20 November 2017
Member State data retention regimes - what's changed? The answer is very little so far
Follow us: | | Tweet
See: 2014: "Digital Rights Ireland and Seitlinger and others": The Court of Justice declared the Data Retention Directive to be invalid (Press release, pdf) and Judgment (pdf) and in December 2016: Watson/Tele2 Sverige AB case: The Members States may not impose a general obligation to retain data on providers of electronic communications services (Press release, pdf) and Full-text of CJEU judgment (pdf).
A review by Eurojust summarises current national laws and the observations of law enforcement agencies (LEAs) in answer to a questionnaire: Data retention regimes in Europe in light of the CJEU ruling of 21 December 2016 in Joined Cases C-203/15 and C-698/15 - Report (LIMITE doc no:10098-17, pdf).  At the outset the report says:
"For the sake of this questionnaire, the term data retention applies to non-content data (subscriber information, traffic, location and other transactional data) retained by Internet Service Providers (ISPs)." [ie: metadata]
Mandatory data retention regimes
"three types of legal regimes emerge from the replies:
- The vast majority of the countries do not have targeted data retention rules within the categories of location/traffic data, users/subscribers, and means of communication (internet/telephone).
- One country (DE) reported that it excludes some targeted users/subscribers from the retention obligation in the legislation that is to come into force in July 2017, as is the situation for (...) data pertaining to telephone connections to and from persons, public authorities or organisations in the social or the church domain that offer anonymous counselling as well as (...) data about websites being visited or regarding e-mail. This legislative model approaches the targeting criterion detailed in the CJEU judgement, but differs in so far as it stipulates data that may not be retained from a particular category of users/subscribers as opposed to targeting specific data to be retained.
- Finally, some countries (AT, NL, RO, SI, SK) reported that they do not have data retention laws for law enforcement purposes only, following the annulment of their previous laws by their constitutional/high courts in accordance with the DRD judgement. As a result, they all reported using data collected by private operators for business or/and commercial purposes. The questionnaire did not address the retention scheme in this context."
"The vast majority of the respondents (23) outline that a judicial review is required, prior to or after the request for access has been made. In most countries, prior authorisation/judicial review is required before access is granted to law enforcement (LEA). This review takes the form of a court order/order of an investigative judge, or an order by a prosecutor (...)
Two countries (BE and DE) reported restrictions regarding the access to data related to professions enjoying privileged communications (e.g.: lawyers, journalists, doctors)."
Impact of CJEU ruling
"The effect of the CJEU ruling on the availability and admissibility of evidence gathered from ISPs is or will consequently also be noticeable in the area of cross-border judicial cooperation in criminal investigations.
Both the ability of authorities to provide data to other countries upon their request as well as the possibility to receive and use data gathered from other countries, could potentially be affected by the CJEU ruling."
"The data retention legislative framework has either been changed, is currently being reviewed and/or has been subject to developing judicial precedent in a significant number of countries. With so many countries currently reviewing their domestic legislation to design data retention regimes that meet the requirements of the judgement, and so many variables at play, the potential for continued legislative disharmony within in the European Union is considerable."
Annex 1 contains useful national responses to the Questionnaire (pp.14-23).
Council Presidency Note
The Presidency has circulated a Note to Member States which is largely devoted to exploring how they can work around the court judgments: Retention of communication data for the purpose of prevention and prosecution of crime - specific elements in light of the ECJ case-law = exchange of views (LIMITE doc no: 13845-17, pdf).
The CJEU was clear the collection of data has to be restricted to and targeted on terrorism and serious crime if it is to meet the test of proportionality. This Note appears to want any changes to apply to crime as a whole.
 Previous: Eurojusts analysis of EU Member States legal framework and current challenges on data retention (LIMITE doc no:13085-15, dated 26 October 2015, pdf)
Spotted an error? If you've spotted a problem with this page, just click once to let us know.
Statewatch does not have a corporate view, nor does it seek to create one, the views expressed are those of the author. Statewatch is not responsible for the content of external websites and inclusion of a link does not constitute an endorsement. Registered UK charity number: 1154784. Registered UK company number: 08480724. Registered company name: The Libertarian Research & Education Trust. Registered office: c/o MDR, 88 Fleet Street, London EC4Y 1DH, UK. © Statewatch ISSN 1756-851X. Personal usage as private individuals "fair dealing" is allowed. We also welcome links to material on our site. Usage by those working for organisations is allowed only if the organisation holds an appropriate licence from the relevant reprographic rights organisation (eg: Copyright Licensing Agency in the UK) with such usage being subject to the terms and conditions of that licence and to local copyright law.