On Tuesday, the European Court of Justice (ECJ) delivered rulings that limit blind data retention in France and Germany.
The French case involves two suspects, VD and SR, accused of insider trading, corruption and money laundering, who challenged the legal basis relied on by the Financial Markets Authority to obtain personal data from ‘phone calls that had been stored for a year in case the information might be useful to criminal investigators.
The ECJ, based in Luxembourg, concluded [PDF] that the EU Market Abuse Directive and the Market Abuse Regulation cannot ignore the EU Privacy and Electronic Communications Directive.
These rules, said the ECJ, “do not authorize the general and indiscriminate retention by operators providing electronic communications services of traffic data for one year from the date on which it was recorded for the purpose of combating market abuse crimes, including insider trading”.
Separately, German telecommunications companies SpaceNet and Telekom Deutschland have challenged the German legal requirement that the companies retain traffic and location data for all customer communications.
The CJEU determined [PDF] that EU law prohibits national legislation that requires indiscriminate retention of telecommunications traffic and location data to fight crime and protect public safety.
“EU law precludes national legislation which provides, as a preventive measure, for the purposes of the fight against serious crime and the prevention of serious threats to public security, the general and indiscriminate retention of personal data traffic and location.”
German law’s requirement that telecom companies retain traffic data for 10 weeks and location data for four weeks could allow ‘very precise conclusions to be drawn regarding the privacy of individuals whose data is retained’ , explains the decision.
The CJEU ruling states that mandatory retention of data for the defense of national security is permitted where there is “a serious threat to national security which is demonstrated to be real and present or foreseeable”. Any such accommodation, the court said, must be subject to judicial review and must be of limited duration tied to a specific threat.
German Justice Minister Marco Buschmann voiced his support for the ECJ ruling by Twittercalling it “a good day for civil rights”.
Matthias Pfau, co-founder of privacy-focused email service Tutanota, also applauded the ECJ’s ruling on Germany’s data retention requirement.
“German governments have tried to pass data retention laws twice before,” Pfau said in a blog post. “Each time, the law has been successfully challenged in court and declared unconstitutional. In a free democracy, data retention can never be a proportionate method of prosecuting criminals because it brings the whole population under general suspicion.”
Pfau argues that while law-abiding citizens tend to be indifferent to data retention because they believe they have nothing to hide, such sentiment ignores the possibility of oppressive regimes coming to power and using data stores to target political enemies.
Putting everyone under blanket surveillance and violating their basic right to privacy, he argues, is simply not commensurate with the need to tackle crime. And that, he notes, is the position taken by the ECJ. ®
