European Parliament Study Likely To Boost Legal Challenges To Blanket Data Retention In Europe

from the principles-of-proportionality-and-necessity dept

Back in April last year, we wrote about a surprising and hugely important ruling by Europe's top court that the framework for data retention in Europe -- the Data Retention Directive -- was "invalid". That was largely because it allowed data retention on a scale that was disproportionate. But an interesting question that arises from that decision is: if the Directive itself is invalid, where does that leave all the EU agreements and laws that require data to be retained? What exactly is their legal status now that the Directive has been struck down? Are they invalid too?

A few months ago, we reported on the leak of a document from a closed meeting of EU Justice and Home Affairs ministers, which suggested that "general and blanket data retention" is no longer possible in the EU, because of the top court's ruling. Independently of that legal opinion, one of the key EU committees -- that dealing with civil liberties -- asked the European Parliament's internal Legal Services for a formal study on the question. That report has now been completed (pdf), and the digital rights organisation Access has obtained a copy. It has also put together an accessible post explaining the key points:

the European Parliament legal services indicates that these agreements [involving data retention], while controversial, are still valid as they benefit from "presumption of legality". However, the report then adds "That said, the 'presumption' of legality of EU acts can also be rebutted and so it cannot be excluded, at this stage, that any other EU act could suffer the same fate as the data retention Directive". Therefore, all existing agreements currently in place remains valid, however, citizens can request the Commission to look into the validity of these agreements, or they can choose to take legal action to test their validity.
In other words, it is the view of the European Parliament's Legal Services that citizens can challenge any EU agreement or law involving data retention so that its validity is examined in the light of the court's ruling. There are two main classes affected.

The first is agreements that the EU has made with other nations. These include the Passenger Name Records agreements (PNR) and the Terrorist Finance Tracking Programme (TFTP). The former allows details of EU air passengers to be passed to other countries (notably the US), while the TFTP allows financial information to be shared (again, mostly with the US.) Successful legal challenges to these would cause huge problems for EU-US co-operation in the realms of counter-terrorism and beyond.

The second class potentially affected by the latest opinion is the national laws passed by EU Member States to implement the Data Retention Directive. It is the EU Legal Service's view that these national laws are also covered by the European court's decision, and that they too may be invalid if disproportionate. As Access explains:

Concerning member states' existing legislation on data retention, the EP legal services clarifies that, while the ruling does not outlaw these national laws, it does created a "twofold effect". First, since member states are no longer obliged by law to retain communication data, they can then decide to repeal their related laws -- as several countries such as Austria or Romania have done since the ruling. Second, if member states were to decide to keep measures for the retention of communication data, such rules would fall under EU legislation from 2002, the so-called E-privacy Directive.

Therefore, member states must ensure that their national laws on data retention comply with the EU Charter of Fundamental Rights and fulfill the requirements laid down in the E-privacy Directive regarding the principles of proportionality and necessity. And perhaps, most importantly, the report then adds that all the criteria set out by the Court in its ruling on the need for safeguards, proportionality and the "existence of clear and precise rules" must be included in these national laws. As a result all existing national acts on data retention should be examined on a case-by-case basis to check their compliance with those criteria.
As Access goes on to point out, it seems extremely unlikely the UK's new Data Retention and Investigatory Powers Act (DRIP), rushed through as result of the European court's ruling, would be in compliance. The latest study from the European Parliament's Legal Services is therefore likely to encourage digital rights organizations to add yet another challenge to DRIP, making it even more likely that it, too, will be struck down for being disproportionate, just as the Data Retention Directive was.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    Anonymous Coward, 9 Jan 2015 @ 1:22am

    Good way to start this Year. Now I will watch it, as usual...

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 9 Jan 2015 @ 3:22am

    or, as it tends to do now, the UK can ignore whatever any court says and just do what it feels like, just to remain 'best buddies' with Obama and his bunch of totally rogue agencies! when it was deemed illegal to force ISPs to retain customer information, the UK ignored it and made those (main) ISPs carry on. when it was deemed illegal to implement website blocking, the UK ignored it and carried on using, in true entertainment industries backing ways, the 'protect the children' from porn and being groomed to take part in porn as the reason, rather than having the balls to admit the real reason or even have any discussion, Cameron started the UK on the censorship road, putting the UK in the same category as Iran and N.Korea! not bad for someone who recently said that the UK would never give up the 'freedom of speech'. he forgot to add on the end the part of 'provided i and Obama agree with it!! fucking prick!!

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 9 Jan 2015 @ 8:30pm

    "...as several countries such as Austria or Romania have done since the ruling."

    Too bad none of the articles, list which of the several countries repealed the Data Retention Directive. I'm guessing Netherlands is one of them, because StartPage.com is headquartered there and claims to keep no IP or search record logs. Knowing the other four countries would be nice. So that I could choose to use VPNs in those countries.

    You definitely don't want to use a VPN in the UK or France. Those countries expanded their Data Retention Directive for maximum surveillance effect.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 12 Jan 2015 @ 2:32am

      Re:

      It's also worth noting that Romania's law was repealed because the country's own Constitutional Court found it unconstitutional, making it effectively unenforceable. The parliament is now hurriedly trying to pass another one in the wake of last week's attacks in Paris.

      reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Techdirt Gear
Show Now: Takedown
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.