Will Europeans really be set free from data retention?

It appears the EU Data Retention Directive will soon be scrapped. On Thursday, the European Court of Justice Advocate General, Pedro Cruz Villalon, said the highly controversial law contravenes the Charter of Fundamental Rights of the European Union. While the statement was not a ruling, the Court of Justice usually follows the opinion of its Advocates General. But will implementing Villalon’s recommendations really free Europeans from mass surveillance?

Firstly, Villalon’s findings certainly renew our faith in the EU’s ability to rectify its own mistakes. The reversal of opinion is also a big win for online privacy activists and campaigners, especially for Digital Rights Ireland, which kicked off the court case against the directive back when it was first enacted in 2006 and pursued it all the way to the ECJ in 2010.

Villalon’s statement will also validate the justice systems of those EU countries that refused to implement the Data Retention Directive, despite the pressure from politicians. Sweden, Germany and Romania are all facing EU fines for ruling the law unconstitutional, with Germany being fined 315,000 euros per day until it obeys the directive.

Data retention 2.0

But if the ECJ does rule in favour of its advocate general, what will change exactly? Well, here’s where we can put our cynic hats back on. Let’s take a quick look at what Villalon actually said about the Data Retention Directive.

Firstly, we should remember the advocate general maintains the aims of the directive are valid and that it should remain in place until lawmakers come up with a better solution. However, Villalon agreed with what privacy campaigners have been saying for years, stating that, in its current form, the directive allows authorities to “create a both faithful and exhaustive map of a large portion of a person’s conduct strictly forming part of his private life, or even a complete and accurate picture of his private identity.”

He also said this type of surveillance would have a “chilling effect” on freedom of expression and that the directive is “as a whole incompatible with Article 52(1) of the Charter of Fundamental Rights of the European Union” because it’s “not accompanied by the necessary principles for governing the guarantees needed to regulate access to the data and their use.”

So all good stuff, but what the advocate general is essentially saying is that the aims of the Data Retention Directive are fine, and the actual process of collecting the data is fine, but there are not enough controls over how the data is accessed by the authorities. For instance, Villalon suggests that citizens must be notified after their data has been looked at. One reason for this is that the original directive was vaguely written, leaving scope for different countries to interpret what they could and couldn’t do with the collected data.

Villalon is also not calling for the directive to be ditched immediately. Rather, he says the decision should be suspended in order for lawmakers to address his concerns. So this isn’t exactly a scrapping of the Data Retention Directive, nor is it a recommendation that ISPs should no longer be forced to record our internet activity.

Do you trust the authorities?

Now let’s not rubbish Villalon’s recommendations – they’re all good and much needed. But he is not proposing an end to mass surveillance. What we really need is to end mandatory data retention altogether. Because as long as the data is being recorded and stored, the risk that it will be abused by the authorities, completely under the radar, will always remain.

But at the moment this is all speculation. It’s worth noting that a number of big EU countries (the UK and France in particular) are very pro-data retention. So it’s by no means certain that Villalon’s recommendations will be implemented. We will have to wait until some time next year to hear the ECJ’s ruling.
