In the 1990s, Europe led the way in recognising how emerging technological trends threatened individual privacy and in providing countervailing protections. Since September 2001, however, security concerns have driven the European Union to water down these protections, in particular by granting Member State authorities discretion to gather data for security and criminal investigation purposes. A draft Framework Decision on data retention under discussion by EU Justice and Home Affairs Ministers would accelerate this trend dramatically. The proposed measure would oblige Member States to require communications providers to retain for up to two years traffic data relating to every communication carried, in case of need in a subsequent criminal investigation or prosecution. Some Member States already have taken matters into their own hands, and enacted data retention laws in their own right.
The data retention regime envisaged by the Framework Decision, and now appearing in various forms at the Member State level, is unlawful. Article 8 of the European Convention on Human Rights (ECHR) guarantees every individual the right to respect for his or her private life, subject only to narrow exceptions where government action is imperative. The Framework Decision and national laws similar to it would interfere with this right, by requiring the accumulation of large amounts of information bearing on individuals’ private activities. This interference with the privacy rights of every user of European-based communications services cannot be justified under the limited exceptions envisaged by Article 8 because it is neither consistent with the rule of law nor necessary in a democratic society. The indiscriminate collection of traffic data offends a core principle of the rule of law: that citizens should have notice of the circumstances in which the State may conduct surveillance, so that they can regulate their behavior to avoid unwanted intrusions. Moreover, the data retention requirement would be so extensive as to be out of all proportion to the law enforcement objectives served. Under the case law of the European Court of Human Rights, such a disproportionate interference in the private lives of individuals cannot be said to be necessary in a democratic society.
If the Framework Decision is adopted, it would mark a dramatic departure from the European Union’s formerly protective and cautious attitude towards personal privacy and data retention. Most recently, Community legislators enacted Directive 2002/58/EC in mid-2002 to regulate the processing of personal data, including traffic data, on electronic networks. That Directive sensibly and prudently only permitted retention measures where “necessary, appropriate and proportionate” within a democratic society. The notion of unrestricted, blanket data retention was expressly rejected. The Framework Decision, on the contrary, would compel European businesses to retain communications data, thereby creating a regime far more intrusive than anything previously known in the EU or even in comparable democratic societies. By requiring the accumulation of huge stores of data traffic, containing countless items of private and personal information, it would generate opportunities for abuse by public authorities or private actors, such as hackers. Further, the additional regulatory burdens imposed by such a regime would be costly and would adversely affect the competitiveness of telecommunications and network service providers in Europe.