19 April 2023
The Swedish Presidency of the Council proposed to create a High-Level Expert group on data retention to strike a new "balance" between the right to privacy and the right to security, according to two documents published by Statewatch. Member state feedback has been enthusiastic. The aim is to change the rhetoric on surveillance to facilitate the adoption of new rules. The expert group format of discussion and the participation of civil society are still to be decided, with the Commission and the Council likely to co-chair.
At the informal meeting on Justice and Home Affairs on 26 January 2023 (pdf) ministers discussed, under the agenda point "going dark", the challenges judicial and law enforcement agencies face in effectively accessing relevant data in order to fight crime. To follow up on those discussions at the EU level, the Presidency proposed establishing a High-Level Expert Group (HLEG) to define the challenges related to access to data and to recommend measures to address them.
“These challenges include, inter alia, the need for effective approaches to access encrypted communications, the need for enhanced international cooperation to ensure access to evidence due to inherent cross-border nature of digital services, the need for a clear framework for data retention, the increased need for effective instruments and methods to address the volatility of electronic information, and the jurisdictional concerns engendered by the loss of location.”
The Swedish presidency added that:
“...the HLEG on information systems and interoperability was key in overcoming the previously prevailing silo approach and proposing concrete ways forward. This positive experience could serve as inspiration to address the similarly cross-cutting issue of access to data.”
At the request of the Swedish Presidency, member states submitted their views on the proposal (pdf).
All submissions highlighted the importance of the discussion and supported the initiative. The French illustrated their remarks by mentioning “the most striking example in recent years [..] Encrochat and Sky ECC cases”, two private messaging apps hacked by the French authorities.
Hundreds of suspects all around Europe were apprehended following the sharing of the data with Europol. The case illustrates the legal problems individuals are facing when data are being shared without care for legal safeguards and respect for the lawfulness of evidence.
In both hacking cases the French authorities did not provide sufficient information to guarantee the accuracy of the obtained data and the technical parameters of the hacks were suppressed on grounds of "defence security". Last year, a judge at the Berlin regional court lodged a preliminary reference request with the Court of Justice of the European Union (CJEU) to verify whether the sharing and use of evidence obtained from the EncroChat hack complies with EU law.
Break the CJEU’s gridlock
Member States have clearly expressed opposition to the “now constant case law of the CJEU on data retention and access in a law enforcement context” as noted by the French submission.
Since the Digital Rights Ireland judgment in 2014, the CJEU has issued a number of similar decisions against massive and indiscriminate retention of personal data for law enforcement purposes. The "data retention saga" shows, according to the academic Maria Tzanou, a trend of judicial pushback against the normalisation of surveillance.
However, the latest CJEU ruling in La Quadrature du Net might be the sign of a new approach. The court admitted that general and indiscriminate bulk retention is permitted where there is a "serious threat" to national security which is "genuine and present or foreseeable," so long as this is limited in time to what is "strictly necessary," and is "subject to effective review" either by a court or by an independent administrative body whose decision is binding.
Judge Pinto De Albuquerque commented that the ruling "fundamentally alters the existing balance in Europe between the right to respect for private life and public security interests." Is the change in the Court's jurisprudence heralding a new right to security? Up until now, the right to liberty and security in Article 6 of the EU's Charter of Fundamental Rights has been understood as an auxiliary of the right to liberty. So far, no autonomous meaning has been assigned to the concept of security.
It appears this questioning didn’t fall on deaf ears and, to break the gridlock, the Swedish Presidency claimed that it is time to reassess "the balance to be struck between the right to privacy and the right to security."
Estonia praised the Swedish Presidency for their statement defending the rights of the victims and:
“...the understanding [that] begins to emerge that there are other fundamental rights as well that must be guaranteed: the safety and security of everyone, everyone's right to life and health, etc.”
The objective of this change of rhetoric was clearly laid out by Slovakia, which is:
“...convinced that a change in such a terminology can eventually lead to a change in political perception in the European Parliament which will be crucial for any future changes to secondary legislation interpreted by the Court of Justice of the EU.”
Will the HLEG seek to bury the right to privacy to protect national security?
This is undoubtedly a worrying development at a time when the definition of terrorist suspect is interpreted widely by member states. A shocking example is the case of a French publisher arrested in London on suspicion of being engaged in terrorist acts or in possession of material for use in terrorism. The reason given by the English police was his participation in a demonstration... in France. He was arrested and later accused of obstruction because of his refusal to give up his phone and passcodes to the officers.
High-Level Expert Group: discussion behind closed doors?
While a lot is expected by member states from the discussion of the HLEG, the format of the discussion will be decisive. The Swedish Presidency's suggested participants are representatives from the European Parliament, academia, representatives of the industry and representatives of non-governmental organisations.
The legal framework for their participation is still under discussion, "especially when it comes to private bodies"; the Greek representation further argued that "the terms of the invitation, participation and utilisation of the input of non-institutional actors should be more clearly detailed and agreed upon." Respect for the confidentiality requirement is particularly important in that context, recalled the French.
The rules on expert groups at the European level have evolved enormously since the intervention of the European Ombudsman, which recommended the principle of a balanced representation of all relevant interests in each expert group. In their remarks on the Presidency plan, member states have however mostly been "positive about the involvement of data protection industry representatives and cooperation with academia," as stated by Poland.
The Fundamental Rights Agency has, on the other hand, argued that the experts “should include not only actors from the industry developing and marketing tools for data analytics in law enforcement, but also actors that can independently assess these tools with respect to their efficacy, technical feasibility and their potential rights implications.”
While the HLEG on information systems and interoperability is the model, as recalled by Latvia, confidentiality requirements have evolved since its creation in 2016. The European Commission originally did not publish the names of the members, including the member states' authorities, or those of the observers in the public register of expert groups. Following the intervention of the European Ombudsman, after a complaint, the European Commission updated its transparency policy.
The growing number of EU digital policies should “benefit” justice and home affairs actors whilst “addressing and minimizing the associated risks,” the Swedish Presidency of the Council argues in a recent discussion paper. The Council’s internal security committee, COSI, should continue to “monitor and discuss” relevant legal proposals to create “a positive narrative… on the justice and internal security needs related to technological development and digitalization,” says the document.
In order to implement a recent Council Recommendation on increasing operational cooperation between law enforcement authorities, the Swedish Presidency has produced a "roadmap" to show the state of play in each member state.
Statewatch does not have a corporate view, nor does it seek to create one, the views expressed are those of the author. Statewatch is not responsible for the content of external websites and inclusion of a link does not constitute an endorsement. Registered UK charity number: 1154784. Registered UK company number: 08480724. Registered company name: The Libertarian Research & Education Trust. Registered office: MayDay Rooms, 88 Fleet Street, London EC4Y 1DH. © Statewatch ISSN 1756-851X. Personal usage as private individuals "fair dealing" is allowed. We also welcome links to material on our site. Usage by those working for organisations is allowed only if the organisation holds an appropriate licence from the relevant reprographic rights organisation (eg: Copyright Licensing Agency in the UK) with such usage being subject to the terms and conditions of that licence and to local copyright law.