01 March 2021
The Portuguese Presidency of the Council of the EU is continuing long-standing discussions on the retention of telecommunications data for the purposes of law enforcement, with the focus currently on "selective/targeted retention" and "retention of source IP addresses and civil identity data".
After the Court of Justice of the EU struck down the 2006 Data Retention Directive in April 2014, member states have been keen to find a way to bring back EU-wide rules mandating the retention of telecommunications metadata: the who, why, when and where, but not the what, of phone calls, web and internet usage.
In the interim, a number of further rulings have clarified the situations in which Europe's top judges deem such surveillance measures might be permissible - and it is these situations that the Council will be discussing, according to a Portuguese Presidency paper obtained by Statewatch.
See: Examination of the ECJ rulings of 6 October 2020 (case C-623/17 and joint cases C 511/18, C-512/18 and C-520/18) - presentation by the Presidency and exchange of views (6231/21, LIMITE, 19 February 2021, pdf, emphasis added)
a) Regarding selective/targeted retention, we invite Member States to comment on the following:
1. Considering the recent jurisprudence of the Court of Justice, what are the Member States' views on the categories of data that should be retained based on law enforcement operational needs? How can the categories be limited e.g. volume, sensitivity, retention period etc.?
2. What are Member States views on the means of communication that should be covered? What are their views on the types of providers, including OTTs [over-the-top services]? Can these be limited based on size, geographical coverage, number of subscribers, cross-border presence?
3. Do Member States consider the reference to categories of person in the recent Court of Justice case-law problematic? How could such concept be developed and applied having in mind nondiscriminatory concerns? What kind of objective criteria can be applied to defining such a category of persons?
4. What would Member States consider an appropriate retention period? Which objective criteria can be applied to determine such a period, e.g. sensitivity of the data?
b) Regarding the retention of IP addresses and civil identity data, we would like to invite the Member States to comment on the following:
1. Do Member States interpret the possibility of retention of source IPs addresses, established in the recent case law of the Court, as including both static and dynamic IPs? Would or should this include source-port numbers? What are the views on only retaining source but not destination IP addresses?
2. Do Member States consider it to be in line with the jurisprudence of the ECJ that Internet Protocol addresses, strictly needed to identify a subscriber, should include first login IP, last login IP or the login IP used at a specific moment in time? Should this be considered as 'subscriber' or 'traffic' data if the IP address is used solely to identify a person?
3. Considering the ECJ jurisprudence, do Member States agree that IP addresses for the purpose of identifying a subscriber should be accessed by Criminal Justice Authorities below the threshold of “serious crime”, in line with the ECtHR jurisprudence (K.U. v. FINLAND, Application no. 2872/02) that considers that "Limiting access to or disclosure of subscriber information to investigations of serious crime would prevent governments from meeting their obligations to protect individuals and their rights against crime"? Which crimes would fall below the serious crime threshold under national laws?"
Spotted an error? If you've spotted a problem with this page, just click once to let us know.
Statewatch does not have a corporate view, nor does it seek to create one, the views expressed are those of the author. Statewatch is not responsible for the content of external websites and inclusion of a link does not constitute an endorsement. Registered UK charity number: 1154784. Registered UK company number: 08480724. Registered company name: The Libertarian Research & Education Trust. Registered office: c/o MDR, 88 Fleet Street, London EC4Y 1DH, UK. © Statewatch ISSN 1756-851X. Personal usage as private individuals "fair dealing" is allowed. We also welcome links to material on our site. Usage by those working for organisations is allowed only if the organisation holds an appropriate licence from the relevant reprographic rights organisation (eg: Copyright Licensing Agency in the UK) with such usage being subject to the terms and conditions of that licence and to local copyright law.