Advocate General: EU Data Retention Directive unconstitutional

Some consider retention of communication data of EU Citizens already gone, after the Advocate General of the European Court of Justice (ECJ), Cruz Villalón, stated Thursday, December 12, in his opinion, that it is “as a whole incompatible” with the EU Charter of Fundamental Rights. Yet reading his non-binding opinion to the end, you feel inclined to quote him with “the issue is not so simple.”

Villalón did acknowledge the “relevance and even urgency of the ultimate objectives of the limitation on fundamental rights at issue.“ “The opinion is an important step against mass retention of data, but we certainly are not there yet,“ said Rena Tangens, co-founder of German Digital Rights group Digital Courage who voiced that Villalón’s opinion should not be viewed as a roadmap on how to do data retention safely, but should result in addressing the fundamental rights framework instead.

Unconstitutional directive

The EU legislator failed EU citizens with the directive. That is the conclusion of the opinion brought to the Court in Luxembourg after long fights in national courts by Digital Ireland, some citizens of Austria supporting the activist group AKVorrat and the regional government of Carinthia.

Villalón dessicated the 2006 directive which has over the years busied the constitutional courts in many countries. The controversial directive made retention of communication traffic and location data of a mininum of six months and up to two years mandatory in the EU. But while anti-terrorism has been stated as the original motive, the data stored by internet service and telephony providers finally was used in many countries to prosecute even copyright or slander cases.

The EU legislator could just not, the General Advocate reminds him, adopt legislation including “serious interference with the fundamental rights of citizens of the Union“ and “entirely leave to Member States the task of defining the guarantees capable of justifying that interference.“

Instead of leaving it to the member states, the EU legislator should have foreseen limitations about who will get access and what he can do with the data. The fact that judges in several of the 27 member states have brought about some amendments to make the directive more EU law compatible, would not absolve the European legislator, Villalón states.

The opinion also makes crystal clear that the collection of communication traffic and location data is not “just metadata,” but a very serious interference with the fundamental rights to privacy and data protection enshrined in the European Convention on Human Rights (ECHR, PDF). “The collection of such data establishes the conditions for surveillance which, although carried out only retrospectively when the data are used, none the less constitutes a permanent threat throughout the data retention period to the right of citizens of the Union to confidentiality in their private lives. The vague feeling of surveillance created raises very acutely the question of the data retention period.“

The data was moreover “not personal data in the traditional sense of the term, relating to specific information concerning the identity of individuals, but ‘special’ personal data, the use of which may make it possible to create a both faithful and exhaustive map of a large portion of a person’s conduct strictly forming part of his private life, or even a complete and accurate picture of his private identity.” And the data could “be used for unlawful purposes which are potentially detrimental to privacy or, more broadly, fraudulent or even malicious.”

Back to the drawing board

The directive finally violates the principle of proportionality, the opinion states, as it requires that data should be retained for a period of up to two years and that there might be lapses once data is transferred. An “accumulation of data at indeterminate locations in cyberspace such as the accumulation at issue, which always concerns actual and particular persons, tends, whatever its duration, to be perceived as an anomaly,“ the Advocate warns. It “should never exist,” he pleads, and “where it does, [it] should exist only having regard to other requirements of society.“

Finally, Villalón establishes moreover that even after acknowledging data retention as a legitimate measure it still had to be “ascertained whether it is necessary and, specifically, whether a measure less disruptive (like quick freeze, the editor) to the enjoyment of the fundamental rights at issue would allow the objective pursued to be attained.“ The Advocate General for example declares that a retention period for personal data “‘which is measured in months’ is to be clearly distinguished from a period ‘which is measured in years’,” given that the shorter period would fall within “what is perceived as present life and the second to that falling within life perceived as memory. The interference with the right to privacy is, from that perspective, different in each case and the necessity of both types of interference must be capable of being justified.”

Is a fundamental rights-proof variant of data retention possible?

Despite the harsh criticism towards the EU legislator and a clear recommendation that the directive be ruled unconstitutional, the Advocate General proposes that it should not be stopped immediately, but should be kept in place while the necessary legislative review is undertaken. In his view, guarantees and limitations (on access, use and storage time) have to be included, and issues like the potential storage of the data outside of member states jurisdictions where data could be abused – potentially a hint to this year’s spy affair – have to be addressed to make the legislation constitutional.

The judges at the ECJ certainly could go further and stop data retention with the judgement that will be delivered next year, Tangens says. The idea, for example in Germany, that the new government could just point to the safeguards proposed by the German Constitutional Courts and create and implement a fundamental-rights-compliant  data retention, is a fallacy, she says.

“The German judges also have said that a total surveillance account has to be calculated when considering the conformity with fundamental rights of any measure. The total surveillance account nowadays looks awful,” she says, pointing to the Snowden revelations. Moreover coming up with solutions that would be constitutional would be very difficult to impossible given the current events, she thinks.

To make this clear in a potential review process, means more work for the civil society groups and data protection community. “We can not just leave it all to the judges,” she says.