Look who's fallen foul of Europe's data retention rules. France and Germany
'Indiscriminate' preemptive harvesting of personal info a big no-no. What a novel concept
On Tuesday, the European Court of Justice (ECJ) issued rulings that limit indiscriminate data retention in France and Germany.
The French case involves two suspects, VD and SR, accused of insider dealing, corruption, and money laundering, who challenged the legal basis cited by the French Financial Markets Authority (Autorité des marchés financiers) to obtain personal data from telephone calls that had been stored for a year in case the info might be useful for criminal investigators.
The ECJ, based in Luxembourg, found [PDF] that the EU's Market Abuse Directive and the Market Abuse Regulation cannot ignore the EU's Directive on privacy and electronic communication.
Those rules, the ECJ said, "do not authorize the general and indiscriminate retention by operators providing electronic communications services of traffic data for a year from the date on which they were recorded for the purpose of combating market abuse offenses including insider dealing."
Separately, German telecom firms SpaceNet and Telekom Deutschland challenged the German legal requirement that companies retain traffic and location data for all customers' communications.
The ECJ determined [PDF] that EU law disallows national legislation that requires indiscriminate retention of telecom traffic and location data to fight crime and protect public safety.
"EU law precludes national legislation which provides, on a preventative basis, for the purposes of combating serious crime and preventing serious threats to public security, for the general and indiscriminate retention of traffic and location data."
The German law's requirement that telecom firms retain traffic data for 10 weeks and location data for four weeks could allow "very precise conclusions to be drawn concerning the private lives of the persons whose data are retained," the ruling explains.
The ECJ ruling says that mandatory data retention in defense of national security is allowable when there is a "a serious threat to national security that is shown to be genuine and present or foreseeable." Any such accommodation, the court says, must be subject to judicial review and must be of limited duration related to a specific threat.
- Dear Europe, here again are the reasons why scanning devices for unlawful files is not going to fly
- NSO claims 'more than 5' EU states use Pegasus spyware
- UK signs deal to share police biometric database with US border guards
- Draft EU AI Act regulations could have a chilling effect on open source software
German Justice Minister Marco Buschmann voiced support for the ECJ's decision via Twitter, calling it, "a good day for civil rights."
Matthias Pfau, co-founder of privacy-focused email service Tutanota, also applauded the ECJ's decision about the German data retention requirement.
"German governments have tried to pass data retention laws twice already," said Pfau in a blog post. "Each time, the law has been successfully fought in court and declared unconstitutional. In a free democracy, data retention can never be a proportionate method to prosecute criminals as it puts the entire population under general suspicion."
Pfau argues that while law-abiding citizens tend to be indifferent to data retention because they believe they have nothing to hide, such sentiment ignores the possibility of oppressive regimes coming to power and using data stores to target political enemies.
Putting everyone under blanket surveillance and violating their fundamental right to privacy, he argues, is simply not proportional to the need to combat crime. And that, he notes, is the position taken by the ECJ. ®