The European Court of Justice (ECJ) has effectively banned the general use of telecommunications data retention to fight crime across the European Union.
In a judgment delivered Tuesday by the Grand Chamber of the ECJ, the Court ruled that when the objective is the fight against crime, “the widespread and indiscriminate retention of traffic and location data exceeds the limits of what is strictly necessary and does not can be considered justified in a democratic society”.
“Criminal behavior, even of a particularly serious nature, cannot be treated in the same way as a threat to national security.
Traffic data is defined in EU law as “any data processed for the purpose of routing a communication over an electronic communications network or billing it”.
Location data is “any data processed in an electronic communications network or by an electronic communications service, indicating the geographical position of the terminal equipment of a user of a publicly available electronic communications service”.
It is more or less the same as what has been called “metadata” in the Australian data retention debate.
Ireland’s now invalid Communications (Data Retention) Act 2011 required telecommunications providers to retain all metadata for two years and make it available to the Gardaí, Ireland’s national police, following a a “request for disclosure” issued by an officer ranked chief superintendent. or above.
A request for disclosure could be made for “(a) the prevention, detection, investigation or prosecution of a serious crime, (b) the safeguarding of state security, [or] (c) the safety of human life.'”
A “serious offence” was defined as an offense punishable by five years or more in prison, or an offense listed in a schedule to the law.
Metadata is “no less sensitive” than content
“Given the sensitive nature of the information that traffic and location data can provide, the confidentiality of this data is essential for the right to respect for private life,” the court wrote.
The Charter of Fundamental Rights of the European Union guarantees both “the right to respect for one’s private and family life, one’s home and one’s communications” and “the right to the protection of personal data concerning one”.
While the Charter protects all personal data, the ECJ noted that traffic and location data are particularly sensitive.
“[Such] the data may reveal information about a significant number of aspects of the private lives of data subjects, including sensitive information such as sexual orientation, political opinions, religious, philosophical, societal or other beliefs and the state health.
This information enjoys special protection under EU law, for historical reasons which should be obvious.
“Taken together, this data can allow very specific conclusions to be drawn about the privacy of the individuals whose data has been retained, such as daily living habits, permanent or temporary places of residence, daily movements or others, the activities performed, the social relationships of these people and the social environments they frequent,” the court wrote.
“In particular, these data make it possible to establish a profile of the persons concerned, information which is no less sensitive, with regard to the right to privacy, than the content of the communications themselves.”
The CJEU judgment does not, however, prevent the retention of data to deal with threats to national security.
These threats include “the protection of essential functions of the state and the fundamental interests of society by preventing and suppressing activities likely to seriously destabilize the fundamental constitutional, political, economic or social structures of a country and, in particular, of directly threatening society, the population or the State itself, such as terrorist activities”.
“Unlike even particularly serious crime, a threat to national security must be real and present, or at the very least foreseeable, which supposes that sufficiently concrete circumstances have occurred to justify a generalized and indiscriminate measure. retention of traffic and location data for a limited period. »
A decision to implement data retention should be “subject to effective review” by a court or independent administrative body, the court said.
Convicted murderer Graham Dwyer could now be freed
The CJEU’s decision concerns the 2015 conviction in Ireland of Graham Dwyer for the August 2012 murder of Elaine O’Hara, an educator.
As the Guardian In other words, Dwyer had killed O’Hara after “preparing her for sadomasochistic fantasies that included stabbing women during sex.”
“He committed what prosecutors called ‘the near perfect murder’ but was arrested and sentenced to life in prison after police tracked his movements through text messages and phone data. There was no witness or physical evidence,” said the Guardian wrote.
“Dwyer appealed on the grounds that the retention and access to his mobile phone data breached EU law.”
According to Irish Examiner, families of homicide victims say some murders may now remain unsolved. They said it was “logical” that the protection of life should take precedence over the right to privacy.
But as noted by the CJEU, “the effectiveness of criminal proceedings does not generally depend on a single means of investigation but on all the means of investigation available to the competent national authorities for these purposes”.
Dwyer is not yet free, however. His lawyers must now convince the Irish Supreme Court that the ECJ’s ruling applies retroactively.
EU ruling gives ammunition to Australian privacy advocates
Australia’s mandatory data retention system is similar to the now discredited Irish system.
Australian telecom operators must retain metadata for two years.
Officers from a range of agencies above a certain rank can request the retained data to investigate crimes punishable by three or more years in prison – a lower threshold than in Ireland.
In fiscal year 2020-2021, more than 314,000 telco data requests were made through this system.
The ECJ ruling now gives Australian digital rights campaigners a leg up on their long-standing opposition to data retention.
“Australia’s data retention regime is essentially the same as the one the ICJ ruled illegal. It should be dismantled immediately,” said Justin Warren, president of Electronic Frontiers Australia.
“Surveillance is not security. If Australia is to continue to claim to be a democratic society, we must abandon the reflexive surveillance put in place to satisfy the authoritarian tendencies of law enforcement and certain political actors. Our individual and collective privacy must be restored,” he told ZDNet.
“Australia has to decide what kind of country it wants to be. We can either be a liberal democracy or a country that uses indiscriminate mass surveillance. We can’t be both.”
However, unlike the EU and unlike other liberal democracies, Australia does not have a charter or bill of rights, the document that underpins the ECJ’s decision.
In December 2021, the Home Office began work on a complete overhaul of Australia’s electronic surveillance laws.
The creation of a new Electronic Surveillance Act was a key recommendation of a comprehensive review of Australia’s intelligence community. It aims to unravel the tangle of surveillance laws.
Public submissions on this working document closed on February 11. An Exposure Draft of the Electronic Surveillance Bill is expected to be released for public comment in late 2022.