Security

Look who's fallen foul of Europe's data retention rules. France and Germany

'Indiscriminate' preemptive harvesting of personal info a big no-no. What a novel concept


On Tuesday, the European Court of Justice (ECJ) issued rulings that limit indiscriminate data retention in France and Germany.

The French case involves two suspects, VD and SR, accused of insider dealing, corruption, and money laundering, who challenged the legal basis cited by the French Financial Markets Authority (Autorité des marchés financiers) to obtain personal data from telephone calls that had been stored for a year in case the info might be useful for criminal investigators.

The ECJ, based in Luxembourg, found [PDF] that the EU's Market Abuse Directive and the Market Abuse Regulation cannot ignore the EU's Directive on privacy and electronic communication.

Those rules, the ECJ said, "do not authorize the general and indiscriminate retention by operators providing electronic communications services of traffic data for a year from the date on which they were recorded for the purpose of combating market abuse offenses including insider dealing."

Separately, German telecom firms SpaceNet and Telekom Deutschland challenged the German legal requirement that companies retain traffic and location data for all customers' communications.

The ECJ determined [PDF] that EU law disallows national legislation that requires indiscriminate retention of telecom traffic and location data to fight crime and protect public safety.

"EU law precludes national legislation which provides, on a preventative basis, for the purposes of combating serious crime and preventing serious threats to public security, for the general and indiscriminate retention of traffic and location data."

The German law's requirement that telecom firms retain traffic data for 10 weeks and location data for four weeks could allow "very precise conclusions to be drawn concerning the private lives of the persons whose data are retained," the ruling explains.

The ECJ ruling says that mandatory data retention in defense of national security is allowable when there is a "a serious threat to national security that is shown to be genuine and present or foreseeable." Any such accommodation, the court says, must be subject to judicial review and must be of limited duration related to a specific threat.

German Justice Minister Marco Buschmann voiced support for the ECJ's decision via Twitter, calling it, "a good day for civil rights."

Matthias Pfau, co-founder of privacy-focused email service Tutanota, also applauded the ECJ's decision about the German data retention requirement.

"German governments have tried to pass data retention laws twice already," said Pfau in a blog post. "Each time, the law has been successfully fought in court and declared unconstitutional. In a free democracy, data retention can never be a proportionate method to prosecute criminals as it puts the entire population under general suspicion."

Pfau argues that while law-abiding citizens tend to be indifferent to data retention because they believe they have nothing to hide, such sentiment ignores the possibility of oppressive regimes coming to power and using data stores to target political enemies.

Putting everyone under blanket surveillance and violating their fundamental right to privacy, he argues, is simply not proportional to the need to combat crime. And that, he notes, is the position taken by the ECJ. ®

Send us news
12 Comments

What do the US midterm election results mean for a federal privacy law?

Spoiler: it may hinge on California's voting block

US Supreme Court asked if cops can plant spy cams around homes

ACLU argues for the Fourth

San Francisco politicians to vote on policy endorsing lethal force for robots

Asimov would like a word

Security firms hijack New York trees to monitor private workforce

Employee management tech raises eyebrows in the Big Apple

90+ groups warn US Senate of 'damaging consequences' from Kids Online Safety Act

The kids aren't alright

After years without data privacy rules, India floats two sets in a week

And ponders subsidies to attract big datacenter and content delivery network builds

Commercial repair shops caught snooping on customer data by canny Canadian research crew

Naming no names, but study finds trustworthy techs are hard to find

Twitter search spam campaign hides China riots, researchers say

Elon Musk meanwhile muses whether Apple 'hate[s] free speech in America' because the company mostly stopped advertising on Twitter

Germany says nein to Qatari World Cup spyware, err, apps

Norway, France also sound data privacy alarms

International cops arrest hundreds of fraudsters, money launderers and cocaine kingpins

$155,000-a-month lifestyle ends in cuffs for suspected crim

Russia-based Pushwoosh tricks US Army and others into running its code – for a while

Russian data trackers … what could possibly go wrong?

Block Fi seeks bankruptcy protection as 'shocking' FTX contagion spreads

Crypto lending biz wants its money back "as promptly as practicable"