ORGcon 2014
Data Retention Takedown
Some notes from the UK’s biggest digital rights conference, this year focussing on government surveillance
Saturday, 15 November, 2014: Several hundred people interested in digital rights congregate at King’s College London’s Waterloo campus, for the Open Rights Group’s 2014 conference. I am proud to have been elected to the board of ORG in 2013, having been a founding member of the Advisory Council, so I figured I should share some of my notes from the conference.
I’ve already written about Cory Doctorow’s opening keynote, but there were many other sessions across the day. To avoid these pieces becoming too unwieldy, I’m covering individual sessions in each piece. I didn’t attend this session myself, so apologies for the somewhat sketchy write-up, based mainly on the speaker’s notes and omitting any record of the Q&A discussion.
While I was in the panel discussion on the topic “Nothing to hide, nothing to fear” and the other side-room hosted the session “TTIP on the horizon”, the third talk at 1200–1250 was about a recent legal victory in Luxembourg.
Digital Rights Ireland, a small campaign group of volunteers, successfully won a ruling at the European Court of Justice, which declared that the Data Retention Directive was invalid. This had a major impact on the legal basis for data retention. Their solicitor in the case, Simon McGarr (pictured here, with Elizabeth Knight, ORG’s legal director), explained how they did it.
Data retention is where telecoms providers (phone companies and ISPs) store records of our communications — things like who we called and when, which websites we visited, where our phone has been and so on — for longer than they strictly need it, such as for billing.
The Data Protection Directive (Directive 95/46/EC) requires organisations to delete our personal data once they no longer need it; the Data Retention Directive (Directive 2006/24/EC), however, required the opposite — it requires member states to store citizens’ telecommunications data for between 6 and 24 months for law enforcement and intelligence agencies’ potential access. To quote EFF:
Since its passage, the EU Data Retention Directive has faced intense criticism. The Directive lacked safeguards that limit government collection and access to individuals’ data. It also omitted controls over what the data can be used for.
The specific human rights protections relevant to the issue are Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, which guarantee “the right to respect for [our] private and family life, home and communications” and “the right to the protection of [our] personal data”.
In 2001, Karlin Lillington revealed in The Irish Times that Irish phone companies were retaining data for up to six years. When this practice was challenged by the Data Protection Commissioner, the government stepped in and gave a secret directive to telecoms operators to retain all traffic data (including mobile phone location data) for three years.
The scandal resulting from the discovery of the Ministerial Order led the Irish government to pass data retention provisions in Part 7 of the Criminal Justice (Terrorism Offences) Act 2005. The legality of this — under both EU privacy regulations and the Irish Constitution — was challenged by the Data Protection Commissioner, so Ireland joined the UK and Sweden in pushing for an EU-wide Directive, in an archetypal example of policy laundering.
After repeated attempts to persuade other EU countries and despite the strong reservations of the EU Data Protection Supervisor (PDF), Directive 2006/24/EC passed, making the [slightly reduced] Irish retention powers became immune from Constitutional challenge.
[Sidenote: A good guide to the history of the Data Retention Directive can be seen on DRI’s blog from November 2005, before the Directive passed. The history of retention in Ireland before that can be seen in another post from July 2006, when DRI were preparing their lawsuit.]
Against this background of the Data Retention Directive being brought into being, Dr TJ McIntyre, a law lecturer from University College Dublin, and Damien Mulley, a technologist and blogger, came together in late 2005 to form Digital Rights Ireland, with a particular view to litigation against the data retention powers.
Litigation in Ireland had a handful of specific advantages. Ireland is a common law jurisdiction (so courts can overrule politicians, to oversimplify things). Ireland also has a written constitutional culture, where laws are regularly struck down by the courts. Importantly, though, Ireland is where all the big Internet companies have their datacentres!
DRI started their suit against the Irish government in September 2006 in the High Court of Ireland — DRI’s blogpost launching the case gives a great summary of the details. After delay after delay, the state argued that DRI didn’t have legal standing to pursue the case, they tried to seek “security for costs”, arguing the court should require DRI to make a payment into the court to cover the state’s costs in case DRI were to lose and arguing that it was inappropriate to refer this to the European Court at that stage. Despite the government making moves to retain more data by implementing the Directive in the interim, in May 2010 the High Court ruled in DRI’s favour on all three points, allowing an actio popularis, a suit on behalf of all individuals, rather than for DRI’s own corporate rights. Barely a week later, a leaked review from the European Commission showed that the Directive was fundamentally flawed.
Three years later, in 2013 after a hearing earlier that year, the Advocate General of the Court — who has to give a non-binding opinion before the judges can come to their conclusions — made an important ruling that:
the collection and, above all, the retention, in huge databases, of the large quantities of data generated or processed in connection with most of the everyday electronic communications of citizens of the Union constitute a serious interference with the privacy of those individuals, even if they only establish the conditions allowing retrospective scrutiny of their personal and professional activities. The collection of such data establishes the conditions for surveillance which, although carried out only retrospectively when the data are used, none the less constitutes a permanent threat throughout the data retention period to the right of citizens of the Union to confidentiality in their private lives. The vague feeling of surveillance created raises very acutely the question of the data retention period…
This was particularly good news as in around 80% of cases the Court follows the opinion of the Advocate General.
DRI benefited greatly from their membership of EDRi and their ability to share information with other groups in Europe. [Disclosure: The Open Rights Group is also a member of EDRi.] DRI’s data retention case was ultimately merged with a similar case from Austria, which helped signal to the ECJ that this was a matter of importance throughout Europe.
On 8 April 2014, the European Court of Justice declared the Data Retention Directive invalid, with back-dated force. So Data Retention was struck down in every member state, but the challenge of implementing that decision in the individual states still remains.
- The Austrian Constitutional Court struck down their data retention law (PDF) on 27 June 2014
- The Romanian Constitutional Court declared their data retention law unconstitutional on 8 July 2014
- The Slovak Constitutional Court suspended their data retention law on 23 April 2014
- The Slovenian Constitutional Court annulled their data retention law (PDF, in Slovenian) on 3 July 2014
However:
- The Danish Parliament commissioned a study into their data retention law, which predates the Directive. The government’s response is that the Danish retention practice is unaffected by the CJEU ruling.
- In Sweden, ISPs initially stated they would stop retaining data, then the telecoms regulator announced (in Swedish) that they’d suspend enforcement of the law. A government group of experts determined that Swedish data retention legislation is not contrary to EU law, after which most ISPs resumed retention. Despite a 13 October Stockholm court ruling reiterating the legality of the provisions (in Swedish), some ISPs are still resisting, including the ISP Bahnhof, who were threatened with a SEK 5m (£425k) fine by the regulator as a result. Update: When a November 2014 deadline loomed, Bahnhof subverted the regulation by offering free VPNs to all customers.
- In the UK, our previous retention law was a direct transposition of the Directive in secondary legislation and, thus, the legality of the provisions was in doubt. As a result, the government rushed a new data retention law through Parliament without scrutiny. The Data Retention and Investigatory Powers Act 2014 was a piece of “emergency” legislation — like several others, I wrote to my MP at the time — that reinstated the previous powers under new Parliamentary footing, extending the powers slightly. On 17 July, as the bill received Royal Assent, the Dept of Business, Innovation and Skills informed the TRIS that the UK does not consider that the new act requires notification under the Privacy and Electronic Communications Directive (2009/136/EC). Five days later, Liberty announced that they were assisting MPs Tom Watson (Lab) and David Davis (Con) in a Judicial Review of the Act, which is still pending at the time of writing; ORG has applied to make submissions to the Review as an interested third-party.
DRI’s legal action was an unprecedented success; it is great to see a small non-profit manage to take down such an iniquitous example of EU policy laundering. The EFF wrote a case study “How Digital Rights Ireland Litigated Against the EU Data Retention Directive and Won” giving more detail — and on which this write-up has relied in no small part.
ORGcon 2014 was generously sponsored by F-Secure and Andrews & Arnold Ltd. The Open Rights Group exists to preserve and promote your rights in the digital age; we are funded by hundreds of people like you.
This article is dedicated to the public domain under the terms of the Creative Commons Zero licence. Please translate, copy, excerpt, share, disseminate and otherwise spread it far and wide. You don’t need to ask me, you don’t need to tell me. Just do it!
