Pandora’s box and data retention obligations in Europe

Telcos (fixed, mobile and internet service providers) generate huge amounts of data. Increasingly, law enforcement officers around the world seek such information from service providers for use in criminal and national security investigations. To ensure the availability of such data, mandates are imposed (by law or regulation or through licensing conditions) under which data must be collected and stored in such a manner that it is linked to users’ names or other identification information. Government officials may then demand access to this data, pursuant to the laws of their respective countries, for use in investigations[1].

The first ideas for a data retention law can be traced back to the “International Law Enforcement and Telecommunications Seminars” (ILETS) held at the FBI Academy in Quantico, Virginia, in 1993. Later, a memorandum on the requirements of law enforcement agencies was signed between EU member states on a secretive committee working on plans for storage of telecommunications data in the Enfopol Papers[2]. The terrorist attacks in Madrid in March 2004 and in London in July 2005 further reaffirmed the need to adopt common measures on the retention of telecommunications data.

Soon after, Europe adopted the Data Retention Directive (DRD) in 2006 and placed an obligation on all Member States to transpose obligations on providers of publicly available electronic communications services and of public communications networks to retain the following data: the source of a communication; the destination of a communication; the date, time and duration of a communication; the type of a communication; where available, users’ communication equipment or what purports to be their equipment; and the location of mobile communication equipment. This data was to identify every subscriber or registered user specifically, and to be accessed for the investigation, detection and prosecution of serious crimes. The retention period was set at a minimum of six months and a maximum of two years. Member States had to decide the exact duration as well as the conditions under which the data may be accessed.

Ever since its inception, the DRD met significant resistance during its adoption process. After its adoption, we also witnessed a plethora of cases in Europe and ensuing preliminary references to the Court of Justice of the European Union (CJEU), attacking specific provisions of the national laws transposing the DRD. In 2014, through one of these cases, the CJEU in the Digital Rights Ireland Ltd ruling declared the DRD invalid, as it would allow Member States to make indiscriminate retention of users’ data mandatory, thus also going against the ePrivacy Directive. In 2016, the CJEU reaffirmed this in the Tele2 Sverige AB & Watson ruling (Watson ruling). This ruling also emphasized that any measures mandating data retention must also meet the requirements of what is called a prior independent review, a high level of protection of the data retained, and adequate after-the-fact notification to affected individuals whose data was retained.

Following this ruling, it was thought that the infamous DRD regime was finally dead and that all national laws which did not comply with the requirements set out in the Watson ruling would be declared unconstitutional, to be either withdrawn or amended. This, however, was not the case. To be fair, there were countries like the Netherlands, which immediately removed the DRD, and courts like the ones in Romania and the Czech Republic, which have ruled that national data retention laws based on the DRD are unconstitutional. Malta just left the DRD regime as is, and no court action or consultation was initiated on this front.

Surprisingly, however, back in 2007, in a case in Malta in which I was involved, Go Plc and Vodafone won an appeal, lodged before the coming into force of the DRD, in the court of Judge Philip Sciberras, when they resisted a blanket request by the police for mass disclosure of clients’ location data in various localities in Malta over established dates and times, despite a ruling to do so by the then Data Protection Commissioner, which was also confirmed by the Data Protection Appeals Tribunal. In this landmark judgment, the judge declared that any restriction on a human right had to be interpreted restrictively, and that it was not acceptable for a large number of mobile phone subscribers, about whom there was no suspicion, to have their data subjected to scrutiny without their knowledge.

As brief context, the Maltese DRD regime (Subsidiary Legislation 586.01) is still intact. Service providers are obliged to indiscriminately retain their users’ data (ergo that of nearly every person who has a telephone line, internet or mobile subscription) as mentioned above, and to make such data accessible to law enforcement agencies for the purpose of the prevention, investigation, detection and prosecution of serious crimes (which means any crime which is punishable by a term of imprisonment of not less than one year).

Other countries initiated processes at a national level, sometimes even pushed by local service providers, to declare their DRD laws unconstitutional, in some cases also ending up rebutting the outcomes of the Watson ruling. Of interest here are the following references pending before the CJEU: a preliminary reference filed on 25 September 2019 by the German Federal Administrative Court, the Estonian case (Case C-746/18), and the cases in France (case C‑511/18), in Belgium (case C‑512/18), and in the UK (case C‑623/17). On January 15th, 2020, Advocate General (AG) Manuel Campos Sánchez-Bordona released his opinions on the last three cases.

In a nutshell, the AG upheld the Watson ruling but also conceded that real-time collection of traffic and location data of individuals suspected to be connected to a specific terrorist threat (this was specific to the French case) would be permissible under the ePrivacy Directive, so long as it does not impose on the service providers an obligation to retain additional data beyond what is already required for billing or marketing services. He also stressed that the ePrivacy Directive would not apply if public authorities implement retention methods of their own accord, without any retention obligation on the service providers, to safeguard the national interest. The CJEU is expected to issue a final ruling on these cases by the third quarter of this year.

If the CJEU follows the AG’s opinion, even though the DRD regime might vanish, uncertainty might still reign and Pandora’s box will still remain open on data retention obligations in Europe. The Lex Vigilatoria, and the surveillance monster which Thomas Mathiesen describes in his book “Towards a Surveillant Society: The Rise of Surveillance Systems in Europe”, might already be gearing up for that eventuality.

Ian Gauci is the Managing Partner at GTG Advocates, Afilexion Alliance & Caledo Group. He lectures on Legal Futures and Technology at the University of Malta.

This publication is provided for your convenience and does not constitute legal advice.

This publication is protected by copyright © 2020 GTG Advocates.


[1] Center for Democracy & Technology, “Data Retention Mandates: A Threat to Privacy, Free Expression, and Business Development” (Oct. 2011), http://cdt.org/files/pdfs/CDT_Data_Retention_Paper.pdf

[2] Mathieu Deflem and Jeffrey T Ulmer, “Surveillance and Governance, Crime Control and Beyond” (Emerald Group Publishing Limited, 2008), p. 111.