There has been plenty of technology-related legal activity in the European Union this month. Last week the Court of Justice of the EU (CJEU) ruled that data retention regulations, as they currently stand, are not in accordance with EU law, and the week before the European Parliament voted in favour of introducing net neutrality into EU telecoms regulation.
As Australia is currently in the midst of a data retention inquiry – the second in three years – what effects will this ruling have on the debate?
What is the data retention directive?
The particular law at issue is the data retention directive from 2006.
The directive applies to data generated by users of electronic communications services and networks, and stipulates that the operators of these services and networks must keep this data on all users for a period of time between six months and two years.
The kind of data that should be kept includes telephone numbers, account holders’ and recipients’ names and addresses, IP addresses, and location data, but not information about the content of the communications.
The purpose of these rules is to ensure that this information is available for “the investigation, detection and prosecution of serious crime”.
What did the CJEU decide?
For some time there has been concern that the data retention directive was too intrusive of law-abiding European citizens’ privacy.
This resulted in privacy campaigners in Austria and Digital Rights Ireland mounting a challenge to the measures. They argued that the rules were disproportionate and unnecessary to achieve the aim of ensuring data was available for the purposes of fighting serious crime.
They also argued that the rules were incompatible with the rights to privacy, data protection and free expression contained in the EU’s Charter of Fundamental Rights.
The CJEU found that, although the retention of data “genuinely satisfies an objective of general interest” (the fight against crime), the data protection rules went beyond what was strictly necessary to achieve this goal.
In practice, the rules entailed an “interference with the fundamental rights of practically the entire European population”, with the vast majority of those people not being “even indirectly in a situation which is liable to give rise to criminal prosecutions”.
The CJEU also condemned the lack of limits on national authorities’ access to this data and their subsequent use of it. For instance, access to and use of the data was not restricted to the purpose of fighting serious crime.
Also of concern to the CJEU was the weakness of security measures around the data, and the fact there was no requirement to retain this data within the EU.
It’s unclear what exactly is going to happen now since the CJEU declared the data retention rules invalid. Different European countries have had different reactions to the CJEU’s decision.
A Finnish government minister responded by saying that Finland must revise its laws on data protection and retention, but it seems that the legislation implementing the data retention directive in Luxembourg will still apply and bind telecoms operators.
Furthermore, the day after the CJEU’s decision, the Romanian government issued a new draft law that would increase surveillance of its citizens.
What’s going on in Australia?
The decision comes at an important point in the data retention debate in Australia. We are currently in the midst of the second inquiry within three years from two successive Commonwealth governments.
In 2012 the Labor government’s inquiry into potential reforms of National Security Legislation received 240 submissions and 29 exhibits.
Many responses pointed to a significant shortcoming in the 2012 discussion paper’s vague proposal for up to two years of mandatory data retention by internet service providers.
Despite the prominence of the need for mandatory data retention in pro-surveillance arguments, the discussion paper’s proposal for data retention managed to be both so short and so broad as to allow egregious overreach. The proposal was:
“tailored data retention periods for up to 2 years for parts of a data set, with specific timeframes taking into account agency priorities, and privacy and cost impacts.”
The accompanying definition of data retention was equally vague: “The storage of telecommunications data for prescribed periods of time.”
No further information was supplied.
The 2012 inquiry resulted in a May 2013 report of the inquiry into Potential Reforms of Australia’s National Security Legislation, but no actual reforms were carried out due to the proximity of the looming 2013 election.
In this climate of increasing disquiet over surveillance overreach, the Coalition government initiated another inquiry into the comprehensive revision of the Telecommunications (Interception and Access) Act 1979.
This current inquiry asks for responses to the May 2013 Report and the recommendations of the Australian Law Reform Commission’s For Your Information: Australian Privacy Law and Practice report.
The May 2013 report contains an entire chapter on data retention. While it notes the public backlash against data retention, and recommends oversight mechanisms and an exposure draft of any legislation, it nevertheless treats data retention as a critical part of Australian security policy.
At its core, the report perpetuates distinctions between “metadata” and “content” that many civil liberties groups argue are increasingly impoverished in the age of “pattern-of-life” searches.
Implications for Australia
The May 2013 report spent quite some time discussing the European experience of data retention. The Attorney-General put forward the same data retention directive that the CJEU has just declared invalid as an appropriate model for Australia.
The May 2013 report notes that a voluntary scheme was implemented in the UK while controversies occurred in countries with “human rights frameworks that are significantly different to those in Australia”.
Australia tends to follow rather than lead in security issues, and tends to try to follow traditional allies and those with whom it believes it has most in common.
If the UK decides to include more accountability in its data retention implementation as a result of the CJEU ruling, this might bode well for Australian civil liberties – but given the fragmented response so far from European countries, arguably the time to look for models is over. It is time for Australians to take their own rights seriously.