A document leaked by Access on Wednesday evening shows that the European Parliament has decided that EU member states do not have any obligation to retain citizen data. The Parliament made the distinction between Union and State legality regarding the April decision by the EU Court of Justice declaring the EU Data Retention Directive invalid.
The controversial EU Data Retention Directive states that all ISPs and telecommunications service providers operating in Europe are required by law to collect and retain incoming and outgoing phone numbers, IP addresses, location data, and other telecom and Internet traffic data. The data is required to be stored for six months to two years.
The advocacy group Digital Rights Ireland (DRI) challenged the Data Retention Directive in court. The Irish High Court requested the EU Court of Justice examine the directive in light of two rights as granted by the Charter of Fundamental Rights of the EU: respect for private life and protection of personal data.
In April, the EU Court ruled that the directive was invalid. A document released in June offers the history and legal cases involving the directive since it’s institution in 2006. The EU began a process to reform the laws in 2012 and it appears that this process may finally be complete this year. “I am now optimistic that the EU data protection reform process will be finished in 2015,” said Andrea Vosshoff, Germany’s Federal Data Protection Commissioner, introducing a panel discussion on Nov. 5, 2014.
The 2014 EU Court of Justice decision on the right to be forgotten will likely play a role in the upcoming data protection and privacy law reform.
The DRI decision prompted the Civil Liberties Committee of the European Parliament (LIBE) to request Legal Services to give an opinion to examine the impact on national laws regarding data retention, such as the Data Retention Directive as well as other international agreements based on data retention.
Following the EU Court ruling, member states began instituting their own data retention laws, varying in how much or how little they protect the right to privacy and data protection. For example, the UK passed the “emergency” DRIP in July giving law enforcement access to internet and phone records. It also proposed IP-based identification of users in November. While all of the UK legislation is positioned as necessary to prevent terrorism, it is eroding the protection of the fundamental rights offered by the EU Charter.
According to the Register, “MEP Birgit Sippel said [regarding the report] if mass surveillance guaranteed safety, the US would be the safest place on Earth. However, her German colleague Alex Voss took a more middle ground approach, saying the level of surveillance should be proportional to the security threat.”
The conclusion of Legal Services regarding Union law was that the EU Court judgement only affects the Data Retention Directive so it doesn’t have any direct bearing on whether any other EU act is illegal and will need to be assessed on a case by case basis.
“All new and pending EU legislation proposals which concern the special context of ‘general programmes of surveillance’ – as envisaged in the case-law of the European Court of Human Rights – will be subject to the same ‘strict’ method of judicial review followed by the Court in the DRI judgment,” according to the document. The same considerations will also apply to international agreements with the EU regarding data retention.
The conclusion of Legal Services regarding state law is that because the DRI decision only affects the invalidity of the directive, it “does not directly affect the validity of national measures adopted to implement this Directive. Nevertheless, it may produce indirect effects on Member State’s laws.”
Perhaps one of the most important parts of the Legal Services report is regarding EU State’s obligation to comply with the Directive which has been in question since the April ruling. “Firstly, Member States no longer have any obligation, but an option, to retain data in the electronic communications sector. They may therefore repeal their national legislation in this field.” If states retain laws implemented to comply with the Directive, they will need to examine the extent to which the laws are under the scope of the charter and whether they are in compliance based on that measure.
While this is a win for those who believe data retention violates the right to privacy, it will likely make a logistical mess for the Member States and service providers. Lack of consistent data practices will be a challenge for companies operating across the EU who will possibly have to retain data based on customer address, something that many of them are not equipped to do.
Since the EU Parliament has been in the process of drafting new data protection legislation since 2012, it is likely they requested this report as a tool to guide the final new proposals expected this year.