01 August 2017
Data retention: Can the mass retention of data be justified under the planned ePrivacy Regulation?
Follow us: | | Tweet
See "Digital Rights Ireland and Seitlinger and others": The Court of Justice declared the Data Retention Directive to be invalid (Press release, pdf) and Judgment (pdf).
This judgment said that the Data Retention Directive adopted in 2006 has been unlawful since it was adopted. The Court came to the same conclusions in December 2016 in: Watson/Tele2 Sverige AB case: The Members States may not impose a general obligation to retain data on providers of electronic communications services (Press release, pdf) and Full-text of CJEU judgment (pdf)
The Council is now trying to justify mass data retention for the "prevention and prosecution of crime". Council document (LIMITE,11110-17, pdf) asks Member States to consider a "mind map" (see p3).
Seeking a backdoor through the new ePrivacy Regulation
Now the Council's attention has turned to the planned ePrivacy Regulation: Processing and storage of data in the context of the draft ePrivacy Regulation = Introduction and preliminary exchange of views [LIMITE doc no:11107-17, pdf) the:
"Friends of Presidency on Data Retention should examine all legislative and non-legislative options to address the data retention issue, including in the context of the proposed e-Privacy Regulation." [emphasis added]
The Council recognises that:
"In the Tele 2 judgement, the Court ruled that Art. 15(1) of the e-Privacy Directive read in light of Art. 7, 8, 11 and Art. 52 (1) of the Charter of Fundamental rights precludes national legislation in which, for the purpose of fighting crime, provides for general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communications.
The e-Privacy Directive aims to ensure the confidentiality of communications and as a general rule prohibits storage of communication data without the consent of the user concerned, except under certain conditions prescribed by law. The Court confirms that Art. 15(1) allows Member States to introduce exceptions from the obligation of principle of confidentiality, but since this is a restriction of rights, it takes a strict interpretation of the provision. The Court upheld that "(t)hat provision cannot, therefore, permit the exception to that obligation of principle and, in particular, to the prohibition on storage of data, laid down in Article 5 of Directive 2002/58, to become the rule, if the latter provision is not to be rendered largely meaningless"(paragraph 89) [emphasis added].
"Article 6 lists the situations where processing of communication data is allowed, e.g. to meet quality of service requirements, for billing purposes, detecting or stopping fraudulent use of communication services, or upon consent of the end-user for specified purposes.
Article 7 requires erasing content and metadata or making it anonymous when no longer needed for the purposes of transmission, but allows keeping it for billing purposes under the conditions of paragraph 3.
Article 8 sets out the grounds for collecting of information from end-users terminal equipment (including cookies) or the collection of information emitted by terminal equipment to enable it to connect to another device (Wi Fi tracking).
Article 11 allows the EU or Member States to legislate on restrictions of the scope of rights and obligations under the regulation that are necessary, appropriate and proportionate to safeguard one or more of the general public interests referred to in Article 23(1)(a) to (e) of the GDPR." [emphasis added]
Footnote 8 states that
"Article 23 (Restrictions), GDPR
1. Union or Member State law to which the data controller or processor is subject may
restrict by way of a legislative measure the scope of the obligations and rights provided for
in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:
(a) national security;
(c) public security;
(d) the prevention, investigation, detection or prosecution of criminal offences or the
execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
(e) other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State,
including monetary, budgetary and taxation a matters, public health and social security;
(f)the protection of judicial independence and judicial proceedings;
(g) the prevention, investigation, detection and prosecution of breaches of ethics for
(h) a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) and (g); (i)the protection of the data subject or the rights and freedoms of others;
(j) the enforcement of civil law claims." [emphasis added]
However, Article 2(2)(d) of the draft ePrivacy Regulation says:
"excludes from the application of the Regulation the activities of competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security."[emphasis added]
The Council Presidency Note ends up by asking whether:
"For the purposes of the prevention and prosecution of crime, to what extent can competent authorities rely on traffic and location data processed for billing and interconnection payments or for detecting or stopping fraudulent or abusive use of, or for the subscription to, electronic communication services ? Would these data be sufficient to respond to the operational needs of competent authorities for the purposes of the prevention and prosecution of crime?" [emphasis added]
Background: Council in a twist over data retention judgment (Statewatch News)
Spotted an error? If you've spotted a problem with this page, just click once to let us know.
Statewatch does not have a corporate view, nor does it seek to create one, the views expressed are those of the author. Statewatch is not responsible for the content of external websites and inclusion of a link does not constitute an endorsement. Registered UK charity number: 1154784. Registered UK company number: 08480724. Registered company name: The Libertarian Research & Education Trust. Registered office: 10 Queen Street Place, London EC4R 1BE. © Statewatch ISSN 1756-851X. Personal usage as private individuals "fair dealing" is allowed. We also welcome links to material on our site. Usage by those working for organisations is allowed only if the organisation holds an appropriate licence from the relevant reprographic rights organisation (eg: Copyright Licensing Agency in the UK) with such usage being subject to the terms and conditions of that licence and to local copyright law.