In spite of repeated rulings by the European Court of Justice against data retention, a group of EU governments insist that new legislation is „urgently needed“. France, Spain and five other countries spoke in favour of a new data retention law at a closed-door video meeting of member states on February 8, a working paper drawn up by the Portuguese council presidency reveals (full document here).
Data retention laws require providers of telecommunications service to keep records of their customers data for use by law enforcement. However, the ECJ has struck down the EU’s 2006 Data Retention Directive and has ruled against similar provisions in national law for violation of fundamental rights.
In the past few months, the EU court has doubled down on its position by ruling that collection of retained data by intelligence agencies „cannot be considered to be justified, within a democratic society“. The court also set limits on the access to retained data by law enforcement.
However, limits on data retention set by the court would „lead to discrimination and could be ineffective and insufficient given the needs of law enforcement authorities“, member states believe according to the working paper. In an earlier document, the Portuguese presidency had raised the question of whether data retention could be made legally compliant by limiting it to IP addresses.
DSA should „not limit data retention regime“
While calling for safeguards for fundamental rights as part of new legislation, member states argued in private for changes in secondary legislation such as the General Data Protection Regulation. Ongoing law-making in the Digital Services Act should ensure that it does „not limit the scope of the future data retention regime“.
The Council Legal Service suggested the possibility of using traffic and content data retained by providers for commercial purposes. To allow for this, officials suggested to change the council mandate for negotiations on the ePrivacy Regulation, to created a „general obligation to retain data, and combining this obligation with the provisions on the retention period and the time limits for complaints“.
In the meeting, the Commission raised objections to a new data retention law. It was the „political reality“ that the EU Parliament was keen to limit mass surveillance rather than expand it. Officials also pointed out that changes in secondary legislation could „lead to a reinforcement of the ECJ position in future case-law“.
MEP blasts „surveillance fantasies“
The position of other member states is unclear from the document. In Germany, Federal Minister of the Interior Horst Seehofer has pushed for data retention at the national level, although that is unlikely to hold up before the ECJ, according to legal experts of the German parliament.
MEPs voiced scepticism at the new push for data retention. The demands of member states amounted to „surveillance fantasies“ not borne out by legal realities, said German deputy Moritz Körner. His colleague Patrick Breyer, a German Pirate Party MEP who is part of the Greens/EFA group, told netzpolitik.org the push was „absurd and a mockery of the rule of law“.
Meanwhile, France mulls going it alone on data retention. The French government asked the Conseil d’État, which is the highest authority on administrative law in France, to shield its data retention legislation from European law as part of France’s „constitutional identity“. The move, which will likely prove controversial in Brussels, was first reported by French news sites Contexte and Next Inpact.
Should France proceed with its data retention plans in disregard of European law, the Commission can launch an infringement procedure. The reaction from Brussels will likely be closely watched in other capitals, who might find that if there is not solution within European law, there could be one without.