The curious case of Angela Merkel and her EU data retention ideas

In the wake of last week’s terrorist attacks in Paris, German Chancellor Angela Merkel has called on the European Commission to deliver on its “promise” of a new EU-wide data retention directive to replace the one struck down by the EU’s highest court last year.

Merkel wants to implement this new directive into German law. There’s only one problem: the Commission doesn’t seem to have promised any such thing, at least not in public.

The Court of Justice of the European Union struck down the Data Retention Directive 2006 in April of last year because it was disproportionate and had insufficient safeguards. The directive had mandated that EU countries had to force telecommunications firms to retain metadata about their customers’ communications for between six and 24 months. Even before the CJEU scrapped it, Germany had already stopped implementing it on constitutional grounds.

On Thursday, according to a DPA report, Merkel told German parliamentarians:

Given the cross-party conviction among all interior ministers, both state-level and federal, that we need such minimum retention periods, we should insist that the revision of the directive promised by the EU Commission is quickly completed and then implemented into German law.

That DPA report claims “Brussels is drafting a follow-up that meets the judges’ standards,” but that’s not what the Commission says.

Last month, Netzpolitik reported that new Home Affairs Commissioner Dimitris Avramopoulos was planning to make such an announcement, and that his department was “now reflecting on the how, rather than the if.” However, after that report came out, the department backtracked, with a spokeswoman saying: “I meant that we are now reflecting on the how to take things forward, rather than if we need a new directive or not.”

Avramopoulos’s predecessor, Cecilia Malmström, had previously said she wouldn’t propose any new data retention directive until the EU’s new data protection rules had been finalized – something that now may not happen before 2016.

An EU source confirmed to me today that the Commission is taking its time evaluating the issues raised by the CJEU ruling, and intends to have an open dialog with the European Parliament, member states, civil society, law enforcement and data protection authorities. Only then will it be able to decide whether there is a need for a new proposal, the source said.

Technically, Merkel could try setting up a new German data protection law without a broader EU directive. However, her own justice minister has firmly rejected the mass surveillance idea, telling German television a few days ago: “With data retention, we also store all data from journalists and restrict freedom of the press. That does not fit together.”

She would also need to somehow make sure that her data retention law didn’t fall foul of the arguments the CJEU used to strike down the EU Data Retention Directive, advice from the EU Legal Service division suggests.

EU legal advisers cast doubt on data retention legality

The European Parliament’s legal advisors have issued a report into the repercussions of last year’s ruling by the Court of Justice of the European Union, in which the CJEU struck down the E.U. Data Retention Directive. And the lawyers’ opinions suggest that surviving national data retention laws are on shaky ground.

The Directive forced E.U. member states to have a data retention regime in which telecommunications and internet service providers had to maintain records of their customers’ communications – metadata about who contacted whom and when, as opposed to the contents of those communications. After the CJEU judgement in April 2014, countries including Austria, Slovenia and Romania scrapped their national data retention laws (a couple others, notably Germany, had already rolled theirs back on constitutional grounds).

However, some countries have continued or – in the case of the U.K. with its DRIPA surveillance law – even expanded their national data retention regimes. Here’s a breakdown of what the Legal Service department said about the ruling’s implications in that regard (a copy of the opinion was obtained and published by the digital rights group Access).

  • The CJEU ruling was specific to the Data Retention Directive, which had been challenged by Digital Rights Ireland (DRI), so it did not have a direct effect on national data retention laws, apart from saying that it’s now okay by the E.U. for countries to repeal them.
  • With the Data Retention Directive now out of the picture, the continuing national laws are now governed by the earlier e-Privacy Directive of 2002, which allows member states to implement data retention regimes “when such restriction constitutes a necessary, appropriate and proportionate measure within a democratic society to safeguard national security (i.e. State security), defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system.”
  • Because member states’ national data retention laws are therefore still in the realm of E.U. law, they have to be compatible with the E.U.’s Charter of Fundamental Rights, specifically Articles 7 and 8, which set out the rights to privacy and personal data protection respectively, and Article 52(1), which says any limitations to rights must be proportionate.
  • The Charter is what informed the CJEU judgement striking down the Data Retention Directive – the court said the directive was not proportionate and didn’t provide “clear and precise rules” to limit the interference to what is “strictly necessary” and provide “minimum safeguards”.
  • Therefore, countries maintaining national data retention laws must re-examine those laws to check whether they fulfil the requirements “as interpreted by the Court of Justice in the DRI judgement”, and fix them if they don’t. What’s more, anyone who wants to challenge those national laws can now point to the CJEU judgement as a guideline, even though it doesn’t have a direct effect.
  • The same goes for existing E.U.-level data retention programs such as the Terrorist Finance Tracking Programme (TFTP) and the Union’s international passenger name record (PNR) agreements – they’re still valid, but if someone wants to challenge the legality of those, they can also point to the CJEU’s DRI judgement. The CJEU ruling should also be heeded when formulating any new E.U. data retention legislation. As it happens, TFTP and the international PNR agreements are about to be renegotiated.

This is particularly good news for the two British members of Parliament who are challenging DRIPA in the U.K. High Court. DRIPA was fast-tracked as an “emergency” law because the Data Retention Directive had been implemented in the U.K. as secondary rather than primary legislation, so the government feared that the CJEU judgement left it without a proper legal justification for continuing to demand that ISPs and web service providers keep retaining communications data.

DRIPA is temporary, time-limited to the end of 2016, but the underlying primary legislation that it expands on – the Regulation of Investigatory Powers Act (RIPA) – is not. RIPA is, however, up for review, as the government will want to make the DRIPA powers permanent before the end of 2016, so those conducting the review will now also need to take the E.U. legal advice into account.

RIPA was designed as anti-terrorist legislation but it’s widely used by local authorities in the U.K. to spy on citizens, in order to see whether they’re putting their trash out in the prescribed manner or trying to cheat their kids into schools in a different neighborhood. It’s also used to spy on lawyers and journalists. Around half a million RIPA requests for communications data are made each year.

The CJEU ruling will make it hard to justify the continuation of this situation, and even in the case of terrorism and more serious crime, the British government may have a struggle proving the proportionality of its mass surveillance regime. Proper reviews of data retention laws in other countries such as Sweden may uncover similar problems.

Charlie Hebdo murders are no excuse for killing online freedom

There’s been a predictable split in the reactions to Wednesday’s slaughter of the staff of French satirical newspaper Charlie Hebdo, along with others including police who were trying to protect them. On the one hand, hundreds of thousands of people have rallied in France and across Europe in defiance against those behind this attack on free speech…

… while others have taken a decidedly different tack, using the outrage as a justification for the rolling-back of online civil liberties. This approach was taken by Dan Hodges in the Telegraph, and by the Sun in an editorial arguing that “intelligence is our best defense… yet liberals still fret over the perceived assault on civil liberties of spooks analyzing emails.”

Here’s what Hodges (a well-known admirer of Tony Blair, the British prime minister who was no friend of civil liberties) wrote:

We hear a lot about freedom, and threats to our freedom. We heard about it, for example, when the government asked the Guardian to stop publishing the Snowden files because of the risk to national security. We heard about it last year, when David Cameron announced he was bringing back plans to allow the security agencies to monitor, and retain data on, our electronic communications – the so-called ‘snooper’s charter’. We heard about it in the wake of the Lee Rigby killing, where we [were] told the state would use the murder as an excuse for a further erosion of our liberties.

But those are not real assaults on our freedom. Switch on your TV. You will see and hear what an assault on freedom really looks like…

If one way of stopping obscenities like today is providing the security services a bit more access to our e-mails, we must give it to them. If it means internet providers handing over their records, the records must be handed over. If it means newspapers showing restraint the next time an Edward Snowden knocks on their door, then restraint will have to be shown. Because look who came knocking at the door today.

Hodges must be given credit for at least calling himself a “coward” in that piece, saving time for the rest of us.

I’m not going to go into the rights and wrongs of Charlie Hebdo’s content, much of which I personally found grossly offensive. That, after all, is the publication’s aim – to make points offensively (to a multitude of targets, it should be noted) and to meet calls for restraint with more proud offense. Freedom of expression is an essential civil liberty, not only in France, but across much of the democratic world. It was set out in the Declaration of the Rights of Man and of the Citizen, which emerged from the French Revolution in 1789, and it is today enshrined on an international level in the International Convention on Civil and Political Rights (ICCPR).

The ICCPR’s signatories, including France, the U.K. and most of the world, have also pledged to ensure that “no one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence.” Yes, this is a right that needs to be balanced against others, most notably the right to security, but arguably no calculation of that balance can justifiably permit mass surveillance.

To quote last year’s report on online mass surveillance by Ben Emmerson, the U.N.’s special rapporteur on the protection and promotion of human rights while countering terrorism:

International human rights law requires States to provide an articulable and evidence-based justification for any interference with the right to privacy, whether on an individual or mass scale. It is a central axiom of proportionality that the greater the interference with protected human rights, the more compelling the justification must be if it is to meet the requirements of the Covenant. The hard truth is that the use of mass surveillance technology effectively does away with the right to privacy of communications on the Internet altogether. By permitting bulk access to all digital communications traffic, this technology eradicates the possibility of any individualized proportionality analysis.

Apart from the fact that mass surveillance hasn’t been shown to work – France’s extensive surveillance regime, expanded just weeks ago, clearly failed in this case – it is no way to protect freedom of expression. It is a tool for chilling free speech, of dissuading people from speaking their minds, and the same British government that wants to introduce the “snooper’s charter” is also working to stop its citizens from seeing extremist material online, by getting ISPs to filter out such content. It is cracking down on free expression on social media, leading the police there to tweet things like this:

It forced the Guardian’s editors to destroy computers holding copies of the Snowden cache with angle grinders, for whatever that was worth. And the Sun, so keen on Blair’s Regulation of Investigatory Powers Act (RIPA) this week, recently made an official complaint about the police using the mass surveillance law to spy on its journalists and their sources in a case that was embarrassing the government.

After a cartoon featuring Mohammed led to the firebombing of Charlie Hebdo’s offices in 2011, editor Stéphane “Charb” Charbonnier famously said: “It perhaps sounds a bit pompous, but I’d rather die standing than live on my knees.”

On Wednesday, Charb died for liberty. To suggest that the correct response is the curtailment of liberty — to effectively argue that terrorism should be met with fearful capitulation — is more offensive than anything he ever published.

UK court to review legality of web snooping law

Two British members of Parliament have won the right to have the contentious Data Retention and Investigatory Powers Act (DRIPA) – an expansion of the U.K. authorities’ surveillance powers – reviewed by the High Court.

DRIPA was fast-tracked in July after Europe’s highest court struck down an EU-wide mandate for telcos to store records of their users’ communications. Although it was billed as an emergency measure to allow the U.K. to continue its data retention efforts – and it is indeed time-limited until the end of 2016 – it effectively expanded the scope of what information must be stored, to include metadata about people’s social media conversations and potentially many other kinds of web communications.

Labour’s Tom Watson and the Conservative David Davis applied for a judicial review later in July, alongside the civil rights group Liberty. The case was subsequently joined by the Open Rights Group and Privacy International.

On Monday, the High Court granted them the judicial review, to see whether DRIPA does indeed fall foul of European human rights law. Open Rights Group legal director Elizabeth Knight said in a statement:

After the Court of Justice of the EU declared the Data Retention Directive invalid, the UK government had the opportunity to design new legislation that would protect human rights. It chose instead to circumvent the decision of the CJEU by introducing the Data Retention and Investigatory Powers Act (DRIPA), which is almost identical to the Data Retention Directive.
Through our submission, we hope to help demonstrate that DRIPA breaches our fundamental human right to privacy and does not comply with human rights and EU law.

Despite DRIPA’s recent introduction, the British government is already amending it to take in more data. The government will require ISPs to maintain records of which customers use which IP addresses, and will also force web service providers who have British users to retain “data required for IP resolution”. The idea is to be able to match specific devices to terrorist or extremist communications, or crimes committed online, such as bullying.

Wider human rights problem

The U.K. isn’t the only European country that’s trying to push ahead with mandatory data retention despite the striking-down of the EU directive. The Swedish government, for example, is also forcing ISPs to keep customers’ metadata for the benefit of the authorities, and rebel ISP Bahnhof has reacted by offering customers free VPN in conjunction with a local digital rights group, so as to make the stored metadata unusable.

Meanwhile, late last week a coalition of Dutch lawyers, ISPs and journalists sued the government there over its insistence on data retention. The group claims data retention is in conflict with the CJEU ruling, though the Dutch government says it would be able to keep its legislation legal with a few tweaks. Dutch lawyers and journalists have already sued the government over its NSA intelligence-sharing arrangements.

As has been demonstrated in the U.K., data retention laws can be used to spy on lawyer-client communications and (systemically, in the case of the U.K.) on journalists too.

Meanwhile, on Monday the Council of Europe’s human rights commissioner, Nils Muižnieks, issued a report saying that “suspicionless mass retention of communications data is fundamentally contrary to the rule of law.” He said mass surveillance was not justified by the war on terror, and ran counter to established human rights laws. Muižnieks said he was “watching closely” what the U.K. was doing.

This article was updated at 7.30am PT to add further context, and again at 10am PT to remove the suggestion that viewing terrorist material online is a crime in the U.K. — the police there have suggested that it is, but this is almost certainly nonsense. Instead I have noted that the IP resolution move is intended to target terrorists and bullies.

Swedish ISP protects customers from surveillance with free VPN

Bahnhof was the last Swedish ISP to resist the enforcement of a data retention law that is arguably illegal under EU law. Now it’s technically giving in, but it intends to make the retained data useless to spies and law enforcement.