Next month the advocate general of the Court of Justice of the EU (CJEU), Yves Bot, will publish an opinion on the extent to which the Data Retention Directive, one of the most controversial security measures introduced by the EU in the past decade, is compatible with human rights law. Although not a binding judgement (this will come later), the CJEU’s opinion is a significant intervention in the ongoing debate over how to balance human rights with states' perceived surveillance needs.
The security-related retention of communications by telecoms firms was on the European agenda well before 9/11, but privacy concerns had led to a limited approach. Telecoms companies in the EU were obliged to delete communications data as soon as all business needs had been met; the data could not be retained for security or criminal investigation purposes. Some states had attempted to adjust this and introduce a retention system in 2000, but this failed - again, largely because of privacy concerns. All this changed, however, after 9/11.
As early as May 2002, a “data retention amendment” had been made to existing EU privacy laws to allow for security-related data retention, and drafts of a provision that would require retention began to circulate. Those proposals attracted so much rights-based criticism that they were apparently abandoned; however, they quickly reappeared in the wake of the London and Madrid bombings, and in 2006, the Data Retention Directive was adopted.
It obliges all member states to introduce national data retention regimes, even where -— as in the UK —- there had already been significant resistance to such regimes when they were previously proposed at national level. The directive requires telecommunications providers to retain data on the source, destination, time, date, duration and type of all communications by fixed and mobile telephone, fax and internet, and on the location and type of equipment used.
The data is to be retained for between six month and two years, with national law deciding on the duration, and can be accessed by state agencies investigating “serious crime” —- a term that has different definitions across the member states.
The volume and extent of information retained under the directive is stunning; in effect, it has introduced a system of blanket surveillance across the entire EU. Although access to the information is regulated by law, state agencies can nonetheless access an enormous amount of information about our communications patterns and activities. This naturally raises serious human rights concerns, especially about privacy.
Security services insist that data retention is an indispensable tool for investigating serious crimes, such as terrorism and the production and distribution of child pornography. Yet different states make use of the Directive to wildly varying extents: in 2012, for example, Cyprus made 22 requests for access to data, while the UK made 725,467.
The question for the advocate general, the CJEU and the EU more broadly is whether or not the approach taken by the directive privileges perceived security needs over human rights. Data retention unquestionably constitutes a prima facie infringement on privacy; the real issue is whether this infringement is justified because it is necessary, effective, and limited. This question is at the core of all debates about “balance” in the security context: how far are we prepared to allow state power into our individual, family, social and democratic lives in order to “secure” us?
Answering this question requires us to decide on what we think “effectiveness” means in the context of security. If the directive helps to resolve a handful of serious crimes per year, or to prevent one terrorist attack, is it effective? Could a more limited approach -— such as requiring telecoms companies to collect data related to certain investigations but not to retain all data -— achieve the same security objectives while better protecting rights?
These are difficult questions, but they are ones we must resolve if we are to have a balanced security system. The advocate general’s opinion will be an important contribution to the debate, but it will not be the final word. Achieving a balanced approach to security requires critical scrutiny at practical, political, social and legal levels. This is all the more true given that, as the Data Retention Directive illustrates, security measures operate upon and have implications for the rights of all of us, all of the time.