Skip to main content
SpringerLink
Log in

Redefining the Relationship Between Security, Data Retention and Human Rights

  • Chapter
  • First Online:
Freedom, Security and Justice in the European Union

  • 1256 Accesses

Abstract

Under pressure to ensure citizen safety following 11 September and the Madrid and London bombings, the EU and member states pushed through a large number of laws empowering law enforcement authorities, at times seemingly at a high cost for citizens’ fundamental rights. The Commission is now in the process of evaluating and reviewing some of these laws, amongst which the Data Retention Directive. This paper argues that, given the operational experiences with the Directive and implementing laws and the legal and political changes that have taken place in the past six years since its entry into force, it is time to redefine the relationship between security needs and fundamental rights regarding data retention. While arguing for this redefinition, the paper also reflects on the chances that this process of redefinition will actually come about: disagreements between EU institutions may, at best, lead to yet another case of opportunistic pragmatism or, at worst, produce no reform at all.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info
Hardcover Book
USD 54.99
Price excludes VAT (USA)
  • Durable hardcover edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    For a more complete list of laws introduced on information sharing in the Area of Freedom, Security and Justice, see Boehm, Franziska, ‘Information Sharing in the Area of Freedom, Security and Justice—Towards a Common Standard for Data Exchange between agencies and EU information systems’ in Gutwirth, Serge, Ronald Leenes, Paul de Hert and Yves Poullet (eds.) European Data Protection: In Good Health? (2012) Springer, and Boehm, Franziska, Information Sharing and Data Protection in the Area of Freedom, Security and Justice: Towards Harmonised Data Protection Principles for Information Exchange at EU-level (2012) Springer.

  2. 2.

    Article 5, Directive 2006/24/EC.

  3. 3.

    Article 6, Directive 2006/24/EC.

  4. 4.

    In 2004.

  5. 5.

    Note from the Presidency of the Council of the European Union to CATS on Exchange of data within AFSJ and EU data retention and data protection standards: need for further harmonisation/approximation, Doc 14957/11.

  6. 6.

    The Stockholm Programme—An open and secure Europe serving and protecting citizens: 5731/10.

  7. 7.

    McIntyre, T. J. (2008) Data Retention in Ireland: Privacy, policy and proportionality. Computer Law & Security Report Vol. 24, at p. 327.

  8. 8.

    In Article 14, the Commission is requested to submit, no later than 15 September 2010, an evaluation of the application of the Directive and its impact on economic operators and consumers.

  9. 9.

    Kosta, Eleni and Valcke Peggy (2006) Retaining the Data Retention Directive. Computer Law & Security Report Vol. 22, at pp. 371–373.

  10. 10.

    Case C-301/6 Ireland v Parliament and Council [2009] ECR I-00593.

  11. 11.

    COM (2010) 573/4, dated 19 October 2010.

  12. 12.

    COM (2010) 573/4, at p. 5.

  13. 13.

    COM(2012) 11 final.

  14. 14.

    COM/2012/010 final—2012/0010 (COD).

  15. 15.

    Recital 21, Data Protection Directive.

  16. 16.

    Kosta, Eleni and Valcke Peggy (2006) Retaining the Data Retention Directive. Computer Law & Security Report Vol. 22, at p. 376.

  17. 17.

    Opinion of 26 September 2005 on the Proposal for a Directive of the European Parliament and of the Council on the retention of data processed in connection with the provision of public electronic communication services and amending Directive 2002/58/EC (COM(2005) 438 final), OJ C 298, 29.11.2005, p. 1.

  18. 18.

    Opinion 4/2005 on the Proposal for a Directive of the European Parliament and of the Council on the retention of data processed in connection with the provision of public electronic communication services and amending Directive 2002/58/EC (COM(2005) 438 final of 21.09.2005), available at http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2005/wp113_en.pdf.

  19. 19.

    See Maras, Marie-Helen (2012) The economic costs and consequences of mass communications data retention: is the Data Retention Directive a proportionate measure? European Journal of Law & Economics Vol. 33, Issue 2, pp. 447–472.

  20. 20.

    ETS 108 of 1981.

  21. 21.

    See Explanatory Report to Convention 108, at para. 41.

  22. 22.

    8691/79[1984] ECHR 10 (2 August 1984).

  23. 23.

    Decision no 1258 of 8 October 2009 of the Romanian Constitutional Court.

  24. 24.

    Bundesverfassungsgericht, 1 BvR 256/08.

  25. 25.

    Judgment of the Czech Constitutional Court of 22 March on Act No. 127/2005 and Decree No 485/2005.

  26. 26.

    Bulgarian Supreme Administrative Court, Decision no. 13627, 11 December 2008.

  27. 27.

    Supreme Court of Cyprus Appeal Case Nos. 65/2009, 78/2009, 82/2009 and 15/2010-22/2010, 1 February 2011.

  28. 28.

    The Hungarian constitutional complaint was filed by the Hungarian Civil Liberties Union on 2 June 2008.

  29. 29.

    Digital Rights Ireland Ltd v Minister for Communication & Ors [2010] IEHC 221 (05 May 2010).

  30. 30.

    See http://www.eisionline.org/index.php/projekty-m/data-retention-m/49-slovak-case-on-data-retention accessed on 15 October 2012.

  31. 31.

    Case C-301/06 Ireland v European Parliament and Council of the European Union [2009] ECR I-00593.

  32. 32.

    Directive Article 15.

  33. 33.

    The passage into law in Austria was not without its share of drama, with the opposition claiming that the government tried to pass the regulations later at night, hidden from public attention and the government justifying the regulations by simply saying that these were necessary to avoid EU sanctions.

  34. 34.

    Case C-185/09 European Commission v Kingdom of Sweden (4 February 2010 OJ C80/6).

  35. 35.

    Case C-270/11 European Commission v Kingdom of Sweden (pending).

  36. 36.

    See http://www.stockholmnews.com/more.aspx?NID=8522 last accessed on 15 October 2012.

  37. 37.

    Case C-461/10 Bonnier Audio AB, Earbooks AB, Norstedts Förlagsgrupp AB, Piratförlaget Aktiebolag, Storyside AB v Perfect Communication Sweden AB (CJEU, 19 April 2012).

  38. 38.

    Case C-293/12: Reference for a preliminary ruling from High Court of Ireland made on 11 June 2012—Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources, Minister for Justice, Equality and Law Reform, The Commissioner of the Garda Síochána, Ireland and the Attorney General (still pending).

  39. 39.

    The discussion in this section is limited to the decisions of the Constitutional Courts, not because the decisions of the courts of Cyprus and Bulgaria are not interesting, but rather because they reiterate the same lines of argument as the three decisions of the Constitutional Courts. Indeed, in a decision delivered on 1 February 2011, the Supreme Court of Cyprus declared some of the provisions of Law 183(1)/2007 (Retention of Telecommunication Data for Purposes of Investigation of Serious Criminal Offences Law of 2007) in breach of the Constitution of Cyprus. The Court decided that Articles 4 and 5 of the national law granting police forces access to the retained data were in conflict with Article 15 (right to private life) and Article 17 (confidentiality of communications) of the Constitution. See the decision of the Supreme Court of Cyprus of 1 February 2011, available at http://www.supremecourt.gov.cy/Judicial/SC.nsf/All/5B67A764B86AA78EC22, last accessed on 15 October 2012.

  40. 40.

    As translated and quoted by Adrian Bannon. Bannon, Adrian (2010) Romania retrenches on data retention. International Review of Law, Computers & Technology Vol. 24 No. 2, at p. 150.

  41. 41.

    Hornung, Gerrit and Christoph Schnabel (2009) Data protection in Germany II: Recent decisions on online-searching of computers, automatic number plate recognition and data retention. Computer Law & Security Review Vol. 25 (2009), at p. 119.

  42. 42.

    Decision no 1258 of 8 October 2009 of the Romanian Constitutional Court.

  43. 43.

    The court decision refers to Rotaru v Romania (2000) on this particular issue.

  44. 44.

    Bannon, Adrian (2010) Romania retrenches on data retention. International Review of Law, Computers & Technology Vol. 24 No. 2, pp. 145–152.

  45. 45.

    EDRI, ‘Romanian Parliament Adopts the Data Retention Law. Again’ (23 May 2012) at http://www.edri.org/edrigram/number10.10/romanian-parliament-adopts-data-retention-law-again, last accessed on 15 October 2012.

  46. 46.

    Hornung, Gerrit and Christoph Schanbel (2009) Data protection in Germany II: Recent decisions on online-searching of computers, automatic number plate recognition and data retention. Computer Law & Security Review Vol. 25 (2009), at p. 120.

  47. 47.

    Bundesverfassungsgericht, 1 BvR 256/08.

  48. 48.

    Bundesverfassungsgericht, 1 BvR 256/08, para. 215. Commission Report COM(2011) 225 final, at p. 20.

  49. 49.

    Case C-329/12: Action brought on 11 July 2012—European Commission v Federal Republic of Germany (still pending).

  50. 50.

    See http://www.slidilove.cx/en/english/constitutional-court-spying-communi, last accessed on 5 October 2012.

  51. 51.

    See also Molek, Pavel ‘Unconstitutionality of the Czech implementation of the Data Retention Directive’ European Constitutional Law Review Vol. 8 Issue 2, pp. 338–353.

  52. 52.

    It has been argued by German civil society organisations that “Blanket data retention can actually have a negative effect on the investigation of criminal acts. In order to avoid the recording of sensitive personal information under a blanket data retention scheme, citizens increasingly resort to Internet cafés, wireless Internet access points, anonymisation services, public telephones, unregistered mobile telephone cards, non-electronic communications channels and such like.” (http://www.vorratsdatenspeicherung.de).

  53. 53.

    Para. 56 of the judgment; Lazarová, Daniela ‘Constitutional Court invalidates telecommunications data retention law’, 1 April 2011.

  54. 54.

    At para 44 of the judgment.

  55. 55.

    Presentation given by Matej Myska (Masaryk University), Retaining telecommunication data in Czech Republic: past, present and future, at the ‘Surveilling Surveillance Policy Workshop’ held in Florence, Italy, on 25–26 September 2012 (http://prezi.com/nccfe87o2edy/retaining-telcomm-data-in-cz/).

  56. 56.

    Report from the Commission to the Council and the European Parliament: Evaluation report on the Data Retention Directive (Directive 2006/24/EC) (18 April 2011) COM(2011) 225 final.

  57. 57.

    In Romania, Germany, Cyprus, Bulgaria and the Czech Republic.

  58. 58.

    Commission Report COM (2011) 225 final, at pp. 13–14.

  59. 59.

    Commission Report COM (2011) 225 final, at p. 15.

  60. 60.

    Commission Report COM(2011) 225 final, at p. 27.

  61. 61.

    Commission Report COM(2011) 225 final, at p. 9.

  62. 62.

    Commission Report COM(2011) 225 final, at p. 6.

  63. 63.

    Bulgaria, Estonia, Ireland, Greece, Spain, Lithuania, Luxembourg, Hungary, the Netherlands and Finland—Commission Report COM(2011) 225 final, at p. 6, Table 1.

  64. 64.

    Belgium, Denmark, France, Italy, Latvia, Poland, Slovakia and Slovenia - Commission Report COM(2011) 225 final, at p. 6, Table 1.

  65. 65.

    Cyprus, Malta, Portugal and the United Kingdom—Commission Report COM (2011) 225 final, at p. 6, Table 1.

  66. 66.

    Article 4 of the Directive stipulates that member states are required to ensure that [retained data] are provided only to the competent national authorities in specific cases and in accordance with national law.

  67. 67.

    Starting with Malone v UK.

  68. 68.

    Commission Report COM (2011) 225 final, at p. 9.

  69. 69.

    Commission Report COM (2011) 225 final, at p. 9.

  70. 70.

    E.g., reports in the German press such as “Joachim Käppner, Gelöscht statt gespeichert. Der Polizei fehlen viele Verbindungsdaten des Terror-Trios”, in: Süddeutsche Zeitung, 26./27.11.2011, p. 1. This is not to say that the facts reported in this article are not shocking and no action should be taken. Rather, this case alone may not pass a proportionality test that would justify the collection and retention of communication details of millions of innocent European citizens.

  71. 71.

    The United Kingdom, France and Ireland.

  72. 72.

    Directive Article 15(3).

  73. 73.

    Commission Report COM(2011) 225 final, at p. 31.

  74. 74.

    Commission Report COM(2011) 225 final, at p. 32.

  75. 75.

    Commission Report COM(2011) 225 final, at p. 31.

  76. 76.

    Commission Report COM(2011) 225 final, at p. 32. The full list reads:

    “The following areas in particular should be examined in the impact assessment:

    • consistency in limitation of the purpose of data retention and types of crime for which retained data may be accessed and used;

    • more harmonisation of, and possibly shortening, the periods of mandatory data retention;

    • ensuring independent supervision of requests for access and of the overall data retention and access regime applied in all member states;

    • limiting the authorities authorised to access the data;

    • reducing the data categories to be retained;

    • guidance on technical and organisational security measures for access to data including handover procedures;

    • guidance on use of data including the prevention of data mining; and

    • developing feasible metrics and reporting procedures to facilitate comparisons of application and evaluation of a future instrument”.

  77. 77.

    Unreported speech by MEP Renate Weber at the CONSENT Second Policy Workshop held at the University of Cluj-Napoca, Romania, on 6–7 September 2012, in which Mrs Weber describes how the ALDE Committee regularly requests Mrs Malmström to proceed with the reform while knowing full well that the Council will block any attempt at reform.

  78. 78.

    See https://publicaffairs.linx.net/news/?p=8453, last accessed on 15 October 2012.

  79. 79.

    See, e.g., the position of the Electronic Frontier Foundation (EFF) at the 32nd Annual Conference of the Data Protection and Privacy Commissioners “Privacy Generations” that took place on 27–28 October 2010. Accessed at http://www.edri.org/book/export/html/2438.

  80. 80.

    Commission Report COM(2011) 225 final, at p. 5.

  81. 81.

    Opinion of the European Data Protection Supervisor on the Evaluation Report from the Commission to the Council and the European Parliament on the Data Retention Directive (Directive 2006/24/EC), dated 31 May 2011.

  82. 82.

    Opinion of the European Data Protection Supervisor on the Evaluation Report from the Commission to the Council and the European Parliament on the Data Retention Directive (Directive 2006/24/EC), dated 31 May 2011.

  83. 83.

    Leaked document—The Data Retention (sic) Directive 2006/24/EC-Paper produced by France, Ireland and the United Kingdom for discussion at the member states’ “Workshop to consider future options for data retention in the EU” on 30 June 2011, at p. 1, available at http://www.edri.org/files/Data-retention-opinion-Uk-fr-Ie.pdf, last accessed on 15 October 2012.

  84. 84.

    While one may be reluctant to put Ireland in the same basket as the United Kingdom and France, given that it did challenge the legality of the Directive in Case-C301/06 Ireland v European Parliament and Council of the European Union [2009] ECR I-00593, Ireland has had a wide data retention regime pre-dating the Directive. See McIntyre, T.J. (2008) Data Retention in Ireland: Privacy, policy and proportionality. Computer Law & Security Report Vol. 24, pp. 326–334.

  85. 85.

    Eerste Kamer der Staten Generaal (Vergaderjaar 2010–2011) 32 797 EU-verslag: Evaluatie van de richtlijn dataretentie (Richtlijn 2006/24/EG)–COM(2011)225, in particular De commissies vinden het rapport niet bevredigend. Zij missen vooral een overtuigende analyse van de noodzaak (“pressing social need”) van de richtlijn en zijn van mening dat het rapport onvoldoende aandacht besteedt aan de proportionaliteit van dataretentie zoals geregeld in de richtlijn. Verder gaat het rapport niet in op de vele mogelijkheden die er zijn om de bewaarplicht te omzeilen, waardoor ook inzake de effectiviteit van de richtlijn dataretentie bij de commissies nog steeds vele vragen leven.

  86. 86.

    Such as in Romania, where the Senate rejected the draft of the new law while the Chamber of Deputies acted otherwise.

  87. 87.

    COM (2010) 573/4, dated 19 October 2010.

  88. 88.

    COM (2010) 573/4, at p. 5.

  89. 89.

    COM(2010) 385 final, dated 20 July 2010.

  90. 90.

    ECHR 4 December 2008.

  91. 91.

    Article 3(2) Data Protection Directive.

  92. 92.

    COM(2010) 609 final, dated 4 November 2011.

  93. 93.

    ‘Czech police was gaining phone statements of Klaus’ aides’ published 20 June 2011, accessed at http://www.ceskenoviny.cz/zpravy/policista-nelegalne-ziskal-i-vypisy-t.

  94. 94.

    Daily reports in the Guardian, BBC news and the Times from August 2011 to late September 2011.

  95. 95.

    SWIFT, PNR, Cloud-computing, etc.

  96. 96.

    The Canadian Ministry of Justice defends its position on data preservation in the following manner: “This is not data retention. Contrary to what is the case in some countries, the amendments would not require custodians of data to collect and store data for a prescribed period of time for all subscribers, regardless of whether or not they are subject to an investigation. A preservation order would be restricted to the data that would assist in a specific investigation.” See http://www.justice.gc.ca/eng/news-nouv/nr-cp/2010/doc_32567.html.

Author information

Authors and Affiliations

  1. University of Groningen, Groningen, The Netherlands

    Jeanne Pia Mifsud Bonnici

Authors
  1. Jeanne Pia Mifsud Bonnici
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Jeanne Pia Mifsud Bonnici .

Editor information

Editors and Affiliations

  1. University of Groningen, Groningen, The Netherlands

    Ronald L. Holzhacker

  2. Austrian Institute for International Aff, Vienna, Wien, Austria

    Paul Luif

Rights and permissions

Reprints and permissions

Copyright information

© 2014 Springer Science+Business Media New York

About this chapter

Cite this chapter

Mifsud Bonnici, J.P. (2014). Redefining the Relationship Between Security, Data Retention and Human Rights. In: Holzhacker, R., Luif, P. (eds) Freedom, Security and Justice in the European Union. Springer, New York, NY. https://doi.org/10.1007/978-1-4614-7879-9_4

Download citation

Publish with us

Policies and ethics

Search

Navigation