Activists fighting to protect people in the European Union from mass surveillance rejoiced when the European Union Court of Justice (CJEU) invalidated the EU Directive on Data Retention in April of 2014, declaring it a violation of fundamental rights (see our previous post).
Since then, legislation on data retention has repeatedly been brought into question in courts across the EU.
After courts invalidated data retention laws in Ireland, Austria, Romania, Slovakia, and Slovenia in 2014, now, in the same week, data retention laws in the Netherlands and Bulgaria have also been rejected by their national courts. Yesterday, the Swedish Administrative Court of Appeal decided to refer the Swedish national data retention law, which was also based on the EU data retention directive, to the CJEU.
The good news doesn’t stop there. Data retention legislation is also being challenged beyond EU borders. Last month in Paraguay, a bill causing serious privacy concerns was rejected by the House of Representatives (see our post). This surprising victory demonstrated how powerful it can be when local and international digital rights organizations work together to fight for positive change.
New threats to privacy emerge
Unfortunately, we are also seeing new proposals emerge that would put privacy and other fundamental rights in jeopardy.
In Germany, a broad coalition at the Bundestag, the German legislature, has signaled its support for a new law on data retention. This development comes despite the fact that a previous bill was overruled by the German Constitutional Court, likely because recent terrorist attacks in the EU are serving to reinforce the arguments justifying the use of data retention for law enforcement purposes.
Also deeply troubling is a new proposal in France to reform intelligence services that was presented to the Parliament on March 19th. It includes highly worrying provisions that would allow law enforcement agencies to access metadata data in real time, indiscriminately collecting personal content within a certain geographical perimeter – all with limited or no judicial supervision. Activists are describing this proposal as a disastrous drift on surveillance. Several groups, including our friends at La Quadrature du Net and the FDN Federation, have already decided to bring a legal action (text in French is available here), denouncing the reinforcement of pervasive internet surveillance in France.
At the EU level, the European commission recently declared that it would not present any further legislation on data retention. Yet we’re seeing proposals such as EU PNR, which would allow authorities to collect and retain data on all passengers flying into, travelling across, or leaving the EU. The PNR proposal casts serious doubt as to whether there is enough political will in the EU to ensure that new laws protect people’s privacy.
Simultaneously, in Australia, new legislation on data retention has just jumped a legislative hurdle, passing in the lower house. If it comes into effect, it will allow Australian agencies to access some types of metadata without a warrant.
So where do we go from here?
Data retention laws are dangerous because they enable — and in some cases explicitly allow — untargeted mass surveillance. This is a dire threat to privacy and other fundamental rights, such as freedom of expression and freedom of assembly.
Access works to defend and extend the digital rights of users at risk around the world, and in the wake of our recent RightsCon summit in Manila, we’ve joined forces with the Electronic Frontier Foundation, Open Net Korea, and other digital rights groups to start a global coalition to fight data retention. At the same time, we are monitoring and participating in policy development processes around the globe, working to ensure that regulations aimed at enhancing security do not strip people of their rights.
We hope you join us in this fight.
Contribution by Justine Chauvin.