Most EU member states’ rules on data retention do not comply with fundamental human rights, according to a survey by civil rights campaign group Privacy International.
The group assessed (PDF) the legislation on bulk data retention - which asks telcos to store large amounts of data for access by government agencies - in 21 member states, finding that laws are “poorly drafted”, outdated and lack clarity.
The work focuses on how the member states’ legislation stands up to two recent landmark judgements from the Court of Justice of the European Union - the 2014 Digital Rights Ireland case and the 2016 case brought by Labour MP Tom Watson and Swedish telco Tele2.
The first of these saw the CJEU rule one EU directive (No 2006/24) invalid, while the second reaffirmed the court's position, and stressed that access to retained data must only be given in cases of serious crime.
Member states are legally obliged to comply with CJEU rulings and should update their national legislation to do so - but an investigation by Privacy International has shown this is not the case.
The group asked whether 21 member states’ legislation - including that of the UK, Luxembourg and Germany - was up to date with the CJEU’s decisions.
It found that 40 per cent of the countries still had a pre-2014 regime in place: a number of countries, including Croatia, France and Portugal, have yet to repeal or amend their laws as a result of the Digital Rights Ireland case.
Privacy International said that some national courts had been interpreting Digital Rights Ireland “compatibly with their national legislation”, while others - including the Czech Republic - have “recognised the national regimes’ flaws but have not invalidated them”.
The group added that most of the countries that have changed their laws have only done so in response to challenges brought by human rights NGOs in national courts, rather than by parliaments making proactive changes.
Governments and legislators have been “largely inactive”, the group said, with the exception of Luxembourg, as the Ministry of Justice formulated a new bill in 2015 - but this has yet to come into force.
Meanwhile, some 20 per cent of countries that do have new legislation are still not consistent with the most recent ruling, the Tele2 case in 2016, including Bulgaria, Belgium and Italy.
These regimes “might allow indiscriminate retention of data in bulk or provide vague and ill-defined regulation on access to that data by relevant authorities”, the report said.
In the UK and Sweden, litigation is still underway and no amendments have been made to existing laws, the report said.
Indeed, data retention legislation is still being considered, or is on hold, in 30 per cent of countries - including Austria and the Netherlands - the report said.
But Privacy International was critical of the delay, saying: “We are now eight months into the CJEU decision, and the slow pace by which changes are evolving in these jurisdictions is concerning, given how impactful these data retention regimes are on Europeans’ fundamental rights and freedoms.”
The group called on the member states to review their legislation and amend it as necessary, while asking the companies subject to the laws to challenge countries if the legislation isn’t compliant.
It also recommended that the European Commission issue guidance for states to review their data retention laws, to ensure they are compliant with the fundamental rights as the CJEU has interpreted them.
The countries surveyed were: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, France, Germany, Hungary, Ireland, Italy, Luxembourg, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the UK.