EU Quietly Ramps Up Preparations To Re-introduce Blanket Data Retention After Top Court Threw It Out In 2014

from the let's-protect-article-13-while-we-are-at-it dept

One of the biggest wins for the general public in recent years was when the Court of Justice of the EU (CJEU), the region's highest court, ruled in 2014 that the 2006 Data Retention Directive was "invalid". That naturally didn't go down too well with many of the governments in the EU, who were keen to keep it for surveillance of their populations. Almost immediately, the European Commission began to "examine the best options for the way forward as regards the retention of telecommunications data", as Erich Möchel reported in 2015. More recently, Statewatch published a draft of an internal document from the Council of the EU (pdf), outlining the EU's plans to re-instate obligatory data retention, while an updated version was obtained and released by (pdf). The differences between the two versions give a hint of how the EU might try to play this. The earlier one says:

The rulings of the European Court of Justice in the cases Digital Rights Ireland and Tele 2, which set out the criteria for the lawful retention of data and access thereof are of fundamental importance in this context. It should also be noted that it has been argued that the findings of the Court in those cases apply only to traffic and location data, and not to subscriber data.

In the second version, the Council of the EU is much more assertive:

The rulings of the European Court of Justice in the cases Digital Rights Ireland and Tele 2, which set out the criteria for the lawful retention of data and access thereof are of fundamental importance in this context. In this context, Member States expressed their view that the findings of the European Court of Justice in Digital Rights Ireland and Tele 2 do not apply to subscriber data, but only to traffic and location data.

So maybe the line will be that the big 2014 defeat in the courts only applied to "traffic and location data", not to subscriber data. The hope seems to be that new legislation might specify that only data about the latter should be retained, thus avoiding the EU court's restriction.

The document also provides important information about another key piece of proposed EU legislation. The e-Privacy Regulation is designed to complement the General Data Protection Regulation. Where the latter essentially protects personal data at rest -- in databases, for example -- the e-Privacy Regulation will restrict how personal data can be transferred. Even though it is close to completion, the e-Privacy Regulation has essentially been put on the back burner, with no prospect of it being passed soon. Thanks to the latest document leak, now we know at least one reason why:

Legislative reforms at national or European level, including the new e-Privacy Regulation, should maintain the legal possibility for schemes for retention of data at EU and national level that take into account future developments and that are compliant with the requirements set out by the European Court of Justice.

This exposes a fear on the part of the EU politicians that the e-Privacy Regulation might place new obstacles in the way of a re-vamped Data Retention Directive. The comment above is a reflection of the fact that the e-Privacy Regulation will only be set on the path to final approval if it allows governments to collect and store personal data as they wish.

Finally, Erich Möchel's analysis of the latest version of the document from the Council of the EU notes a troubling possibility. While the EU is smoothing the way for data retention to return, it might get rid of another pesky directive that tries to limit surveillance of online users. Article 15 of the EU's e-Commerce Directive, passed in 2000, says:

Member States shall not impose a general obligation on providers ... to monitor the information which they transmit or store, nor a general obligation actively to seek facts or circumstances indicating illegal activity.

Techdirt pointed out recently that Article 13 (now renumbered as Article 17) of the EU's Copyright Directive imposes exactly this kind of general obligation. It is therefore quite possible that the CJEU could rule that Article 13/17 of the Copyright Directive is invalid, just as it did for general data retention. Möchel suggests that as the EU tries to bring back data retention, it might also take the opportunity to get rid of that ban on general monitoring to head off any legal challenges to Article 13/17 as well.

Follow me @glynmoody on Twitter, Diaspora, or Mastodon.

Filed Under: cjeu, data privacy, data protection, data retention, data retention directive, eu, general monitoring, privacy, surveillance

Reader Comments


  1. That One Guy, 10 May 2019 @ 4:02am

    'Spying on your users is bad... now do LOTS more of it.'

    EU politicians, supporting the GDPR: Companies tracking/collecting/having customer data and activity is bad, more stringent rules need to be put in place to force transparency with hefty penalties in place for failure to do so.

    Also EU politicians, supporting Data Retention and Article 17: Companies should not only track user activity extensively, they should be required to do so, whether overtly or as the only real way to comply with a law even if we didn't specifically tell them they had to (well, before it was passed anyway...)
