New Privacy International report shows that 21 European countries are unlawfully retaining personal data

Press release

Key points

  1. Privacy International surveyed 21 EU member states' legislation on data retention and examined their compliance with fundamental human rights standards
  2. 0 out of the 21 States examined by PI are currently in compliance with these standards (as interpreted in two landmark judgements by the Court of Justice of the European Union: Tele-2/Watson and Digital Rights Ireland)
  3. Privacy International is calling for:
    • EU member states to review their legislation on data retention and, if necessary, amend it to comply with European standards, including the CJEU jurisprudence;
    • Telecommunications and other companies subject to data retention obligations to challenge existing data retention legislation which are not compliant with European standards, including the CJEU jurisprudence;
    • The European Commission to provide guidance on reviewing national data retention laws to ensure its conformity with fundamental rights, as interpreted by the CJEU.

Privacy International have today released a report detailing the current data retention regimes across 21 European Union member states and the state of their (lack of) compliance with two landmark judgements by the CJEU which determined that EU law prohibits general and indiscriminate retention of communications data and requires that all data retention regimes comply with the principles of legality, necessity, and proportionality.

The report shows that, out of the 21 states Privacy International examined, zero are in compliance with current data retention standards (notably the e-privacy directive and the EU Charter of Fundamental Rights), including: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, France, Germany, Hungary, Ireland, Italy, Luxembourg, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the United Kingdom.

Privacy International Head of Policy and Advocacy Tomaso Falchetta said:

"Blanket and indiscriminate retention of our digital histories—who we interact with, when and how and where—can be a very intrusive form of surveillance that needs strict safeguards against abuse and mission creep. Our communications data is no less sensitive than the content of our communications. It is clear that current data retention regimes in Europe violate the right to privacy and other fundamental human rights. In particular the European Court has made clear that general, indiscriminate retention of communications data is disproportionate and cannot be justified, not even on the grounds of fighting crime.  While some states have recognised the need to reform, there is little evidence that they are moving to change their laws to bring them into line with their obligations under existing human rights law."



The practice of mandating the retention of communications data (or metadata) by Telecommunications companies, as prescribed by the laws of most European Union Member States, raises significant privacy, transparency, and security concerns. Telecommunications companies and service providers are required by law to store large amounts of personal data on an ongoing basis for later access by Government agencies and local authorities, but such storage and access is often indiscriminate and fails to guarantee sufficient safeguards from abuse. As the data generated by smart phones increases, the data Governments’ demand is retained, is or is likely to go far beyond that necessarily required for business purposes.

Communications data refers to the who, what, when, where of a communication. The welter of information derivable from communications data in the age of 24-hour browsing, mailing, messages, instant apps, where our online activities replace conventional social interactions, is huge. It tells you everything about a person. One need only think that a visit to an IP address hosting a medical self diagnosis website, followed by a visit to your GP's website, followed by a telephone call to an oncologist, followed by an appointment with a solicitor, then a hospice, may well reveal that the person in question has terminal cancer. This type of data is massively valuable in the hands of the state, but it is also liable to misuse and a valuable target for theft.

In two judgements, the Digital Rights Ireland case (2014) and the more recent Tele-2/ Watson decision (2016), the Court of Justice of the European Union (CJEU) reaffirmed the requirement that all data retention regimes must comply with the principles of legality, necessity, and proportionality. Unfortunately, this basic standard laid down by the CJEU is not adhered to by most EU member states, despite their legal obligation to comply with the Court’s jurisprudence. This report sheds light as to the current state of affairs in data retention regulation across the EU post the Tele-2/Watson judgement.

Privacy International will be speaking about the report findings at the "E-volution of data protection" conference in Estonia on 7 September.