How we fought and beat governments unlawfully storing our data
PI and our global partners have been at the forefront of challenging communications data retention for over a decade.
Communications data, also known as metadata, tells the story about your data and answers the who, when, what, and how of a specific communication and activity. Companies are supposed to delete this data when it is no longer necessary, because it can be highly revelatory about people, their habits, thoughts, health and personal relationships. Governments worldwide seek to oblige companies to retain this communications data so that they can get access at some point in the future.
In a context where the gathering and exploitation of data by private companies becomes increasingly privacy intrusive and widespread, data retention poses risks to individual privacy and data security. The data opens the door for governments and third parties to make intimate inferences about individuals, and to engage in profiling.
Many of the laws introduced by governments demand indiscriminate and mass retention of data, beyond what is admissible under applicable international human rights standards. In turn, these laws result in the indiscriminate creation of vast dossiers of information on everyone’s activities, including location data and communications with friends, families and work colleagues. There are alternative methods of surveillance that are less disproportionate, for example, requiring a court order to allow operators to retain data related to a specific individual suspected of criminal activity.
What we did
Privacy International has been at the forefront of challenging data retention. We have been tracking the spread of these laws, raising awareness about the risks of metadata surveillance, and campaigning against their adoption.
Given its international influence, and the fact that the US has to date refrained from placing data retention obligations on communications service providers, much of the battleground on data retention has been in Europe. By the early 2000s, some EU member states had enacted national data retention laws, and were pushing for mandatory data retention regulations across the entirety of the EU.
In 2003, a draft Framework Decision on data retention under discussion by EU Justice and Home Affairs Ministers sought to oblige Member States to require communications providers to retain data for up to two years. In response, PI published a legal memorandum reviewing the proposal, critically analysing existing retention laws in Member States, and arguing that these retention policies were not in accordance with law, were not necessary in a democratic society, and therefore violated the right to privacy as protected by the European Convention on Human Rights.
We built coalitions, drafted joint letters, and repeatedly gave evidence at various Parliaments. For a while we were successful in pushing back against repeated attempts to create a legal regime across Europe. Following the terrorist attacks in London in July 2005, the European Parliament, under the UK Presidency of the EC, decided to approve the Data Retention Directive.
That directive was immediately challenged at the European Court of Justice by Digital Rights Ireland, an Irish-based NGO and PI partner within European Digital Rights (EDRi). In 2014, the court ruled in favour of Digital Rights Ireland, finding that the directive “entails an interference with the fundamental rights of practically the entire European population.”
Despite the decision, however, some EU member states continued to mandate data retention provisions, with the UK parliament rushing through the Data Retention and Investigatory Powers Act (DRIPA), to intense criticism from legal and technical experts. As a result, DRIPA was challenged in court through judicial review by two Members of the UK Parliament, Tom Watson and David Davis. Intervening in the UK High Court, we argued that data retention was in itself unlawful, and reform couldn't be limited to just creating a system of safeguards required around government access to retained data. The case was referred all the way up to the Court of Justice of the EU (CJEU), whose job it is to rule on the application of EU law across the Union.
Courts have recognised that blanket data retention obligations represent a violation of the right to privacy and data protection law.
In December 2016, the European Court of Justice reaffirmed the 2014 ruling against data retention and expanded upon it, ruling that “general and indiscriminate retention” of data was in fact prohibited, that retention and any access to the data must be strictly necessary for the purpose of fighting serious crime, and that access to the retained data by the Government must be subject to prior review by a court or independent authority.
The decision has far-reaching implications. While the judgment was not specific about other surveillance powers, it also implicated other surveillance laws, such as those contained within the UK’s Investigatory Powers Act. The judgment raised significant questions about whether vast swathes of the new laws should now be repealed.
Governments play a long game. This was a 17-year battle. We thought we had achieved victory after victory, only for our victories to be undermined by governments. If we were winning at the national level, governments would seize on terrorist attacks. If we pushed back successfully, they would move forums.
Even if you win in court, governments may choose to ignore the decision. While European telecommunications companies such as Telia announced that they stopped retaining specific data, it remained unclear how different EU member states interpreted or acted upon the Court's decisions.
In 2017 we ran a survey of 21 EU member states' data retention practices in consultation with industry and other NGOs, assessing their legislation and jurisprudence with regard to data retention. We found that while some countries, such as the Netherlands and Slovakia, had repealed national legislation on retention, no country surveyed was in compliance with the 2016 European Court ruling, and in many states their legislation is not even in compliance with the 2014 ruling in favour of Digital Rights Ireland against the Data Retention Directive.
What we are doing now
The fight against unlawful data retention is one of the most long-running and important privacy issues in the modern era, involving stakeholders from across government, the courts, industry, and civil society. Above all, it shows how collaborative and coordinated campaigning can achieve results for the protection of privacy on a highly contentious and murky issue.
Now the challenge becomes about ensuring respect for the rule of law in an era when human rights legislation is coming under increasing attack. To challenge this, it is essential to continue to research and expose data retention practices, to raise awareness about the fundamental threat they pose for everyone’s freedom and security, and to challenge them through the courts and in parliaments. Ultimately, it is only through public attention and pressure that this crucial right will be protected and respected. As we move into a world where our data affects every aspect of our lives and will increasingly do so in ways we don’t yet know, this fight is more crucial than ever.
We are now working to ensure that countries reform their legislation and come into compliance with Court rulings. We are pushing for states to review and amend their legislation to comply with European standards, including the CJEU jurisprudence; for telecommunications and other companies subject to data retention obligations to challenge existing data retention legislation which is not compliant with European standards; and for the European Commission to provide guidance on reviewing national data retention laws to ensure their conformity with fundamental rights.
In the UK, following the 2016 judgement, the case has been remitted back to the UK Court of Appeal. A hearing has not yet taken place. The government stated that “...in light of the CJEU judgment, and in order to bring an end to the litigation, the Government have accepted to the Court of Appeal that the (DRIPA) was inconsistent with EU law in two areas.” However, until a hearing takes place, the details of what the Government is prepared to accept, the response to this from the Claimants, and ultimately what results from the CJEU’s ruling are unknown. We will be working hard to ensure that the rule of law is respected, and that the Government act upon the Court’s judgements.