The wholesale, indiscriminate retention of telecommunications data continues to excite legislators and law enforcement. In the European Union, countries continue to debate and pursue such measures, despite legal challenges.
The EU General Data Protection Regulation (GDPR), passed in 2016, limits the ways personal data is collected in terms of legitimate purposes. The European Court of Justice has also made it clear that the mass retention of phone and location data violates the EU鈥檚 Charter of Fundamental Human Rights.
Despite this, EU member states continue to subvert, by varying degrees, such protections. Fixated by notions of protecting society from the unsavoury and the criminal, lawmakers continue to flirt and court the mass surveillance properties inherent in such regulations.
A neatly grim example of this arose in July, when the Belgian parliament mandating the retention of user data by telecommunications and internet providers. This was a second run by the parliament, in April 2021 by the Belgian Constitutional Court of the previous data retention law. That particular statute permitted the storage of every Belgian鈥檚 telecom, location and internet metadata for up to 12 months. Those behind the new law, such as the Minister of Justice Vincent Van Quickenborne, claim it is a targeted measure that preserves privacy; in truth it permits general data surveillance.
In Germany, the debate has been particularly strident. In 2010, the Constitutional Court annulled the first data retention law. Five years later, data retention was re-introduced, though not implemented, given court rulings.
Despite arguments favouring its implementation, the investigation and prosecution of crime with high degrees of success without any such regime in place. In January this year, the statistics on crime clearance rates published by the German government that聽a mere 3% of child sexual abuse material investigations between 2017 and 2021 could not be pursued for want of records of IP addresses.
The current coalition agreement, while supporting the retention of communications data, specifies that it be done 鈥渙n an ad-hoc basis鈥 and only via judicial order. But the Social Democratic Minister of the Interior, Nancy Faeser, is a steadfast devotee of such retention, a fan of indiscriminate surveillance.
Faeser and her surveillance fan club got an answer last month with the ruling by the Court of Justice of the European Union (CJEU) that Germany鈥檚 general data retention law breached EU law. The case was triggered by action taken by Deutsche Telekom unit Telekom Deutschland and the internet service provider SpaceNet AG. The CJEU鈥檚 opinion was duly sought by the German court. The judges found that 鈥淓U law precludes the general and indiscriminate retention of traffic and location data, except in the case of a serious threat to national security鈥.
The court with the law鈥檚 鈥渂road set of traffic and location data鈥 retention requirements to be kept over periods of 10 and four weeks respectively. This could lead to 鈥渧ery precise conclusions to be drawn concerning the private lives of persons whose data are retained, such as habits of everyday life, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them and, in particular, enable a profile of those persons to be established鈥.
The CJEU did not do away with the idea of bulk data retention, merely noting a growing list of exceptions that states are bound to exploit.聽 In the German case, specific contexts might involve a grave threat to national security.聽 There would also have to be court oversight, discrimination in terms of targeting, and a specific period of time.
In another joined case, the CJEU that financial market regulators cannot use EU laws to target insider dealing and market manipulation by forcing telecom providers to supply the personal data of suspect traders to the authorities. The French law in question, justified on the basis of fighting crime, permitted the retention of such traffic data for up to one year from the day of its recording.
National legislation requiring telecommunications operators 鈥渢o retain generally and indiscriminately the traffic data of all users of means of electronic communication, with no differentiation in that regard or with no provision made for exceptions and without establishing the link required [鈥 between the data to be retained and the objective pursued鈥 fell outside what was 鈥渟trictly necessary and cannot be considered to be justified, in a democratic society鈥.
While European judicial bodies with teeth rein in the way data retention is used, when and if it should even be permitted, countries such as Australia continue to show faith in the very idea. Last month鈥檚 hack of the country鈥檚 second largest telecoms company, Optus, was a reminder that unnecessary data retention measures are an incitement for unlawful access.
In 2015, when the Data Retention Bill was introduced, advocates and those in the telecommunications industry had reason to be worried. In testimony to the , Telstra's director of government relations, James Shaw, that the telco鈥檚 practice over peak times such as New Year鈥檚 Eve was to only retain some data for a few hours before being overwritten. This was markedly shorter than the Bill鈥檚 proposed two-year retention period.
Telstra鈥檚 chief information security officer Michael Burgess that such legislative requirements would embolden hackers. 鈥淲e would have to put extra measures in place 鈥 to make sure that data was safe from those that should not have access to it.鈥
Electronic Frontiers Australia executive officer Jon Lawrence was even more trenchant in to the Joint Committee that such data retention requirements were an 鈥渦nnecessary and disproportionate invasion of privacy鈥 and would 鈥渓iterally be a honeypot to organised crime, to any sort of person who can potentially access it鈥.
Despite such warnings, the Joint Committee approved the bill, subject to a number of vague and ineffectual recommendations about security and appropriate data use. This has left those in Australia vulnerable to data loss and unprotected by the woefully inadequate Privacy Act 1988. But even the European example shows us that the forces of law and order remain attritive in their efforts to undermine rights and liberties via requirements for data storage. Even in the face of judicial rulings and precedents, the attempt to maintain mass surveillance through data retention regimes remains a burning, threatening issue.
[Dr Binoy Kampmark was a Commonwealth Scholar at Selwyn College, Cambridge.聽 He currently lectures at RMIT University. Email: bkampmark@gmail.com.]