Fighting crime doesn’t justify mandatory data retention: European Court of Justice

The European Court of Justice (ECJ) has effectively banned the general use of telecommunications data retention for combating crime across the European Union.

In a judgment delivered by the ECJ’s Grand Chamber on Tuesday, the court ruled that when the objective is combating crime, “the general and indiscriminate retention of traffic and location data exceeds the limits of what is strictly necessary and cannot be considered to be justified within a democratic society”.

“Criminal behaviour, even of a particularly serious nature, cannot be treated in the same way as a threat to national security.”

Traffic data is defined in EU law as “any data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing thereof”.

Location data is “any data processed in an electronic communications network or by an electronic communications service, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service”.

This is more or less the same as what has been called “metadata” in Australia’s data retention debate.

The now-invalid Irish Communications (Retention of Data) Act 2011 required telecommunications providers to retain all metadata for two years, and make it available to the Gardaí, the Irish national police, following a “disclosure request” issued by an officer ranked chief superintendent or above.

A disclosure request could be issued for “(a) the prevention, detection, investigation or prosecution of a serious offence, (b) the safeguarding of the security of the State, [or] (c) the saving of human life.'”

A “serious offence” was defined as one which is punishable by five years or more in jail, or one listed in a schedule to the Act.

Metadata is “no less sensitive” than the content

“In view of the sensitive nature of the information that traffic and location data may provide, the confidentiality of those data is essential for the right to respect for private life,” the court wrote.

The Charter of Fundamental Rights of the European Union guarantees both “the right to respect for his or her private and family life, home and communications” and “the right to the protection of personal data concerning him or her”.

While the Charter protects all personal data, the ECJ noted that traffic and location data is particularly sensitive.

“[Such] data may reveal information on a significant number of aspects of the private life of the persons concerned, including sensitive information such as sexual orientation, political opinions, religious, philosophical, societal or other beliefs and state of health.”

This information enjoys special protection under EU law, for historical reasons which should be obvious.

“Taken as a whole, those data may allow very precise conclusions to be drawn concerning the private lives of the persons whose data have been retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them,” the court wrote.

“In particular, those data provide the means of establishing a profile of the individuals concerned, information that is no less sensitive, having regard to the right to privacy, than the actual content of communications.”

The ECJ judgment does not prevent data retention to address threats to national security, however.

These threats include such things as “protecting the essential functions of the State and the fundamental interests of society through the prevention and punishment of activities capable of seriously destabilising the fundamental constitutional, political, economic or social structures of a country and, in particular, of directly threatening society, the population or the State itself, such as terrorist activities”.

“Unlike crime, even particularly serious crime, a threat to national security must be genuine and present, or, at the very least, foreseeable, which presupposes that sufficiently concrete circumstances have arisen to be able to justify a generalised and indiscriminate measure of retention of traffic and location data for a limited period of time.”

A decision to implement data retention should be “subject to effective review” by a court or an independent administrative body, the court said.

Convicted murderer Graham Dwyer may now be set free

The ECJ decision relates to the 2015 conviction in Ireland of Graham Dwyer for the August 2012 murder of Elaine O’Hara, a childcare worker.

As the Guardian put it, Dwyer had killed O’Hara after “grooming her for sadomasochistic fantasies that included stabbing women during sex”.

“He committed what prosecutors called ‘very nearly the perfect murder’ but was caught and sentenced to life in prison after police tracked his movements through texts and phone data. There were no witnesses or physical evidence,” the Guardian wrote.

“Dwyer appealed on the grounds the retention and accessing of his mobile phone data breached EU law.”

According to the Irish Examiner, families of homicide victims are saying some murders could now go unsolved. They said it was “common sense” that the protection of life should take precedence over rights to privacy.

But as the ECJ noted, “the effectiveness of criminal proceedings generally depends not on a single means of investigation but on all the means of investigation available to the competent national authorities for those purposes.”

Dwyer is not yet free, however. His lawyers must now convince the Irish Supreme Court that the ECJ decision applies retroactively.

European decision gives ammunition to Australian privacy advocates

Australia’s mandatory data retention scheme is similar to the now-discredited Irish system.

Australian telcos must retain metadata for two years.

Officers from a range of agencies above a certain rank may request the retained data to investigate crimes punishable by three years or more in jail — a lower threshold than in Ireland.

In the 2020-2021 financial year, more than 314,000 requests for telco data were made under this system.

The ECJ’s judgment now gives ammunition to Australian digital rights campaigners who have long objected to data retention.

“Australia’s data retention regime is essentially the same as the one the ICJ has found to be unlawful. It should be dismantled immediately,” said Justin Warren, chair of Electronic Frontiers Australia.

“Surveillance is not safety. If Australia wishes to continue to claim to be a democratic society, we must abandon the reflexive surveillance set up to assuage the authoritarian desires of law enforcement and certain political actors. Our individual and collective privacy must be restored,” he told ZDNet.

“Australia needs to decide what sort of country it wants to be. We can either be a liberal democracy or a country that uses indiscriminate mass-surveillance. We cannot be both.”

However unlike the EU, and unlike other liberal democracies, Australia lacks a charter or bill of rights, the document which underpinned the ECJ decision.

In December 2021, the Department of Home Affairs started work on a complete overhaul of Australia electronic surveillance laws.

The creation of a new Electronic Surveillance Act was a key recommendation of a comprehensive review of Australia’s intelligence community. It aims to unravel the tangle of surveillance laws.

Public submissions on that discussion paper closed on 11 February. An exposure draft of the proposed electronic surveillance legislation is planned to be released for public comment in late 2022.

Related Coverage

• Australian government to introduce crypto exchange ‘badge of approval’
• We are headed for an ecosystem of cyber haves and cyber nots: Cisco advisory CISO
• NSW Supreme court orders local elections impacted by iVote failure to be recast
• Meta sued for allegedly displaying scam ads using Australian public figures