This week, the European Union’s top court invalidated the EU’s data retention law, calling into question whether blanket data retention can ever be consistent with human rights requirements. This decision is a major victory for digital rights groups which have worked to rescind the law since its adoption in 2006. It is also signals to the US that any new data retention mandate that may be percolating as part of surveillance reforms would raise serious privacy concerns.
Data retention mandates are laws that require companies to store personal data for a set period of time. At issue was the EU Data Retention Directive, which requires telecom providers across the EU to collect and store all user Internet traffic, phone, and location data for up to two years. While the mandate’s purpose was to ensure such data was available to investigate and prevent serious crime, including terrorism, telecom firms were required to retain the data of all individuals, not just those connected to an investigation.
The European Court of Justice (ECJ) found that the blanket nature of the mandate invaded the privacy of those “persons for whom there is no evidence capable of suggesting that their conduct might have a link, even an indirect or remote one, with serious crime.” It said the directive’s “wide-ranging and particularly serious” interference with fundamental rights affected “practically the entire European population,” flouting the principle of proportionality. The Court’s ruling also renders unenforceable laws EU member states enacted to comply with the directive.
The ECJ is just the latest body to evaluate the legitimacy of blanket data retention requirements. On March 27, the UN Human Rights Committee weighed in for the first time on privacy and digital surveillance, expressing concern about the National Security Agency’s (NSA) surveillance programs. Critically, to safeguard privacy, the committee called on the US to “refrain from imposing mandatory retention of data by third parties.”
These opinions send a clear message across the Atlantic, where the Obama administration continues to float trial balloons on possible surveillance reforms.
The administration has pledged to end a program that has allowed the NSA to collect all phone records in bulk from phone companies, implicating the privacy of millions of people. In a proposal outlined last month, the US government would no longer collect phone records. Instead, the data would stay with companies, and the government could only seek information about specific numbers. Yet unnamed US officials stated that the plan may require phone companies to collect and store user data that they currently are not legally obligated to keep, raising the specter of new data retention requirements as part of proposed reforms.
In considering possible reforms, the US should heed growing global agreement that blanket data retention mandates are a no-go. To ignore the ECJ’s ruling would only exacerbate cross-Atlantic tensions over data protection and the right to privacy.