New Times,
New Thinking.

8 April 2014updated 09 Jun 2021 8:15am

European court rules that continent-wide phone call info collection violates privacy

Privacy advocates secure a big win as EU metadata collection by telecommunications companies gets struck down.

By Ian Steadman

The European Court of Justice has ruled that an EU directive forcing telecommunications companies to keep detailed metadata records for their customers is invalid, and an invasion of privacy. It’s a significant victory for European pro-privacy advocates.

Here’s the background: in the wake of the Madrid bombings of 2004, and the London bombings of 2005, the European Parliament passed the Data Retention Initiative. It was specifically designed to give European law enforcement bodies more chance of building a case against terror suspects by mandating that all telecommunications companies in the EU keep track of the metadata of phone calls and SMS messages sent by their customers. That doesn’t mean recordings of the calls themselves, but rather each caller, the time each call was made, who received each call, and the location from where the calls were made – and similar data for texts. All of that, kept for between six to 24 months in case it proved useful in a future criminal investigation.

Since its introduction the directive was criticised by those who felt it was an unjustifiable blanket collection policy which had no real oversight. A group of dozens of civil liberties groups from across the EU (and some from beyond its borders, like the Electronic Frontier Foundation), signed a letter in 2012 arguing:

Telecommunications data retention undermines professional confidentiality, creating the permanent risk of data losses and data abuses and deters citizens from making confidential communications via electronic communication networks. It undermines the protection of journalistic sources and thus compromises the freedom of the press. Overall it damages preconditions of our open and democratic society. In the absence of a financial compensation scheme in most countries, the enormous costs of a telecommunications data retention regime must be borne by the thousands of affected telecommunications providers. This leads to price increases as well as the discontinuation of services, and indirectly burdens consumers.”

One of the advocates general of the Court, Cruz Villalón, issued an opinion in December 2013 arguing that the directive was incompatible with Article 7 of the EU’s Charter on Fundamental Rights, which states that “everyone has the right to respect for his or her private and family life, home and communications”. The rest of the Court has now agreed. In its judgement today, it said:

Select and enter your email address Your weekly guide to the best writing on ideas, politics, books and culture every Saturday. The best way to sign up for The Saturday Read is via The New Statesman's quick and essential guide to the news and politics of the day. The best way to sign up for Morning Call is via
  • Administration / Office
  • Arts and Culture
  • Board Member
  • Business / Corporate Services
  • Client / Customer Services
  • Communications
  • Construction, Works, Engineering
  • Education, Curriculum and Teaching
  • Environment, Conservation and NRM
  • Facility / Grounds Management and Maintenance
  • Finance Management
  • Health - Medical and Nursing Management
  • HR, Training and Organisational Development
  • Information and Communications Technology
  • Information Services, Statistics, Records, Archives
  • Infrastructure Management - Transport, Utilities
  • Legal Officers and Practitioners
  • Librarians and Library Management
  • Management
  • Marketing
  • OH&S, Risk Management
  • Operations Management
  • Planning, Policy, Strategy
  • Printing, Design, Publishing, Web
  • Projects, Programs and Advisors
  • Property, Assets and Fleet Management
  • Public Relations and Media
  • Purchasing and Procurement
  • Quality Management
  • Science and Technical Research and Development
  • Security and Law Enforcement
  • Service Delivery
  • Sport and Recreation
  • Travel, Accommodation, Tourism
  • Wellbeing, Community / Social Services
Visit our privacy Policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications.

It entails a wide-ranging and particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data, without that interference being limited to what is strictly necessary.

The Court takes the view that, by requiring the retention of those data and by allowing the competent national authorities to access those data, the directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data. Furthermore, the fact that data are retained and subsequently used without the registered user being informed is likely to generate in the persons concerned a feeling that their private lives are the subject of constant surveillance.”

That’s a very clear ruling that the directive mandates too much state surveillance of citizens. The judgement also goes on to point out that the directive says that any EU member state’s law enforcement body can request data if it’s to be used in fighting “serious crime”, but at no point is “serious crime” defined – giving the state effective carte blanche in choosing what it can use the data for – and there are also concerns that there aren’t any safeguards in place “to ensure effective protection of the data against the risk of abuse and against any unlawful access and use of the data”. And, in a world where data can be stored in the cloud, on servers which are physically located in another country, the court was worried that there was nothing to mandate that EU citizens’ data stayed only within the EU, where it would be protected by data protection legislation and protocols.

We can thank Digital Rights Ireland, a digital rights advocacy group based in Dublin (and one of the co-signees to the 2012 letter against the directive), for bringing the case to court. However, as the organisation has pointed out, this judgement doesn’t spell the end of the metadata collection in all cases, as it just means that it’s something no longer mandated by the EU. Several member states have passed their own legislation – including Ireland – to enforce similar guidelines, and they’re still in place – and digital rights groups will have to pursue overturning those state-level laws through the national courts, with the European Court of Justice ruling as an added weapon.

Content from our partners
The power of place in tackling climate change
Tackling the UK's biggest health challenges
"Heat or eat": how to help millions in fuel poverty – with British Gas Energy Trust