Data retention may interfere with privacy - ECJ

Thursday 12 December 2013 13.47
Digital Rights Ireland took a case over Government's retention of internet and telephone records
Digital Rights Ireland took a case over Government's retention of internet and telephone records

The European Court of Justice has issued a legal opinion that the obligation on telecoms and internet providers to store data on phone and email traffic for up to two years is a "serious interference" in citizens' fundamental right to privacy.

The opinion is a qualified victory for Digital Rights Ireland, a group campaigning for greater privacy in the area of digital information.

The group had taken a case to the High Court against the Government's retention of internet and telephone records.

That case was then referred by the High Court to the European Court of Justice.

Under the 2006 Data Retention Directive telecoms and network providers are obliged to retain certain categories of data for between six months and two years to make them available to police services investigating criminal activity.

Operators are required to hold data which would identify users, details of phone calls made and emails sent.

Figures issued by the European Commission show that between 2008 and 2012 there were over 14,000 requests for such data by Irish authorities.

There were over 470,000 requests in the UK.

The directive excludes the content of those communications.

In today's legal opinion, the ECJ held that the directive falls foul of the EU's Charter of Fundamental Rights because of the potential to restrict a person's privacy.

Because of this EU governments should have defined in law the "minimum guarantees" that would protect citizens whose data were collected, retained and used.

The court's Advocate General, Pedro Cruz Villalón, said the retention of data relating to emails and phone calls could make it possible to create a "faithful and exhaustive map of a large portion of a person's conduct strictly forming part of his private life, or even a complete and accurate picture of his private identity."

He added that there was an "increased risk" that the retained data might be used for unlawful purposes which could be detrimental to privacy or could be fraudulent or malicious.

He said that the directive did not regulate access to the data collected and retained nor their use.

Furthermore the data was not retained by government bodies but by private service providers.

Because the retention of data was not limited to national territories it could be "accumulated at indeterminate locations in cyberspace."

Overall, the opinion held that the directive limited a citizen's fundamental rights, and that any such limitation had to be defined in EU law.

While acknowledging that such data could be of use to law enforcement authorities in prosecuting serious crime, the Advocate General suggested the retention of data could be limited to less than one year.

He said that the directive should not be deemed "invalid".  Such a finding should be suspended until the EU authorities addressed the privacy concerns through new legislation.

A European Commission spokesperson said that the Commission was in the process of evaluating the Data Retention Directive, examining in particular what the data was being used for, who had access to it, and how long it should be retained for.

He added that there were other directives, such as the e-privacy and data protection directives were currently in the pipeline.

Any revision of the Data Retention Directive would have to take place in conjunction with the other directives and it would also take into account the final judgment of the ECJ.

The full judgment on the issue is expected next year.

In 80% of cases Advocate General opinions are reflected in the final judgment.

Digital Rights Ireland chairman TJ McIntyre welcomed the ECJ’s opinion.

Speaking on the RTÉ's News at One, Mr McIntyre said the directive "introduces a form of mass surveillance.

“It requires telephone companies and internet service providers to log details of literally everything you that you do. So every email you send, every telephone call you make, every text message that you send and also your movements at all time via your mobile phone.

"This law requires them to record all these things and store them for up to two years."

Mr McIntyre said there is not sufficient justification for the directive and believes alternative methods are available that would provide much more privacy to individuals.