How we fought and beat governments unlawfully storing our data

Updated on 23 August 2022

Impact Case Study

PI and our global partners have been at the forefront of challenging communications data retention for over a decade.

What is the problem

Communications data, also known as metadata, tells a story about your digital activity and answers the who, when, what, and how of a specific communication. While communications data doesn't include the contents of a message, all of the other information about the message can be very revealing about people, their habits, thoughts, health and personal relationships.
Because of its revealing nature, companies are supposed to delete this data when it is no longer necessary. And courts have declared that communications data can be as intrusive as message content.
Governments around the world seek to require companies to retain this communications data so that they can get access at some point in the future. Some governments, such as the United Kingdom, have even sought to have their intelligence agencies obtain communications data in bulk from companies.
In a context where the gathering and exploitation of data by private companies becomes increasingly privacy intrusive and widespread, data retention and collection pose risks to individual privacy and data security.
The data opens the door for governments and third parties to make intimate inferences about individuals, and to engage in profiling.

Why it is important

Many of the laws introduced by governments demand indiscriminate and mass retention or collection of data, beyond what is deemed necessary under international human rights standards.
In turn, these laws result in the creation of huge records containing information on everyone’s activities, including location data and communications with friends, family and work colleagues.
There are alternative methods of surveillance that are less intrusive, for example, getting a court order to require operators to retain data related to a specific individual suspected of criminal activity.
Instead, under mass retention, everyone has data retained on them, even if they're never suspected of wrongdoing.

What we did

Privacy International has been at the forefront of challenging data retention. We have been tracking the spread of these laws, raising awareness about the risks of communications data surveillance, and campaigning against their adoption.
Much of the battleground on data retention has been in Europe, not just because of its international influence, but also because the US has to date refrained from enacting laws that require US companies to retain communications data.
By the early 2000s, some EU member states had enacted national data retention laws, and were pushing for mandatory data retention regulations across the entirety of the EU.
We built coalitions, drafted joint letters, and repeatedly gave evidence at various Parliaments. For a while we were successful in pushing back against repeated attempts to create a legal data retention regime across Europe. Following the terrorist attacks in London in July 2005, the European Parliament, under the UK Presidency of the European Commission, decided to approve the Data Retention Directive - a directive which required communications providers to retain data for up to two years.
That directive was immediately challenged at the Court of Justice of the European Union (CJEU) by Digital Rights Ireland, an Irish-based organisation and PI partner within European Digital Rights (EDRi). In 2014, the court ruled in favour of Digital Rights Ireland, finding that the directive “entails an interference with the fundamental rights of practically the entire European population.”
Despite the decision, some EU member states continued to mandate data retention at the national level. The UK parliament rushed through the Data Retention and Investigatory Powers Act (DRIPA), to intense criticism from legal and technical experts.
As a result, DRIPA was challenged in court through judicial review by two Members of the UK Parliament. Intervening at the UK High Court, PI argued that mass data retention was in itself unlawful, and reform couldn't be limited to just creating a system of safeguards around government access to retained data.
The case was referred all the way up to the CJEU, whose job it is to rule on the application of EU law across the Union.

What we achieved

Blanket data retention obligations violate the right to privacy and data protection law.
In December 2016, the Court of Justice of the European Union reaffirmed the 2014 Digital Rights Ireland ruling against data retention and expanded upon it. It held that:

  • “general and indiscriminate retention” of data was in fact prohibited
  • retention and any access to the data must be strictly necessary for the purpose of fighting serious crime
  • access to retained data by the Government must be subject to prior review by a court or independent authority.

The decision has far-reaching implications. While the judgment was not specific about other surveillance powers, it also implicated other surveillance laws, such as the UK’s Investigatory Powers Act. The judgment raised significant questions about whether the new laws needed to be amended.
As a result, the UK Court of Appeal found DRIPA unlawful. The UK’s Investigatory Powers Act was also amended to better protect people's data through independent approval for access to communications data.
Despite the above-mentioned legal challenges, other EU countries continued to enforce their national-level data retention laws.
PI again found itself before the CJEU, intervening in challenges to French and Belgian data retention laws. In October 2020, the CJEU issued a judgment in both cases, as well as a related case brought by PI challenging the UK's bulk data collection practices. The CJEU ruled that mass data retention and collection practices for national security purposes undertaken by member states must comply with EU law, and therefore must be subjected to its privacy safeguards.

What we learned

Governments play a long game. This was a 17-year battle. We thought we had achieved victory after victory only for them to be undermined. Governments would find various reasons to avoid necessary legislative adjustments or even ignore courts' decisions.
While European telecommunications companies such as Telia announced that they stopped retaining specific data, it remained unclear how different EU member states interpreted or acted upon the Court's decisions.
In 2017 we ran a survey of 21 EU member states' data retention practices in consultation with industry and other organisations, assessing their legislation and jurisprudence with regard to data retention. We found that while some countries such as the Netherlands and Slovakia had repealed national legislation on retention, no country surveyed was in compliance with the 2016 CJEU ruling. On the contrary, in many states their legislation isn't even in compliance with the 2014 ruling in favour of Digital Rights Ireland against the Data Retention Directive. This is what led to subsequent cases, such as the French and Belgian challenges.
Overall, we learned that challenging practices such as mass data retention takes a lot of time and effort. Governments are still not ready to fully accept the human rights requirements being imposed on bulk data retention.

What we are going to do

The fight against unlawful data retention is one of the most long-running and important privacy issues in the modern era, involving stakeholders from across government, the courts, industry, and civil society.
Above all, it shows how collaborative and coordinated campaigning can achieve results for the protection of privacy on a highly contentious and murky issue.
Now the challenge becomes ensuring respect for the rule of law in an era when human rights legislation is coming under increasing attack. It is essential to continue to research and expose data retention practices, to raise awareness about the fundamental threat they pose for everyone’s freedom and security, and to challenge them through the courts and in parliaments. Ultimately, it is only through public attention and pressure that this right will be protected and respected.
As we move into a world where our data affects every aspect of our lives and will increasingly do so in ways we don’t yet know, this fight is more crucial than ever.
We continue to monitor the evolving data retention landscape in Europe, and around the world, as one of the main lessons we learned through this process is that implementing court victories requires continued vigilance.