Privacy International, Liberty, and Open Rights Group joined other organisations across the EU to file complaints over Member States’ non-compliance with mass surveillance rulings
Privacy International, Liberty, and Open Rights Group have joined over 60 NGOs, community groups, and academics across the European Union to file complaints to the European Commission. The complaints call for the EU governments to stop requiring companies to store all communications data. The practice was ruled unlawful by the Court of Justice of the European Union (CJEU) in two separate judgments in 2014 and 2016. The UK complaint was filed by Privacy International, Liberty, and Open Rights Group.
Blanket and indiscriminate retention of communications data — who we interact with, as well as when, how, and where — is a very intrusive form of surveillance. Communications data is no less sensitive than the content of communications.
Despite two major rulings by the CJEU, which made blanket and indiscriminate retention of personal data unlawful, the majority of EU Member States have yet to stop the form of surveillance. While member states continue to discuss behind closed doors how to address the implications of the CJEU rulings, there is an urgent need to implement the jurisprudence of the CJEU by reforming national data retention laws. Privacy International is concerned by attempts by some Member States to circumvent the jurisprudence of the CJEU. We are also concerned by the lack of transparency of the process thus far.
It is clear that current data retention regimes in Europe violate the right to privacy and other fundamental human rights. In particular the CJEU has made clear that general and indiscriminate retention of communications data is disproportionate and cannot be justified.
Complaints have been filed in 11 EU Member States: Belgium, Czech Republic, France, Germany, Ireland, Italy, Poland, Portugal, Spain, Sweden and United Kingdom.
Tomaso Falchetta, Head of Advocacy and Policy at Privacy International said:
“There should have been no need for Privacy International and our colleagues across Europe to file complaints to the European Commission today. Governments have already been told clearly and unequivocally through two key rulings that they must stop blanket and indiscriminate retention of personal data. In a world when more and more data can be generated, collected, shared, and exploited by governments and companies alike, strong privacy protections must be enforced.”
Corey Stoughton, Advocacy Director at Liberty said:
“Our Government knows full well that it’s breaking the law. Every single day intelligence agencies collect details of thousands of our calls and messages in arrogant defiance of the courts. By invading our privacy they undermine our free press, our freedom of speech and our ability to explore new ideas.
“In a democratic society no one is above the law — and that includes politicians in power. Our client Tom Watson won his case in January. It’s time the Government stopped spying on innocent people and built a surveillance system that targets those who pose a genuine threat.”
Jim Killock, Executive Director at Open Rights Group said:
“The courts were completely clear: no blanket retention. Governments do not get to pick and choose what courts tell them. When they do, they undermine the rule of law itself.”
Notes for Editors
- Directive 2006/24, which required the collection and retention of personal data, significantly infringed privacy and data protection of people. Although it expressly excluded the content of telephonic or electronic communications and the communicated information from its scopes, it obliged Member States to ensure the conservation of personally identifiable data and allowed investigatory authorities to trace back a person’s communication patterns and online activities.
- Four years ago, the CJEU judged that Directive 2006/24/EC was invalid (CJEU April, 8th 2014, Digital Rights Ireland) and, more than a year ago, the Court reiterated the same points, clearly and without ambiguity (CJEU, December 21st 2016, Tele2 Sverige/Watson).
- In Tele2 Sverige/Watson judgment, the Court stated that: “Such legislation does not require there to be any relationship between the data which must be retained and a threat to public security. In particular, it is not restricted to retention in relation to (i) data pertaining to a particular time period and/or geographical area and/or a group of persons likely to be involved, in one way or another, in a serious crime, or (ii) persons who could, for other reasons, contribute, through their data being retained, to fighting crime (…). National legislation such as that at issue in the main proceedings therefore exceeds the limits of what is strictly necessary and cannot be considered to be justified, within a democratic society”.
- The Court’s judgments must apply to all similar legislations across the European Union. Yet, we have found that at least 17 EU Member States still implement national measures mandating general and non-targeted bulk data retention, thus directly infringing the CJEU’s interpretation of data retention law and interfering indiscriminately in each individual’s rights to the respect for private and family life, the protection of personal data, and freedom of expression. These countries are: Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, France, Germany, Hungary, Ireland, Italy, Luxembourg, Poland, Portugal, Slovenia, Spain, Sweden, and the United Kingdom (see https://privacyinternational.org/sites/default/files/2017-12/Data%20Retention_2017.pdf). On the issue of data retention, these countries’ legal frameworks do not comply with the case law of the CJEU.
- Today, 60 organisations, community networks and academics in 19 EU Member States are sharing their concerns to the European Commission, to demand action, and to stand for the protection of fundamental rights enshrined in Articles 7, 8 and 11 of the Charter of Fundamental Rights of the European Union, as interpreted by the Grand Chamber of the CJEU. We call for the application of sanctions for non-compliant Member States by referring to the CJEU, which should logically strike down all current data retention national frameworks. See dedicated website for this campaign: http://stopdataretention.eu