The EU Data Retention Directive provides the context for the background.

By Chris Jones, Researcher for Statewatch

As the Snowden leaks continue to make waves, the Court of Justice of the European Union (CJEU) is set to rule on a case (Digital Rights Ireland, Seitlinger and Others) that could potentially invalidate the EU’s Data Retention Directive in its present form. This directive mandates that private companies retain large amounts of their users’ telecommunications data, just in case law enforcement needs it for criminal or terrorism investigations.

This judgment comes after Advocate General Cruz Villalón issued a critical opinion in December 2013. Villalón suggested that the Court should declare the entire Directive incompatible with Articles 52(1) (limitations on rights) and 7 (right to privacy) of the EU Charter. This post, based on Statewatch’s work as part of the SECILE project (Securing Europe through Counter-terrorism: Impact, Legitimacy and Effectiveness), will provide context by outlining the history of the 2006 Data Retention Directive, highlighting its key points, and examining its controversial national implementation, which has sparked legal challenges across Europe. Subsequent posts will delve deeper into the implementation and challenges related to the Directive.

The Data Retention Directive: a brief overview

The 2006 Data Retention Directive requires EU member states to ensure that telecommunications and Internet Service Providers (ISPs) hold onto specific types of data their users generate. This data, collected from landline phones, fax machines, mobile phones, and internet usage, must be retained “to ensure that it is available for the investigation, detection and prosecution of serious crime”. This includes:

  • The source of a communication
  • The destination of a communication
  • The date, time, and duration of a communication
  • The type of communication
  • Users’ communication equipment or what appears to be their equipment
  • The location of mobile communication equipment

The required retention period is at least six months and at most two years. Individual member states decide the specific duration and the conditions for accessing this data.

The European Data Protection Supervisor has stated that the Directive is “without doubt the most privacy-invasive instrument ever adopted by the EU in terms of scale and the number of people it affects.” It’s considered one of the EU’s most contentious counter-terrorism laws, sparking fierce debates about its legitimacy and effectiveness from its initial drafting stages to the present day.

The policy-making process

The preamble of the Data Retention Directive cites the 2004 Madrid and 2005 London terrorist attacks as reaffirming “the need to adopt common measures on the retention of telecommunications data as soon as possible.” However, law enforcement agencies were pushing for data retention legislation well before 9/11, and the Directive’s scope extends beyond combating terrorism.

The push for data retention can be traced back to the “International Law Enforcement and Telecommunications Seminars” (ILETS) held at the FBI Academy in Quantico, Virginia, starting in 1993. These seminars aimed to establish global “interception requirements” - essentially, standards for police and security agencies to tap phone networks worldwide. Following the first ILETS meeting, the EU Council of Justice and Home Affairs (JHA) Ministers adopted an unpublished Resolution in November 1993. This resolution called for experts to compare EU requirements for intercepting telecommunications with those of the FBI.

Building on ILETS’ work, a second EU Resolution in January 1995 introduced obligations for telecommunications companies. They were required to cooperate with law enforcement agencies in the “real-time” surveillance of their customers. Notably, this resolution wasn’t discussed by the Council of Ministers but was adopted through a “written procedure,” bypassing open debate. This Resolution, only published in November 1996, formed the basis for interception provisions within the 2000 EU Convention on Mutual Legal Assistance.

ILETS continued annually, and in 1999, it highlighted a new concern. Service providers were deleting valuable “traffic data,” such as mobile phone and internet usage records, after billing cycles. This posed a problem in the EU, where the recently enacted EC Directive on privacy in telecommunications obligated providers to delete such data after billing (usually within three months). ILETS proposed mandatory data retention regimes, requiring providers to store this data for much longer. This demand then spread to other intergovernmental forums on police and judicial cooperation, including the G8. The American Civil Liberties Union, Privacy International, and Statewatch termed this process “policy laundering,” describing it as governments using foreign and international platforms to advance policies unlikely to gain approval through standard domestic processes.

In 2000, the EU sought to update the 1997 Directive on privacy in telecommunications to encompass “new technologies.” This resulted in what’s known as the “e-Privacy” Directive. The initial draft proposed removing the requirement for service providers to delete traffic data after billing. This fell under the First Pillar (internal market), giving the European Parliament a rare opportunity to vote on what was effectively a Justice and Home Affairs or Third Pillar issue (police surveillance). Due to a campaign by privacy advocates, the proposal was rejected. However, in 2002, with 9/11 providing new justification, the European Socialist Party (PSE) and the European People’s Party (PPE) formed an alliance. They agreed on the e-Privacy Directive and the “data retention amendment,” despite opposition from liberal, green, and left-wing parties. This opened the door for member states to implement their own, optional national data retention regimes.

Shortly after the e-Privacy Directive was finalized, a confidential draft Framework Decision was circulated among member states and leaked by Statewatch. This document proposed the mandatory retention of subscriber and traffic data for 12-24 months across the EU. Following criticism in European media, the Danish presidency of the EU stated that the proposal was “not on the table.” However, it seems the proposal remained nearby. Following the March 2004 Madrid train bombings, the ‘EU Declaration on combating terrorism’ endorsed mandatory data retention across the EU.

One month later, the UK, France, Sweden, and Ireland submitted a revised draft Framework Decision on data retention to the Council. By this point, a majority of EU member states had already implemented their own data retention systems. The EU proposal faced another setback when Statewatch published confidential legal advice from the EU Council and Commission Legal Services. These documents, withheld from MEPs and the public, argued that the Framework Decision was unlawful due to an incorrect legal basis. Data retention, they stated, fell under the First Pillar as it regulated service providers in the single market.

The European Commission, despite prior opposition, redrafted the proposal as a Directive, further complicating matters. This shift from a Framework Decision, where the European Parliament had only an advisory role, to a Directive granted the Parliament full “co-decision” powers. Furthermore, during the Framework Decision consultations, the Parliament had voted to reject mandatory data retention, deeming it “incompatible with Article 8” of the ECHR (data protection).

Between the Framework Decision’s defeat and the Directive’s proposal, the July 2005 London bombings occurred. This event provided a renewed rationale for an EU data retention law, even though the UK prime minister himself suggested that “all the surveillance in the world” couldn’t have stopped the attacks.

Leveraging its EU Council presidency, the UK set a deadline of the end of 2005 for the European Parliament to approve the measure. Charles Clarke, UK Secretary of State, urged the Parliament to adopt the proposal. Reports indicated that Home Office officials privately warned MEPs that failure to comply would result in the European Parliament losing its say in justice and home affairs matters. Privacy International and the European Digital Rights Initiative spearheaded a campaign in which 90 NGOs and 80 telecommunications providers wrote to MEPs, urging them to vote against the measure. Despite these efforts, the Parliament approved the measure on December 14, 2005. A PSE-PPE alliance reversed the Parliament’s stance from just eight months prior. The Directive was passed after a single reading, meeting the UK’s deadline. The EU Council adopted the legislation by a qualified majority, with Ireland and Slovakia opposed. The Directive became law in March 2006.

Two additional points are crucial when examining this policy-making process. The first concerns the UK government’s role. After the UK Parliament blocked its attempts to enact a domestic mandatory data retention system, the UK took its efforts to the EU. In what appears to be “policy laundering,” the resulting EU Directive, championed by the UK, became binding on the UK itself. This was implemented through statutory instrument, specifically the Data Retention (EC Directive) Regulations 2007 and 2009.

The second point highlights the US government’s influence in promoting mandatory data retention in Europe. The US government advocated for this both through bilateral discussions with the European Commission and EU Presidency and in multilateral settings like the G8. This is notable because, at the time, the US had no comparable laws nor plans to implement them. Instead of blanket data retention, US law enforcement and security agencies obtain “preservation orders” from special surveillance courts. However, leaks like the FISA court order against Verizon show that US agencies and their “surveillance court” interpret these principles broadly, often encompassing entire telephone networks.

Nevertheless, a more principled implementation of such a system, involving judicial oversight to ensure necessary and legitimate data access, would be more privacy-conscious than the EU’s current approach. European opposition to the Data Retention Directive included advocacy from civil society for this alternative model. This approach, with judicial oversight, remains the preference of the German Ministry of Justice. Germany’s implementation of the Directive has been highly controversial, even prompting a Constitutional Court ruling demanding its revision.

Barnard & Peers: chapter 9

Licensed under CC BY-NC-SA 4.0