EU Legal Study: All EU Data Retention Laws May be Dodgy

Back in April last year, I reported on a hugely important judgment handed down from Europe's highest court, the Court of Justice of the European Union, which declared the entire Data Retention Direction invalid. That was because the court found that the Directive was a "particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data, without that interference being limited to what is strictly necessary."

Given the uncompromising nature of that verdict, the European Parliament's Civil Liberties Committee naturally wanted to know what its impact would be on national laws that implement data retention, and for existing international data retention agreements operating in the EU. These include the Passenger Names Records agreements (PNR), which allows countries to swap detailed information about passengers and the flights they take, and the Terrorist Finance Tracking Programme (TFTP), which is supposedly about tracking the flow of funds terrorists.

The Committee therefore requested an opinion from the European Parliament's Legal Services department. The digital rights organisation Access has obtained a leaked copy of this, and provided a useful summary of what it says:

the European Parliament legal services indicates that these agreements [involving the retention of personal data], while controversial, are still valid as they benefit from "presumption of legality". However, the report then adds “That said, the ‘presumption’ of legality of EU acts can also be rebutted and so it cannot be excluded, at this stage, that any other EU act could suffer the same fate as the data retention Directive”. Therefore, all existing agreements currently in place remains valid, however, citizens can request the Commission to look into the validity of these agreements, or they can choose to take legal action to test their validity. In a similar situation, the European Parliament decided last December to send the EU-Canada PNR agreement, currently being reviewed, in front of the CJEU to check its compliance with the EU Charter.

That green light for taking legal action to test validity is almost certain to lead to a string of such challenges to international agreements such as PNR and TFTP. But there are also implications for future EU laws:

every time EU institutions consider developing legislative acts putting in place requirement for the “storage of the data of a very large number of unsuspected persons and access to and use of such data by law enforcement authorities”, the legislators will need to strictly apply the principles of proportionality and necessity and must ensure that the proposed measures are in line with the EU Charter. The report adds that “great care must therefore be taken in such cases to ensure full respect, at all stage of the legislative procedure, for the Charter.”

Moreover, that need for "great care" is likely to have huge implications for the UK's data retention laws:

member states must ensure that their national laws on data retention comply with the EU Charter of Fundamental Rights and fulfill the requirements laid down in the E-privacy Directive regarding the principles of proportionality and necessity. And perhaps, most importantly, the report then adds that all the criteria set out by the Court in its ruling on the need for safeguards, proportionality and the “existence of clear and precise rules” must be included in these national laws. As a result all existing national acts on data retention should be examined on a case-by-case basis to check their compliance with those criteria. It is already clear that laws in place in several EU countries - such as France or the UK, which recently expanded its surveillance powers - would have difficulty passing that test.

It's too early to tell how all this will play out but one thing is clear: the data retention landscape has been massively changed by the Court of Justice verdict,  which has opened up many new avenues for challenges to disproportionate data retention laws - not least in the UK, which has some of the worst (as usual).

On a related note, I'd like to mention that there is a UK consultation on establishing a UK Privacy and Civil Liberties Board. Rather richly, given the current state of surveillance in this country, the consultation's home page states:

We must ensure that we strike the right balance between safeguarding our national security and ensuring that privacy and civil liberties are not unjustly compromised.

Too right; what a pity we are nowhere near achieving that. It continues:

Consideration is being given here to the oversight mechanism for counter-terrorism legislation and the related powers linked to the prevention and suppression of terrorism. This consultation seeks views on a measure within the Counter-Terrorism and Security Bill which will enable the Home Secretary to create a Privacy and Civil Liberties Board to support the Independent Reviewer of Terrorism Legislation.

The consultation invites comments on a number of details (such as membership of the board) that will be set out in the regulations.

The consultation closes on 30 January 2015. To be honest, I don't think the new Privacy and Civil Liberties Board will be given any meaningful powers, or will make that much difference. It's little more an exercise in window dressing so that the UK government can claim it is "striking the right balance" - such a terribly misguided phrase and idea. Still, if you have a moment, it wouldn't hurt to pass on your thoughts in this area.  It can be done using an online survey, which makes the whole process relatively quick and painless.

Follow me @glynmoody on Twitter or, and +glynmoody on Google+


Copyright © 2015 IDG Communications, Inc.

8 highly useful Slack bots for teams
Shop Tech Products at Amazon