Indiscriminate data retention: Advocate General of the ECJ loses patience with politicians
It was an unusually strong rebuke coming from a prominent figure at the European Court of Justice, targeted at politicians of some EU member states who, despite unambiguous legal clarity and existing rulings, continue to call for indiscriminate data retention measures to be introduced. Advocate General Campos Sánchez-Bordona, a legal adviser for the European Court of Justice, caused a bit of a furore last week after releasing a statement about an upcoming ECJ ruling on the matter (Press release). In it, he makes blistering remarks about recent calls for indiscriminate data retention for the sake of fighting crime, coming out of France, Germany, and Ireland, and points out that such measures would be illegal for the purpose.
FAZ: All questions were answered long ago
Although his work titled “Advocate General's Opinion in Joined Cases” is not a law but a contribution to the legal debate and by no means binding, it is not unusual for the ECJ to follow the recommendations of their legal counsel. A decision on the issue of data retention is expected to come in early 2022. According to Sánchez-Bordona’s opinion, the case is absolutely clear, and the matter was thoroughly examined and explained over and over again. All open questions were addressed a long time ago, with the result that normally, data retention measures may only be used selectively and if there is probable cause. This has not changed, no matter the frequent attempts to undermine the fact.
Considering that Sánchez-Bordonas is a lawyer, his choice of language may appear somewhat unusual, in that he leaves no doubt about what he thinks. Perhaps this is one of the reasons why media outlets such as the German FAZ see the publication as the harbinger of a resounding defeat for the politicians. Indeed, the legal expert repeatedly states his surprise at the fact that some member states still demand a measure that previous rulings by the ECJ, made over the course of the past ten years, have deemed inappropriate and illegal. One might have expected the debate about this to be long over, especially as the European Court had actively sought the dialogue with national courts and explained its position in detail. In a nutshell: Probable cause is always required, and the state may not use surveillance measures without good reason. The only exception is a “threat to national security”, as was recognised in the case of Ireland:
“37. According to the Court, the general and indiscriminate retention of traffic data could be justified only on grounds of safeguarding national security, the importance of which goes beyond that of the other objectives referred to in Article 15(1) of Directive 2002/58’. (25)” (Original document)
The ECJ has made it clear that introducing measures to impose indiscriminate mass surveillance on European citizens for the purpose of fighting serious crime is not reconcilable with our fundamental European rights and values.
Experts and politicians have been arguing about data retention for almost fifteen years. Those in favour cite the need to fight organised crime, child pornography, illegal file sharing, and more recently also hate speech and other crimes. Those against argue that politicians cannot ignore judicial decisions and point out the importance of our fundamental rights and values.
However, unlike politics, both the national and the European judiciary have always been consistent: The German parliament first introduced data retention measures in 2007 to implement a corresponding EU directive that required the capture and storage of communication meta data, meaning information about who communicated when, where and with whom. As it happened, the German Constitutional Court overturned this law in 2010 and furthermore, the ECJ overturned the original EU directive in 2014. Sánchez-Bordona points to the unambiguous rulings dating from 2014, 2016, 2018, and 2020 to seriously wonder why there even is a debate about this today, considering the facts have not changed and the related judgments are considered final.
Meanwhile, the bodies representing industry and business, including the German Association of the Internet Economy (ECO), stand united in their opposition to indiscriminate data retention. The current case went to the ECJ through what was originally a federal court complaint lodged by two German Internet providers. mailbox.org is party to a wider constitutional complaint, with a decision by the Federal Constitutional Court pending since 2015, and currently still awaiting a ruling by the ECJ. The fight goes on, as the topic forms part of the coalition negotiations of the future German government, where it turns out the Liberals and the Greens are against it, while the Social Democrats are in favour – even though some of their digital experts, like the D-64 Foundation, strongly dissent. For the time being at least, indiscriminate data retention remains a zombie issue that refuses to die.
The coalition agreement adopts the proposals of the SPD-affiliated organisation D-64 and buries the VDS. It is to be replaced by concepts such as the login trap:
"In view of the current legal uncertainty, the upcoming ruling of the European Court of Justice and the resulting security policy challenges, we will develop the regulations on data retention in such a way that data can be stored in a legally secure manner on an ad hoc basis and by judicial order. With the login trap, we want to create instruments that protect fundamental rights and are freedom-oriented in order to achieve the identification of perpetrators."
With the login trap, operators of social networks are to be forced to cooperate with investigators via open standards, but they are only allowed to receive login data on an occasion-related basis, for example if there is a report of hate speech or child pornography.