The European Court of Justice has ruled that an EU directive forcing telecommunications companies to keep detailed metadata records for their customers is invalid, and an invasion of privacy. It’s a significant victory for European pro-privacy advocates.
Here’s the background: in the wake of the Madrid bombings of 2004, and the London bombings of 2005, the European Parliament passed the Data Retention Initiative. It was specifically designed to give European law enforcement bodies more chance of building a case against terror suspects by mandating that all telecommunications companies in the EU keep track of the metadata of phone calls and SMS messages sent by their customers. That doesn’t mean recordings of the calls themselves, but rather each caller, the time each call was made, who received each call, and the location from where the calls were made – and similar data for texts. All of that, kept for between six to 24 months in case it proved useful in a future criminal investigation.
Since its introduction the directive was criticised by those who felt it was an unjustifiable blanket collection policy which had no real oversight. A group of dozens of civil liberties groups from across the EU (and some from beyond its borders, like the Electronic Frontier Foundation), signed a letter in 2012 arguing:
Telecommunications data retention undermines professional confidentiality, creating the permanent risk of data losses and data abuses and deters citizens from making confidential communications via electronic communication networks. It undermines the protection of journalistic sources and thus compromises the freedom of the press. Overall it damages preconditions of our open and democratic society. In the absence of a financial compensation scheme in most countries, the enormous costs of a telecommunications data retention regime must be borne by the thousands of affected telecommunications providers. This leads to price increases as well as the discontinuation of services, and indirectly burdens consumers.”
One of the advocates general of the Court, Cruz Villalón, issued an opinion in December 2013 arguing that the directive was incompatible with Article 7 of the EU’s Charter on Fundamental Rights, which states that “everyone has the right to respect for his or her private and family life, home and communications”. The rest of the Court has now agreed. In its judgement today, it said:
It entails a wide-ranging and particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data, without that interference being limited to what is strictly necessary.
The Court takes the view that, by requiring the retention of those data and by allowing the competent national authorities to access those data, the directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data. Furthermore, the fact that data are retained and subsequently used without the registered user being informed is likely to generate in the persons concerned a feeling that their private lives are the subject of constant surveillance.”
That’s a very clear ruling that the directive mandates too much state surveillance of citizens. The judgement also goes on to point out that the directive says that any EU member state’s law enforcement body can request data if it’s to be used in fighting “serious crime”, but at no point is “serious crime” defined – giving the state effective carte blanche in choosing what it can use the data for – and there are also concerns that there aren’t any safeguards in place “to ensure effective protection of the data against the risk of abuse and against any unlawful access and use of the data”. And, in a world where data can be stored in the cloud, on servers which are physically located in another country, the court was worried that there was nothing to mandate that EU citizens’ data stayed only within the EU, where it would be protected by data protection legislation and protocols.
We can thank Digital Rights Ireland, a digital rights advocacy group based in Dublin (and one of the co-signees to the 2012 letter against the directive), for bringing the case to court. However, as the organisation has pointed out, this judgement doesn’t spell the end of the metadata collection in all cases, as it just means that it’s something no longer mandated by the EU. Several member states have passed their own legislation – including Ireland – to enforce similar guidelines, and they’re still in place – and digital rights groups will have to pursue overturning those state-level laws through the national courts, with the European Court of Justice ruling as an added weapon.