Mass surveillance laws in operation across the European Union for nearly ten years have been dealt a serious blow by Europe’s highest court, the European Court of Justice. Though recent NSA revelations have cast a spotlight on spying and surveillance by the United States in Europe, few European citizens know about similar tactics, allowed unchallenged until now, by their own governments.
The Data Retention Directive, passed by the EU about a decade ago, allows phone companies and internet service providers to retain data of customers’ phone calls and email, as well as internet usage—the sites we visit, the searches we make—for two years. It also lets governments and intelligence agencies track and store this data on the movements, meetings, and phone and internet use of every EU citizen.
The Directive indiscriminately target half a billion people across Europe. The data can be used to build up a profile of someone’s private and social life, medical history, political connections, and economic activities. The opinion presented by the European Court of Justice advocate general, Pedro Cruz Villalón, is a first step towards more robust privacy and civil liberties in Europe.
In the opinion, Cruz Villalón decided that the massive infringement of privacy allowed by the Directive, and the threat this poses to fundamental rights in Europe, outweighed any alleged benefits. This decision affects everyone in the European Union who uses email, makes telephone calls, or has a smart phone that records their location.
Privacy is fundamental for democracy; we all need to be free to share and consume ideas and viewpoints without having to look over our shoulders. The Directive is a direct threat to this freedom and offers little protection when it comes to how our data may be used without our knowledge.
At best, the Data Retention Directive has a chilling effect on freedom of expression and media freedom; if people know their communications are being monitored this changes their behavior. At worst, the Data Retention Directive has allowed serious abuses to take place.
In Ireland, where the European Court of Justice case was started by my organization, Digital Rights Ireland, the protection and confidentiality of journalists’ sources is feared to be at risk through data retained under the Directive, in what journalists describe as a “Stasi-like” atmosphere of threats and surveillance by the Garda Siochána, the country’s police force.
Supporters of the Data Retention Directive point to its usefulness as a tool for law enforcement agencies. However, as the European Court of Justice has pointed out, the Directive does not effectively do that in its current form. Cruz Villalón criticized the Directive for not defining the concept of “serious crime” that allows law enforcement officials to use such data in the first place. He also found no reason why the upper limit for data retention is set at two years rather than less than one.
In the opinion presented, the advocate general described the Data Retention Directive as “a particularly serious interference with the right to privacy.” While this is not a binding decision, the opinion of the court’s advocate general tends to be a useful indicator as to how the court will rule on the matter.
Next year a binding decision from the European Court of Justice is expected. It is imperative that the court get this right. Quashing the Data Retention Directive is an important step in diverting Europe’s course away from becoming a surveillance state.