The European Data Protection Supervisor (EDPS) adopted an Opinion on the European Commission’s Evaluation Report on the Data Retention Directive. The EDPS demonstrates that the Directive violates the privacy of all EU citizens and that the evaluation report itself is flawed. This is good news for your privacy.
In the Opinion (PDF), the EDPS comes to the conclusion that the Data Retention Directive does not meet the requirements set out by the rights to privacy and data protection, primarily because the necessity for data retention has not been sufficiently demonstrated. He also believes that data retention could be regulated in a less privacy-intrusive way and that the Directive lacks foreseeability.
‘Although the Commission has clearly put much effort into collecting information from the Member States, the quantitative and qualitative information provided by the Member States is not sufficient to draw a positive conclusion on the need for data retention as it has been developed in the Directive. Further investigation of necessity and proportionality is therefore required, and in particular the examination of alternative, less privacy-intrusive means’ says the EDPS. In addition, the present Directive leaves too much room for Member States to decide on the purposes for which the data may be used, on who can access the data and under which conditions.
Therefore, the EDPS calls on the Commission to seriously consider ‘all options in the impact assessment including the possibility of repealing the Directive.’ An eventual future data retention directive should be considered only if the necessity of data retention, ‘supported and regulated by the EU, could be sufficiently demonstrated, which includes a careful consideration of alternative measures.’
The Opinion yet again demonstrates that the evaluation of the Commission is flawed. On 17 April, European Digital Rights (EDRi), of which Bits of Freedom is a founding member, produced its own ‘shadow report’ (PDF) providing a more accurate evaluation of the Data Retention Directive, using the Commission’s own methodology. The EDPS opinion and the EDRi report have much in common.
One crucial point needs to be added to §80 of the EDPS Opinion, however: the principle of data retention can never be justified. When the Opinion cites the verdict of the German Constitutional Court on the principle of data retention, it notes that ‘a well-defined obligation to retain telecommunications data may be justified under certain very strict conditions’. This goes beyond the Romanian Constitutional Court decision, that rules the principle of data retention incompatible with Article 8 of the European Convention on Human Rights. And the Opinion does not mention an essential observation by the German Constitutional Court in §218: that surveillance measures may not exceed an absolute overall constitutional threshold that exists for the collection of personal data by governments, and that telecommunications data retention would bring the surveillance situation in Germany very close to this barrier. Future surveillance measures may therefore be found unconstitutional not for being disproportionate in themselves, but for exceeding this absolute overall surveillance barrier.
We know that the effectiveness of wholesale data retention is highly questionable, as can be demonstrated when comparing crime clearance rates during periods with and without data retention in for example Germany. So maintaining blanket and superfluous data retention jeopardises the constitutionality of future, more effective investigation measures. Since the Directive is unlawful, data retention can’t ever be justified as a principle and data retention is an ineffective tool, it is in the interest of both privacy and law enforcement to abolish data retention altogether.
This contribution is based upon an article in the EDRi-gram, the bi-weekly newsletter about digital civil rights in Europe. Bits of Freedom is a founding member of EDRi, the European umbrella organisation of 29 civil rights organisations in 19 EU Member States.