Surveillance and Data Retention in the EU

13 Jan 2022

The Commission considers three policy approaches
Data Retention of traffic and location data
The retention of traffic and location data for a certain time by providers of electronic communication services has been a controversial topic over the past years amongst journalists, legal experts, human rights groups, privacy groups, and IT security firms.  It aims to safeguard national security and tackle crimes by detecting, preventing, prosecuting, or investigating them.

Directive 2006/24/EC
The EU Data Retention Directive came into force in 2006 (Directive 2006/24/EC). Its main objective was the harmonisation of member states` laws through the requirement of the retention of communication data for internet communications and mobile telephony, to achieve the aforementioned outcomes. The Directive made it necessary to retain the data that was required for tracing and identifying the source of communication and its destination, as this would allow the identification of the date, the duration, the time, and the type of the named communication. It would also help in identifying the communication equipment used by the specific user, the location of the mobile communication equipment, the data that consists of the name and address of the subscriber or the user, the telephone calling or caller`s number, the IP address for internet services, the communications` frequency of the user or the subscriber with specific persons during a specified period. Lastly, member states were required to retain details of call and internet data for a minimum of six months; and at most twenty- four months. This data had to be made available on request to law enforcement authorities.

Directive 2006/24/EC- Challenges
The Directive 2006/24/EC was applied into Romanian law in 2009, and the Constitutional Court of Romania (CCR) declared it to be in violation of constitutional rights of privacy, free speech, and confidentiality in communications. The European Commission sued Romania for not implementing the Directive. In 2012, the Romanian parliament passed a new law which two years later was also declared unconstitutional by the CCR, further highlighting the controversy of Data Retention. Similarly, the Czech and German Federal Constitutional Court supported that the national laws implementing the Data Retention Directive oppose the national constitutional laws in those member states.

Annulment of Directive 2006/24/EC
On 8 April 2014, the Court of Justice of the European Union (CJEU) declared the Directive 2006/24/EC invalid in the landmark Digital Rights Ireland case, as it was found to be in violation of fundamental rights. The reason was that it required the retainment of metadata about consumers` communication by the providers of electronic communications services, identifying the “who”, “where” and “when” of communications rather than the content of those communications. It has further been reported that the Council`s Legal Services has stated in a closed session that the European Court of Justice`s ruling`s paragraph 59, "suggests that general and blanket data retention is no longer possible". By annulling the Directive, the CJEU shed light on its faulty parts. Specifically, the data blanket retention violated the EU Charter of Fundamental Rights. Instead, the Directive should have differentiated the categories of data retained; and the objectives pursued. Those factors should also have an impact on the data retention period. Further, the Directive should have included objective criteria concerning the access to data by national authorities.

In 2014, the court confirmed and reinforced its reasoning regarding how indiscriminate data retention obligations on telecommunications providers are unjustified in a democratic society in Tele2/Watson case.

Despite the clarity of the judgments, several EU member states disregarded the CJEU’s rulings and continued implementing and/or adopting national data retention legislation. In the majority of those cases, the argument put forward was that the national regime was compliant because it was not in any way “restricted”, or outside of EU competence, consequently remitting the Court`s jurisdiction.

The Commission`s reluctant stance to tackle this issue is evident by its refusal to launch a single infringement procedure against the Member States that may be infringing the fundamental rights of their citizens. Instead, the Commission simply monitors the existing national data retention laws. As seen in the European Digital Rights` (EDRi) comparative report on data retention, individuals have to rely on civil society organisations and other stakeholders for challenging mass surveillance laws in their respective Member States and for protecting their rights.

Article 15(1) of the ePrivacy Directive (ePD)
The ePrivacy Directive of 12 July 2002 created an obligation for providers of services to erase or to anonymise the traffic data in their possession when it is no longer needed. This was highlighted in the La Quadrature Du Net and Others, French Data Network and Others, Orde des Barreaux Francophones et Germanophone and Others, and Privacy International cases. In these connected cases, the CJEU was asked to confirm its position for the third time, and it was asked to weaken the protections in place.

Article 15 includes the conditions that form the exceptions to the absolute obligation. Specifically, Article 15(1) allows member states to adopt their own national data retention laws in situations where such laws would be a necessary, appropriate, and proportionate measure within a democratic society to safeguard national security, defence, public security, and the prevention, investigation, detection, and prosecution of criminal offences when a crime is a ‘serious crime’. The Article does not prevent the retention of traffic and location of all users of electronic communications systems if such retention will be for a limited period of time. The instructions for such retention of data must be reviewed by a court or an independent legal administrative body, as verification that one of the situations that justify the retention exists and that the conditions and safeguards are observed.

Cyprus and phone data retention
In October 2021, the Supreme Court of Cyprus decided that the law (N.183(Ι)/07) requiring the retention of customers` data by telephone providers for six months and allowing the police to access the retained data was unconstitutional because it did not respect the right to private life and private correspondence. 

The potential future of data retention
Even though the CJEU has been repeating its rulings against data retention, seven countries including France and Spain, supported the idea of new data retention legislation at EU level at a closed-door video meeting that took place on February 8, 2021.

The leaked non-paper drafted by the Commission shows the three policy approaches the EU Law maker is considering, namely ‘’no EU initiative’’, ‘’non-binding guidance’’, and ‘’EU legislative initiative’’. The Commission`s choice is going to have an impact on the policy objectives of harmonisation, enforceability, and legality. If no legislation is produced, the EU would have to offer guidance at the EU level aiming to align the national approaches and to ensure that the Member States` national laws are in line with the CJEU rulings.
According to the no EU initiative approach, the Member States would have to ensure that their judgments at the national level adhere to the Charter of Fundamental Rights and the CJEU law so that the national specificities are considered. The Commission would not interfere through a regulatory or non-regulatory initiative but would support the Member States in this process.

The non-regulatory initiative on data retention is a non-binding approach aiming at assisting the member states to bring their laws to conformity. This approach includes the idea of the European Commission recommending or guiding the Member States through the issuance of an appropriate document.

Lastly, several regulatory initiatives on data retention could be used. The first proposal included in the Commission`s non-paper involves the harmonization of the criteria for generalized retention of and access to metadata for national security while leaving the Member States to conduct a risk assessment. On the other hand, there is a risk that the Member States may be misusing the risk assessment, as seen in France and its declaration of “state of emergency”, following the 2015 terrorist attacks. In its decision on mass telecom surveillance, the French Conseil d’Etat, reinterpreted the extend of “national security” more widely than the fight against terrorism, and included the prosecution of criminal offences. The French government considering the French data retention legislation its "constitutional identity" has asked the Conseil d’Etat, as it is the highest authority on administrative law in France, to shield it.

The second proposal includes the idea of categorising persons and geographical areas. Aiming to avoid discriminatory effects, the Commission describes in detail what would be included in those “objective” factors. Arguably, the targeting of “individuals convicted of a serious crime” may come in conflict with the principle of ne bis in idem, according to which nobody should be judged twice for the same offence. At the same time, this approach could be discriminative in “areas with above-average crime rates”, where communities could be unfairly stigmatized. The communities affected by the surveillance priorities are likely to be the poorer, racialised, and working-class areas.

The quick freeze option forms the third proposal, which would give the authorities fighting serious crimes, the possibility to order service providers to quickly retain traffic and location data they have in their possession.
Further, under the fourth proposal, the general retention of source IP addresses would be permitted for addressing serious crimes. Finally, the fifth proposal suggests that the same would apply for civil identity data when fighting ordinary crimes.

A major difference between the proposals and national laws is the type of national data retained as most national data retention laws only cover telecommunications providers. On the other hand, all the proposals include the OTT, including Facebook, Skype, and WhatsApp, as they collect more data for business purposes than traditional telecommunications operators.

What should be further considered, is how ‘serious crimes’ should be defined to ensure that member states have a common understanding of the term. Further a definition of the term ‘civil identity data’ should be given, as this is not included in the non-paper. This definition should include what should be covered in terms of technical and non-technical data, considering the latest CJEU ruling, according to which access to retained data should strictly be given in cases of serious crimes as the data would allow for a precise conclusion to be drawn about the users private lives.

In conclusion, a harmonised approach on data retention on surveillance is important in ensuring that Member States seize circumventing the CJEU’s requirements linked to fundamental rights by illegally maintaining data retention schemes. In order to achieve the best possible outcome, it is pivotal to actively engage civil society in this debate. 


ENISA Report on Engineering Personal Data Protection in EU Data Spaces
Google Commits to Deleting Browsing Data in Settlement Over ‘Incognito’ Lawsuit
Privacy Stakeholders Take Aim at Meta's 'Pay or Okay' Model
EU AI ACT: Plenary Vote Tomorrow, March 13th | On the Verge of History
Larnaca, Cyprus

32 Konstantinou Paleologou Street,
The Square, 2nd Floor,
6036 Larnaca, Cyprus

London, United Kingdom

71-75 Shelton Street
London WC2H 9JQ
United Kingdom

Get in touch

Tel: +357 24 32 33 33

Click here to Subscribe