Privacy International defends the right to privacy across the world, and fights surveillance and other intrusions into private life by governments and corporations. Read more »


Indiscriminate retention of data is not in accordance with law

Of course, not all interferences with the right to private life violate Article 8 of the European Convention on Human Rights. Article 8(2) acknowledges that there are certain situations in which interference by the State is justified. But the Court has been clear that this paragraph, since it provides for an exception to a right guaranteed by the Convention, is to be read narrowly. The Court has accordingly interpreted Article 8(2)’s requirement that such interferences be in accordance with law, as meaning not only that there must be a law in place authorising the interference, but that it should meet the standards of accessibility and foreseeability inherent in the concept of rule of law. The data retention regime envisaged by the Framework Decision fails to meet these standards. Even if we assume that it was implemented by national laws that could be accessed by all citizens, the very idea of blanket data retention offends the standard of foreseeability as it has been developed by the Court.

The principle behind the foreseeability requirement is the simple notion that the State should give citizens an adequate indication of the circumstances in which the public authorities are empowered to interfere in their private lives. When laws are foreseeable in this way, individuals can regulate their conduct accordingly, so as to avoid invoking unwelcome intrusions by the State. Laws that offer citizens no reasonable means of avoiding surveillance of their private affairs by the State are the hallmark of the police state.

The requirement of foreseeability is not satisfied by blanket regulations, such as those envisaged in the Framework Decision, that allow everyone to foresee that the State will interfere with their right to a private life. As the Court said in respect of secret surveillance in Malone v. United Kingdom, it would be “contrary to the rule of law for the legal discretion granted to the executive to be expressed in terms of an unfettered power.” Rather, what makes a law foreseeable is the extent to which it distinguishes between different classes of people, thereby placing a limit on arbitrary enforcement by the authorities. Thus, in Kruslin v. France, the Court found that a law authorising telephone tapping lacked the requisite foreseeability because it nowhere defined the categories of people liable to have their telephones tapped or the nature of the offenses which might justify such surveillance. In Amann v. Switzerland, the Court reached the same conclusion with regard to a decree permitting the police to conduct surveillance, because the decree gave no indication of the persons subject to surveillance or the circumstances in which it could be ordered. Data retention laws that fail to distinguish between different classes of people would have a more pernicious impact on individual privacy than the vague laws at issue in Kruslin and Amann. Whereas the latter left every citizen vulnerable to a risk of surveillance, blanket data retention would subject every citizen to the certainty of ongoing and unremitting interference in his or her private life.

Blanket data retention laws also offend the principle of foreseeability because they make no distinction for relationships that the State already recognises as sufficiently special to warrant a degree of protection. In Kopp v. Switzerland, the Court observed that a law authorising interception of telephone calls would in certain circumstances contradict other provisions of Swiss law according protection to confidential attorney-client communications. The Court found that the telephone tapping law failed to meet the standard of foreseeability, because it provided no guidance on how authorities should distinguish between protected and unprotected attorney-client communications. The Framework Decision and laws like it suffer from the same flaw. Confidential attorney-client communications, to take one example, enjoy a protected status throughout the EU. Yet the proposed data retention schemes make no effort to distinguish between such communications (and others like it) and “normal” communications.