European Data Protection Supervisor questions need for Data Retention Directive: no public reply from the spooks expected…

by

This week the European Data Protection Supervisor (EDPS) published an opinion that concludes that:

“the Data Retention Directive does not meet the requirements set out by the rights to privacy and data protection, for the following reasons:

  • the necessity of data retention as provided for in the Data Retention Directive has not been sufficiently demonstrated;
  • data retention could have been regulated in a less privacy-intrusive way; and
  • the Data Retention Directive lacks foreseeability.”

and goes on to:  

“…call upon the Commission to consider seriously all options in the impact assessment including the possibility of repealing the Directive, either per se or combined with a proposal for an alternative, more targeted EU measure.

A future Data Retention Directive could be considered only if there were agreement on the need for EU rules from the perspective of the internal market and police and judicial cooperation in criminal matters and if, during the impact assessment, the necessity of data retention, supported and regulated by the EU, could be sufficiently demonstrated, which includes a careful consideration of alternative measures. Such an instrument should fulfil the following basic requirements:

  • It should be comprehensive and genuinely harmonise rules on the obligation to retain data, as well as on the access and further use of the data by competent authorities.
  • It should be exhaustive, which means that it has a clear and precise purpose; and the legal loophole which exists with Article 15(1) of the ePrivacy Directive is closed.
  • It should be proportionate and not go beyond what is necessary.”

The opinion is not entirely unexpected. The EDPS published a critical opinion in 2005 before the Data Retention Directive was implemented, and more recently intervened in a case before the ECJ challenging the validity of the Directive.

At the heart of this debate is where the line between the interests of the state and the interests of the individual is drawn. That is ultimately a political rather than a legal debate, although the legal framework of article 8 of the European Convention on Human Rights and articles 7 and 8 of the EU Charter of Fundamental Rights clearly provide a locus for the courts to intervene and are the backdrop against which the EU legislates. 

It is difficult to accurately track both sides of this debate, as whilst the EDPS sets out the case for the interests of individuals, the case for the state interfering with individuals rights for the purposes of preventing serious crime for the benefit of society has in general not been well articulated by the relevant security agencies that are not used to engaging in public debate, but rather tend to prefer influencing  ‘behind the scenes’. Put another way, I am not expecting a contrary view to be published any time soon by a joint committee of the various national security services and agencies – instead their views will be filtered through national representatives within the Council.

As a result, it isn’t clear what the next steps will be. There is no doubt that the Data Retention Directive was in part a knee-jerk reaction to terrorist attacks and that there are serious questions about its legal validity (discussed in detail in the EDPS opinion). However, the influence of those putting the (less public) counter-arguments leads me to think that it highly likely that data retention requirements will survive for the forseeable future, albeit in an attenuated and more closely controlled form.