Data retention and the devotees of mass surveillance

It is a stinker in terms of policy, and unconvincing in effect, but the wholesale, indiscriminate retention of telecommunications data continues to excite legislators and law enforcement. In the European Union, countries continue to debate and pursue such measures, despite legal challenges.

The EU General Data Protection Regulation (GDPR), passed in 2016, limits the ways personal data is collected in terms of legitimate purposes. The European Court of Justice has also made it clear that the mass retention of phone and location data violates the EU's Charter of Fundamental Human Rights.

Despite this, EU member states continue to subvert, by varying degrees, such protections. Fixated by notions of protecting society from the unsavoury and the criminal, lawmakers continue to flirt and court the mass surveillance properties inherent in such regulations.

A neatly grim example of this arose in July, when the Belgian parliament passed laws mandating the retention of user data by telecommunications and internet providers. This was a second run by the parliament, given the invalidation in April 2021 by the Belgian Constitutional Court of the previous data retention law. That particular statute permitted the storage of every Belgian's telecom, location and internet metadata for up to 12 months. Those behind the new law, such as the Minister of Justice Vincent Van Quickenborne, claim it to be a targeted measure that preserves privacy; in truth it permits general data surveillance.

In Germany, the debate has been particularly strident. In 2010, the Constitutional Court annulled the first data retention law. Five years later, data retention was re-introduced, though not implemented given court rulings.

Despite arguments favouring its implementation, the investigation and prosecution of crime could still take place with high degrees of success without any such regime in place. In January this year, the statistics on crime clearance rates published by the German government revealed than a mere 3% of child sexual abuse material (CSAM) investigations between 2017 and 2021 could not be pursued for want of records of IP addresses.

The current coalition agreement, while supporting the retention of communications data, specifies that it be done "on an ad-hoc basis" and only via judicial order. But the Social Democratic Minister of the Interior, Nancy Faeser, is a steadfast devotee of such retention, a fan of indiscriminate surveillance.

Faeser and her surveillance fan club got an answer last month with the ruling by the Court of Justice of the European Union (CJEU) that Germany's general data retention law breached EU law. The case was triggered by action taken by Deutsche Telekom unit Telekom Deutschland and the internet service provider SpaceNet AG. The CJEU's opinion was duly sought by the German court. The judges duly found that "EU law precludes the general and indiscriminate retention of traffic and location data, except in the case of a serious threat to national security."

The court took issue with the law's "broad set of traffic and location data" retention requirements to be kept over periods of 10 weeks and four weeks respectively. This could lead to "very precise conclusions to be drawn concerning the private lives of persons whose data are retained, such as habits of everyday life, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them and, in particular, enable a profile of those persons to be established."

The CJEU did not do away with the idea of bulk data retention, merely noting a growing list of exceptions that states are bound to exploit. In the German case, specific contexts might involve a grave threat to national security. There would also have to be court oversight, discrimination in terms of targeting, and a specific period of time.

In another joined case, the CJEU found that financial market regulators cannot use EU laws to target insider dealing and market manipulation by forcing telecom providers to supply the personal data of suspect traders to the authorities. The French law in question, justified on the basis of fighting crime, permitted the retention of such traffic data for up to one year from the day of its recording.

National legislation requiring telecommunications operators "to retain generally and indiscriminately the traffic data of all users of means of electronic communication, with no differentiation in that regard or with no provision made for exceptions and without establishing the link required […] between the data to be retained and the objective pursued" fell outside what was "strictly necessary and cannot be considered to be justified, in a democratic society".