an independent administrative authority” before authorities can access retained data, and authorities must notify people whose data they access as soon as notice would no longer jeopardize an investigation.
This decision provides added clarity following the court’s 2014 ruling in the Digital Rights Ireland case that invalidated the EU Data Retention Directive. While several EU states have enacted new data retention requirements since 2014, the case may pose particular problems for the UK’s new Investigatory Powers Bill, which expands data retention requirements to even more categories of sensitive data like web browsing histories. Whatever the UK decides in the post-Brexit era, expect a new wave of legal challenges by privacy advocates across Europe, and challenges in the UK as well.