Sections

Services

Information

UK United Kingdom

Data retention means you are on the record, like it or not

Next month the advocate general of the Court of Justice of the EU (CJEU), Yves Bot, will publish an opinion on the extent to which the Data Retention Directive, one of the most controversial security measures…

It may not be your choice. Mixy Lorenzo

Next month the advocate general of the Court of Justice of the EU (CJEU), Yves Bot, will publish an opinion on the extent to which the Data Retention Directive, one of the most controversial security measures introduced by the EU in the past decade, is compatible with human rights law. Although not a binding judgement (this will come later), the CJEU’s opinion is a significant intervention in the ongoing debate over how to balance human rights with states' perceived surveillance needs.

The security-related retention of communications by telecoms firms was on the European agenda well before 9/11, but privacy concerns had led to a limited approach. Telecoms companies in the EU were obliged to delete communications data as soon as all business needs had been met; the data could not be retained for security or criminal investigation purposes. Some states had attempted to adjust this and introduce a retention system in 2000, but this failed - again, largely because of privacy concerns. All this changed, however, after 9/11.

As early as May 2002, a “data retention amendment” had been made to existing EU privacy laws to allow for security-related data retention, and drafts of a provision that would require retention began to circulate. Those proposals attracted so much rights-based criticism that they were apparently abandoned; however, they quickly reappeared in the wake of the London and Madrid bombings, and in 2006, the Data Retention Directive was adopted.

Opinion: Yves Bot Court of Justice

It obliges all member states to introduce national data retention regimes, even where -— as in the UK —- there had already been significant resistance to such regimes when they were previously proposed at national level. The directive requires telecommunications providers to retain data on the source, destination, time, date, duration and type of all communications by fixed and mobile telephone, fax and internet, and on the location and type of equipment used.

The data is to be retained for between six month and two years, with national law deciding on the duration, and can be accessed by state agencies investigating “serious crime” —- a term that has different definitions across the member states.

Blanket surveillance

The volume and extent of information retained under the directive is stunning; in effect, it has introduced a system of blanket surveillance across the entire EU. Although access to the information is regulated by law, state agencies can nonetheless access an enormous amount of information about our communications patterns and activities. This naturally raises serious human rights concerns, especially about privacy.

Security services insist that data retention is an indispensable tool for investigating serious crimes, such as terrorism and the production and distribution of child pornography. Yet different states make use of the Directive to wildly varying extents: in 2012, for example, Cyprus made 22 requests for access to data, while the UK made 725,467.

The question for the advocate general, the CJEU and the EU more broadly is whether or not the approach taken by the directive privileges perceived security needs over human rights. Data retention unquestionably constitutes a prima facie infringement on privacy; the real issue is whether this infringement is justified because it is necessary, effective, and limited. This question is at the core of all debates about “balance” in the security context: how far are we prepared to allow state power into our individual, family, social and democratic lives in order to “secure” us?

Answering this question requires us to decide on what we think “effectiveness” means in the context of security. If the directive helps to resolve a handful of serious crimes per year, or to prevent one terrorist attack, is it effective? Could a more limited approach -— such as requiring telecoms companies to collect data related to certain investigations but not to retain all data -— achieve the same security objectives while better protecting rights?

These are difficult questions, but they are ones we must resolve if we are to have a balanced security system. The advocate general’s opinion will be an important contribution to the debate, but it will not be the final word. Achieving a balanced approach to security requires critical scrutiny at practical, political, social and legal levels. This is all the more true given that, as the Data Retention Directive illustrates, security measures operate upon and have implications for the rights of all of us, all of the time.

Join the conversation

4 Comments sorted by

  1. Rog Tallbloke

    logged in via Twitter

    If the state can afford to operate mass surveillance through the internet without a public mandate. It can afford to set up an online democracy system so we can vote to abolish it.

    report
  2. Gerhard Lohmann-Bond

    logged in via email @live.de

    The real issue is not whether this infringement is justified because it is necessary, effective, and limited, but rather whether we can afford to trust states to refrain from abusing the powers. The number of requests for data made by the British authorities suggests an all-out fishing expedition which may be against the spirit of the law, but nevertheless happened and was unstoppable under the circumstances. This then raises the question in whose interests (perceived and otherwise) the British state was acting. It would not be the first time that a state has begun to dismantle civil liberties and human rights in pursuit of security.

    report
  3. Fiona de Londras

    Professor of Law and Co-Director of Durham Human Rights Centre at Durham University

    Just to note: it has now been announced that the opinion is delayed to mid-December

    report
    1. Rog Tallbloke

      logged in via Twitter

      In reply to Fiona de Londras

      Colour me unsurprised. They are hoping it'll be lost in the Christmas buildup. Just like the MET Office's revised 5 year forecast showing no global warming last year.

      report