Data Retention Revisited European Digital Rights 20 Rue Belliard, 1040 Brussels www https://edri.org twitter @edri_org tel +32 (0) 2 274 25 70 Distributed under a Creative Commons 4.6 License: https://creativecommons4org/licenses/b1-nc-sa7546 Authors: Melinda Rucz, Sam Kloosterboer Co-supervisor: Diego Naran o, EDRi "his publication has bene#ted from the input o$ the EDRi net%or& including Kristina Irion and Sarah Es&ens from the Institute for In$ormation La% ('*iR), Re o Zenger from Bits o$ Freedom, /esper Lund from IT Pol Denmar&, Romain Robert from no1b, Dou%e Kor$$ from fipr, Christiana Mauro from AK Vorrat and Walter van Holst from Vri schri$t4 Contents 65 !8ecutive Summar1 69 Back from the Dead: Data Retention in the E: 6; (egal Framewor& 6< "he Impact of Data Retention Practices on .undamental Rights => Strict Necessity: Proven or Assumed? =; Issues with the !$fectiveness of Data Retention Practices >= An Inherently High Data Security Ris& >@ A False Appeal to Harmonisation Executive Summary "his report critically revisits the question o$ data retention, and concludes that the ongoing aspirations to reintroduce a data retention obligation in the !: remain in violation o$ !: la% as long as the strict necessit1 o$ data retention is unproved and no genuinel1 targeted retention obligation is considered4 .ollo%ing the judgments o$ the Court o$ /ustice o$ the !uropean Union in Digital Rights Ireland and Tele2/Watson, it appeared that the sun had set on blan&et data retention in Europe4 Ho%ever, the data retention saga continues %ith rene%ed attempts to reinstate an !: legislative frame%or& for blan&et retention o$ telecommunications data4 Data retention practices are highly privac1 intrusive as the1 reveal vast personal, even sensitive, information about the persons %hose data is retained4 Retention o$ telecommunications data discourages the contacting o$ single purpose numbers and undermines the protection o$ journalistic sources4 An inherently high ris& o$ securit1 breaches only ampli#es these harmful e$fects o$ data retention, %ith numerous c1berattac&s, data lea&s, data abuses and misuses documented4 In light of the far-reaching negative implications of data retention for fundamental rights, the Court of Justice of the European Union has required data retention practices to !e strictly necessary" #evertheless, the necessity of data retention for la$ enforcement purposes is most often simply assumed, while evidence is lac%ing a!out the marginal !ene&ts of data retention compared to less intrusive alternatives" 'oreover, data errors, incorrect interpretations and false positives raise serious uestions a!out the effectiveness of !lan%et data retention" (he !lind !elief in the effectiveness of data-driven solutions manifests a $orrying trend to$ards technological solutionism. )hile calls to reintroduce data retention often voice the need for harmonisation and legal certainty, enforcing the Court*s +udgments must !e the default solution to ensure a harmonised approach to data retention in Europe. (his report critically revisits the uestion of data retention, and concludes that the ongoing aspirations to reintroduce a data retention o!ligation in the EU remain in violation of EU la$ as long as the strict necessity of data retention is unproved and no genuinely targeted retention o!ligation is considered" 4 ," -ack from the Dead. Data Retention in the EU Mandator1 retention o$ communications data b1 telecommunications providers has inspired signi#cant privac1 concerns in !urope4 "he !: Data Retention Directive, prescribing blan&et retention o$ all communications metadata, spar&ed %idespread controvers1 around !urope4 According to the !uropean Data 0rotection Supervisor )!D0S+, the Directive %as “the most privac1 invasive instrument ever adopted b1 the !:C4= 'n the seminal Digital Rights Ireland ruling, the Court of /ustice of the European Union (C/!:+ invalidated the Directive because of its privac1 intrusive nature4 'n the subseAuent Tele2/Watson decision, the C/!: con#rmed that !: Member States ma1 not impose an indiscriminate data retention obligation on telecommunications providers4 'n these cases, the C/!: has made clear that an1 data retention obligation is illegal unless the retention is targeted and is limited to %hat is strictly necessar1 in terms o$ the persons a$fected, the categor1 o$ data retained and the length o$ retention4 Regardless o$ the categorical condemnation o$ general data retention b1 the highest court o$ !urope, the issue o$ data retention continues haunting the agenda of political institutions of Europe4 As a report b1 0rivac1 'nternational in >6=; reveals, !: Member States are reluctant to conform their national data retention practices to the reAuirements laid do%n in clear terms b1 the C/!:4> 'n >6=;, the Council o$ the !: initiated a ‘reflection process’, “e8ploring optionsC to ensure the availabilit1 o$ communications data for la% enforcement authorities4 "he reflection process has largely focused on the concept of ‘restricted data retention’, proposed b1 !uropol. "his envisages = !uropean Data 0rotection Supervisor, D"he Gmoment o$ truthG $or the Data Retention Directive: !D0S demands clear evidence o$ necessit1F )@ December >6=6+, available at: https:77edps4europa4eu7sites/edp7#les/edpswebHpress_releases/edps->6=6- =;HdataHretentionHdirectiveHen4pd$4 > 0rivac1 'nternational, DNational Data Retention (a%s since the C/!:Fs "ele->72atson /udgmentF )September >6=;+, available at: https:77privac1international4org7sites/de$ault7#les/>6=;-=>7DataI>6RetentionH>6=;4pd$4 5 the e8emption o$ categories o$ data from the retention obligation that are “not even potentially relevantC for la% enforcement, citing the length o$ the antenna or the number o$ ringtones as e8amples4@ As the C/!: has ruled that it is unla%ful to mandate the retention o$ data o$ people %ho are not even in a remote connection to serious crime, it is hard to see ho% ‘restricted data retentionF would pass the test4 In Ma1 >6=<, the Council concluded the reflection process, calling on the European Commission to consider a future legislative initiative on data retention4 'n the meantime, negotiations continue on the revision o$ the e0rivac1 Directive, protecting privac1 and con#dentialit1 o$ communications4 "he Council’s reflection process has made clear the preference o$ Member States to establish a more favourable environment $or data retention in the revised e0rivac1 Regulation, $oreshado%ing the potential o$ introducing a data retention obligation through the bac& door4 .urthermore, the outbrea& o$ the coronavirus crisis has triggered an increasing demand for telecommunications data to be shared %ith governmentsJ and some have pointed to this tendenc1 to call for a ne% harmonised data retention legislation of the E:45 'n light o$ the demonstrable attempts to bring data retention bac& from the dead, it is necessar1 to critically revisit the Auestion4 "he !uropean Commission has ordered a stud1 $or “possible solutionsC $or data retention in order to navigate its contemplation o$ a potential legislative initiative $or a ne% data retention frame%or&4 "he plans $or this stud1 have been partially published4 Regrettably, as Digital Courage highlighted the stud1 appears $ar from independent49 "he plans reveal a biased focus on the needs and interests o$ la% enforcement, and a lac& o$ assessment o$ the impacts o$ data retention on the fundamental rights o$ !uropean citizens4 "his report has been prepared to complement the stud1 ordered b1 the Commission4 't %ill critically assess the impact o$ data retention on fundamental rights and freedoms, evaluate the necessit1 and e$fectiveness o$ data retention and discuss threats posed b1 data retention such as misuse, abuse and data lea&s4 @ !uropol, D0roportionate Data Retention $or (a% !n$orcement 0urposes’ )September >6=;+, available at: http:77%%%4state%atch4org7 ne%s/>6=K7$eb7eu-council-data-retention-europol-presentation-targeted-data-ret-%&-<<9;-=;4pd$4 5 .or e8ample: 0atrícia Corrêa, D(ocation privac1 and data retention in times o$ pandemic and the importance o$ harmonisation at !uropean levelF )April >6>6+, available at: https:77blogs.&cl4ac4u&7&slreuropeanla%blog7?pN=59KO4PtogQ-dSK>84 9 Digital Courage, D-lan&et Data Retention: -iased Stud1 the !: CommissionF )March >6>6+, available at: https:77digitalcourage4de7blog7>6>67data-retention-biased-stud1-b1-the-eu-commission4 6 /" 0egal 1rame$or% "he Charter o$ .undamental Rights o$ the !: )Charter+ a$$ords protection to the right to privac1 and communications freedom in article ;, and the right to protection o$ personal data in article K4 According to article 5> of the Charter an1 limitation on the e8ercise of articles 7 and 8 must be provided b1 la%, respect the essence o$ the rights and freedoms, genuinel1 meet an objective o$ general interest and satis$1 a proportionalit1 test4 Charter rights that correspond to rights in the !uropean Convention on 3uman Rights )!C3R) must be interpreted in accordance %ith the meaning and scope of the !C3R rights4Q Article 8 of the EC3R safeguards the right to private and family life, which also encompasses the right to protection of personal data4 "he !uropean Court of 3uman Rights )!Ct3R) has invo&ed article 8 o$ the !C3R to condemn data retention practices in various cases and has consistentl1 held that indiscriminate data retention constitutes an interference %ith article K !C3R4; "he !Ct3R’s jurisprudence on data retention is an important guiding authorit1 for the interpretation of the relevant Charter