European Court of Justice rules against UK on data retention
The Court of Justice of the European Union (familiarly known as the European Court of Justice or ECJ) issued a judgment this week explicitly against laws in the United Kingdom and in Sweden that require telecommunications service providers to collect and retain data about telephone calls and other electronic communications (for 12 months in the UK law and for six months in the Swedish law). In its ruling, the ECJ found that the British and Swedish data retention regulation “prescribes general and indiscriminate retention of data” in a manner inconsistent with norms of democratic society and, in particular, with privacy protections for electronic communications included in European Council Directive 2002/58/EC. The Court’s ruling makes clear that it is possible for European Union member nations to establish targeted data retention rules for specific purposes, such as supporting criminal or anti-terrorism investigations. The December 21 judgment further clarifies interpretations of EU policy since the Court ruled invalid the EC-wide Data Retention Directive in 2014.
EU law precludes a general and indiscriminate retention of traffic data and location data, but it is open to Member States to make provision, as a preventive measure, for targeted retention of that data solely for the purpose of fighting serious crime, provided that such retention is, with respect to the categories of data to be retained, the means of communication affected, the persons concerned and the chosen duration of retention, limited to what is strictly necessary.
To put this recent ruling in context, a little history may be in order. Even those with only a casual interest in personal privacy protections are often aware that, in general, regulations governing the collection, use, and disclosure of personal data are stronger in the European Union than privacy regulations in the United States. Despite those overarching privacy protections, enumerated in multiple EC Directives dating at least to 1995, the European Parliament and the European Council established Directive 2006/24/EC in March 2006 to harmonize member countries’ retention of data related to electronic communications services. The 2006 Directive concerned location and telecommunications metadata that could be used by law enforcement authorities or other authorized entities to identify the source and destination of electronic communications (including telephony services and Internet transmissions such as email) and the identity of the subscriber or registered user initiating such transmissions. Individual countries were free to establish their own specific retention periods, but Directive 2006/24/EC set the minimum at six months and the maximum at two years. Laws such as the Swedish regulation addressed in this week’s ECJ ruling were crafted specifically to conform to the guidelines in 2006/24/EC.
Directive 2006/24/EC was in effect for approximately eight years; in April 2014 the ECJ declared the data retention directive invalid, largely because it did not require any “differentiation, limitation, or exception” in the collection of electronic communications data nor did it ensure that government authorities could only use the collected data for preventing, detecting, or prosecuting serious crime. The Swedish case brought to the ECJ challenged a law that was enacted prior to the 2014 ruling invalidating 2006/24/EC, while the UK case concerned the Data Retention and Investigatory Powers Act of 2014, which was enacted specifically in response to the invalidation of the EC data retention directive. Dubbed the “snoopers’ charter” by opponents, the UK law requires telecommunications carriers and Internet service providers to hold data about all electronic communications by subscribers or users for a period of 12 months. While many national data retention laws (and Directive 2006/24/EC) exclude the content of electronic communications, news reports about the UK law suggest that service providers would be required to retain, and to make available to law enforcement, details such as the Internet websites individuals visit and the applications and messaging services individuals use. The UK efforts to increase this type of data retention stand in stark contrast to actions by other EU nations in the years while 2006/24/EC was still in effect, such as the rejection by the German Federal Constitutional Court of a data retention law that had been designed to comply with the EC Directive. As for the U.S., while there is no mandatory data retention law currently in place, Congress has tried several times to enact these rules, including failed efforts in 2009 and 2011, and U.S. law enforcement authorities have well-established legal procedures under the Stored Communications Act to access any data or records that electronic communications providers choose to maintain for their own business purposes.