Judges of the Grand Chamber of the European Court of Justice in Luxembourg on 9 July 2013 adamantly asked for proof of the necessity and efficiency of the EU Data Retention Directive.
While the representatives of the EU member states, the Council, the Commission and the Parliament had to acknowledge a lack of statistical evidence, they still demanded the Court to reject the complaints from Digital Rights Ireland, the working group AK Data Retention Austria (who were joined by over 11,000 citizens in their legal action) and individual complainant Michael Seitlinger, an Austrian IT expert.
The recent revelations about surveillance programmes did not go unnoticed during the six hour hearing. The Advocate General will file his opinion on the case on 7 November 2013. Opponents of the controversial directive came out of the hearing optimistic for their cases.
The representative of the Austrian government provided the most extensive set of figures about the use of data stored by internet services and telecommunication providers, according to the now challenged Austrian data retention implementation programme.
Between 1 April 2012 und 31 March 2013, Austrian law enforcement asked for 326 sets of data. In 56 of the 139 procedures closed so far, the information received from data retained by providers helped to solve the cases, according to the Austrian government. The classification of these cases, 16 thefts, 12 drug cases, 12 cases of stalking, 7 frauds and 9 others resulted in one of the critical questions from Judge Thomas von Danwitz, the main court rapporteur for the case: "Was there a terrorist case?" Necessity, efficiency and, not the least, proportionality has been said by many observers to be the most sensitive points in the case.
Neither Austria's representative nor his colleagues from Ireland, Italy, the United Kingdom or Spain could deliver more solid statistics. There was no "scientific data" to underpin the need, said the representative of the United Kingdom, although the Madrid bombings of 2004 were cited as having motivated the passing of the legal instrument in the first place. The representative of the Council implored the Court not to take away instruments from law enforcement. Yet, Judge von Danwitz was obviously not to be convinced so easily. Given that the Commission in 2008 claimed not to have enough information for a sound review, the question was on what data the directive had been based in 2006, the rapporteur asked.
Judge von Danwitz also sharply called into question the reasoning of the Commission and some of the member states who argued that the protection of fundamental rights was up to member states, when transposing the directive into national law. The Court had, he said, to judge the directive itself and its compatibility with the European Charter of Fundamental Rights. Hielke Hijmans, head of the Policy and Consultations unit at the European Data Protection Suvervisor' office (EDPS), supported this. The EDPS was of the opinion that the data retention directive did not provide enough protection for privacy. It just passed the blindspot on to member states. The directive allows for storage of the traffic and location data for up to 24 months, something even the Austrian government representative who defended the directive seemed to be rather uneasy with. There could be chilling effects.
The surveillance programmes, including the tapping of EU citizen data by US agencies (via internet companies) under the Prism programme, were referenced by the Court. Thirty-six percent of the retained traffic data was stored by/at service providers in third countries, for example under the Safe Harbor agreement. Yet, it had become clear that this data in fact was not stored according to the legal obligation, calling into question the legality of the storage obligation in general, von Danwitz warned. Commission and most member states' representatives again had a hard time to answer these concerns. The Safe Harbor agreement allows for the transferal of data under the condition that companies sign up to certain minimal standards of data protection.
Have the opponents of data retention already won? While on Twitter many observers highly welcomed the critical questions, applauded the Court and even saw the data retention directive melting away, Rena Tangens, co-founder of Digitalcourage, and a spokesperson for Germany's working group AK Data Retention, said after the hearing: "No, the opponents have not yet won. But the extremely tough questions and harsh tone seem to be good signs. There is hope."
Internet Policy Review, Berlin, 09. Juli 2013