How we fought and beat governments unlawfully storing our data

PI and our global partners have been at the forefront of challenging data retention for over a decade.

 

The Problem

The practice of data retention involves the gathering and storing of communications data for extended periods for future access. Such communications data, known as metadata, tells the story about your data and answers the who, when, what, and how of a specific communication. Several governments worldwide have implemented regulation that obliges providers of communication services or networks to retain such communications data.

The potential harms associated with data retention and access to such data are significant. In a context where the gathering and exploitation of data by private companies becomes increasingly privacy intrusive and widespread, data retention poses serious risks to individual privacy and data security. The data opens the door for governments and third parties to make intimate inferences about individuals, to engage in profiling and to otherwise intrude on people’s private lives. If the information is not properly protected there is the potential of unauthorised access to troves of information by third parties, including cyber-criminals. Many of these laws demand indiscriminate and mass retention of data, beyond what is admissible under applicable international human rights standards. The application of these laws results in the indiscriminate creation of vast dossiers of information on everyone’s activities, including location data and communications with friends, families and work colleagues. There are alternative methods of surveillance that are less disproportionate, for example, requiring a court order to allow operators to retain data related just to a specific individual suspected of criminal activity.

What we did

Privacy International has been at the forefront of monitoring, raising awareness about, and challenging data retention.

Given its international influence, and the fact that the US has to date refrained from placing data retention obligations on communications service providers, much of the battleground on data retention has been in Europe. By the early 2000s, several EU member states had enacted national data retention laws, and were pushing for mandatory data retention regulations across the entirety of the EU. In 2003, a draft Framework Decision on data retention under discussion by EU Justice and Home Affairs Ministers sought to oblige Member States to require communications providers to retain data for up to two years. PI published a memorandum reviewing the proposal and current retention laws in Member States, and argued that such retention practices were not in accordance with law, were not necessary in a democratic society, and therefore violated the right to privacy as protected by the European Convention on Human Rights. Despite our submitting open letters and evidence to European and EU national parliaments, the EU controversially passed the Data Retention Directive in 2006, but it was immediately challenged at the European Court of Justice by Digital Rights Ireland, an Irish-based NGO and PI partner within European Digital Rights (EDRi). In 2014, the court ruled in favour of Digital Rights Ireland, finding that the directive “entails an interference with the fundamental rights of practically the entire European population.”

Despite the decision, however, some EU member states continued to mandate data retention provisions, with the UK parliament rushing through the Data Retention and Investigatory Powers Act (DRIPA), to intense criticism from legal and technical experts. As a result, DRIPA was challenged in court through judicial review by Members of Parliament Tom Watson and David Davis. Intervening in the UK High Court, we argued that DRIPA was contrary to EU law, in particular Article 15 of the E-Privacy Directive. In effect, we argued that data retention was in itself unlawful, and not just the system of safeguards required around government access to retained data. The case was referred all the way up to the Court of Justice of the EU, whose job it is to rule on the application of EU law across the Union.

Result

In December 2016, the Court reaffirmed the 2014 ruling against data retention and expanded upon it, ruling that “general and indiscriminate retention” of data was in fact prohibited, that retention and any access to the data must be strictly necessary for the purpose of fighting serious crime, and that access to the retained data by the Government must be subject to prior review by a court or independent authority.

The decision has far-reaching implications. While the judgment was not specific about other surveillance powers, it also implicated other surveillance laws, such as those contained within the UK’s Investigatory Powers Act. The judgment raised significant questions about whether vast swathes of the new law should now be repealed:

  • In particular, the judgment raises concerns about the viability of the mandatory communications data retention powers. Under Part 4 of the Investigatory Powers Act, communications data — which includes the who, when and where of our telephone calls, emails and instant messages — can be subject to a retention order for up to 12 months for reasons that go far beyond what is strictly necessary for fighting serious crime.
  • The judgment also demands a rethink of the UK Government’s significant expansion of data retention powers to so-called ‘Internet Connection Records’, which could include the retention of people’s browsing histories for 12 months.
  • The judgment may also mean that the UK Government is forced to increase safeguards, such as judicial authorisation and notification, for data that it keeps about us. These were shown to be lacking in DRIPA.
  • The judgment could mean that the Government will need to introduce new safeguards for accessing communications data (including Internet Connection Records) and other intrusive powers contained within the new law.

While European telecommunications companies such as Telia announced that they stopped retaining specific data, it remained unclear how different EU member states interpreted or acted upon the Court's decisions. As a result, in 2017 we initiated a survey of the data retention practices of 21 EU member states in consultation with industry and other NGOs, assessing their legislation and jurisprudence with regard to data retention. We found that while some countries, such as the Netherlands and Slovakia, had repealed national legislation on retention, no country surveyed was in compliance with the 2016 CJEU ruling, and in many states their legislation is not even in compliance with the 2014 ruling in favour of Digital Rights Ireland against the Data Retention Directive.

Current Status

We are now working to ensure that these countries reform their legislation and come into compliance with the Court’s rulings. We are pushing for states to review and amend their legislation to comply with European standards, including the CJEU jurisprudence; for telecommunications and other companies subject to data retention obligations to challenge existing data retention legislation that is not compliant with European standards; and for the European Commission to provide guidance on reviewing national data retention laws to ensure their conformity with fundamental rights.

In the UK, following the 2016 judgment, the case has been remitted back to the UK Court of Appeal. A hearing has not yet taken place. The government stated that “...in light of the CJEU judgment, and in order to bring an end to the litigation, the Government have accepted to the Court of Appeal that the (DRIPA) was inconsistent with EU law in two areas.” However, until a hearing takes place, the details of what the Government is prepared to accept, the response to this from the Claimants and ultimately what results from the CJEU’s ruling are unknown. We will be working hard to ensure that the rule of law is respected, and that the Government acts upon the Court’s judgments.

Going Forward

The fight against unlawful data retention is one of the most long-running and important privacy issues in the modern era, involving stakeholders from across government, the courts, industry, and civil society. Above all, it shows how collaborative and coordinated campaigning can achieve results for the protection of privacy on a highly contentious and murky issue. This campaigning, built on developing an understanding of data retention practices and the associated legal issues, and on working with other civil society organisations, industry, legal and technical experts, and politicians concerned about the right to privacy from across the political spectrum, has led Courts to recognise that blanket data retention obligations represent a violation of the right to privacy and data protection law.

The challenge facing Privacy International and everyone concerned about the right to privacy now is ensuring respect for the rule of law in an era when some governments are pursuing surveillance powers unimaginable and untenable just a few years ago and when human rights legislation is coming under increasing attack. To challenge this, it is essential to continue to research and expose data retention practices, to raise awareness about the fundamental threat they pose for everyone’s freedom and security, and to challenge them through the courts and in parliaments. Ultimately, it is only through public attention and pressure that this crucial right will be protected and respected. As we move into a world where our data affects every aspect of our lives and will increasingly do so in ways we don’t yet know, this fight is more crucial than ever.

 
