ePrivacy: Private data retention through the back door
The ePrivacy regulation
The ePrivacy regulation currently under negotiation is supposed to supplement the General Data Protection Regulation (GDPR) by specific guidelines regarding telecommunication. This sector is currently covered by an EU directive dating back to 2002. An amendment is long overdue, but member states keep vetoing the process in order to weaken privacy protections.
“Reflection process” going on since March 2017
Ever since 2017, the EU ministers of justice and interior have been “deliberating” the Tele2 verdict by the European Court of Justice. The Court had declared the blanket retention of telecommunications metadata inadmissible. Yet the EU member states are unwilling to accept this ruling. During an informal discussion in Valetta on 26th and 27th January 2017, the justice and interior ministers expressed their wish for a “a common reflection process at EU level on data retention in light of the recent judgments of the Court of Justice of the European Union.” (Ref. EU Council 6713/17) to implement EU-wide data retention. This process was set in motion in March 2019 by the Presidency of the Council of the European Union. A sub-group of the Council's Working Party on Information Exchange and Data Protection (DAPIX) was put in charge. From the very beginning, this reflection process has mainly served the purpose of finding opportunities to implement yet another instance of data retention on the EU level. This has been proven by documents published by Statewatch.
Member states defiant
Instead of complying with the clear ruling by the European Court of Justice, the responsible ministers of member states are doing everything they can to resurrect data retention from its grave. Apparently, the delegations have agreed that the ePrivacy regulation that is negotiated in parallel should not interfere with this plan. On the contrary, they intend for it to serve as a basis for a new era of data retention. In a working document (WK 11127/17), the Presidency of the EU Council in 2017 concluded:
Delegations agreed that alongside developing specific legislation on data retention for the purposes of fighting crime, a complementary approach could be considered in the context of the e-Privacy Regulation. The aim of such an approach would be to ensure the availability of communications metadata processed for business purposes, while not imposing a specific storage obligation on providers for the purposes of prevention and prosecution of crime as such in the draft Regulation. Delegations expressed an interest to examine relevant elements of the e-Privacy Regulation proposal to that end.
Private data retention
In plain words, this means: If the courts will not allow us to impose data retention, then we will simply provide the service providers with incentives to ensure that they will do so by their own choice. That is why the ePrivacy regulation is intended to give the service providers manifold permissions to store data for a wide variety of reasons (see article 6 of the draft of an ePrivacy regulation). Those responsible are relying on the assumption that the providers’ appetite for data will be sufficient even without an explicit obligation to retain data. With this, a large hurdle for EU-wide data retention would be overcome: retention is assured. All that would be missing is an authorisation for the police, the secret services and others to access those data.
Outsourcing governmental functions to private corporations
The immediate problem with this type of private data retention is the fact that it weakens the protection of all users’ personal data against data hungry corporations that are only interested in profit. What's even worse is that once again, a governmental function is being outsourced to private corporations. These corporations are not subject to democratic scrutiny, and they are given ever more power over the countries concerned.
Legal uncertainty for business
The hurdles for criminal investigators to get access to data are already very low in Germany. The e-mail provider Posteo for example had to pay a fine because they were unable to provide the IP addresses from which a certain e-mail account had been accessed to the criminal investigators. Posteo simply hadn’t stored those data; they were erased as soon as they were received. The Court declared the fine to be justified. This decision could easily lead to a situation where private companies prefer to err on the side of caution and store even more data, just to avoid such fines.
Ensuring the availability of data
The draft ePrivacy regulation as proposed by the European Commission in 2017 placed relatively strict duties on service providers regarding data protection. For example, they were obliged to either erase or anonymise all data that was no longer needed. That this is diametrically opposed to the goal of private data retention is something the DAPIX task force noticed, too. As the Presidency of the EU Council stated:
During discussions in DAPIX – FoP the idea to broaden the grounds of processing in Article 6(2)(b) (as the text stands at the moment) – fraudulent or abusive use – and introduce a concept to enable processing of data for addressing possible “illicit use” of electronic communications services. This would enable processing for a broader range of malicious behaviour beyond the “fraudulent or abusive use”. Should such approach be taken, further discussions would be needed, also taking due account possible changes in the structure of the e-Privacy Regulation.
In other words, service providers will be given the freedom to use and store data in order to prevent “fraudulent use or abuse”. And these data could then be picked up by criminal investigators.
Secrecy at all costs
Unfortunately, we do not know how the German Government argued with respect to the issues mentioned. Our request for the disclosure of related documents was largely denied by the Council of the European Union long after the legal deadline was missed. A disclosure would be a threat to public safety, the secretariat declared. The risk to the relationship of trust between the member states and Eurojust would be too severe.
Furthermore, such a disclosure would threaten ongoing criminal investigation or judicial procedures. We were not given any details. We have lodged an appeal against this dismissal. As of today, we have not received an answer from the European Commission. We have only been asked for patience as these procedures take time. Also, we have submitted several requests to German ministries pursuant to the Freedom of Information Act. Any results will be made known on this blog.
We liberate documents
It is impertinent to contemplate surveillance laws that would clearly be illegal. But this is exacly what the DAPIX task force is doing, and they are doing it behind closed doors. The changes they propose can be found in the current draft ePrivacy regulation. We will continue to request documents from the EU and the German government in order to inform you. And as soon as the Trilog negociations between EU Council, Commission and Parliament begin, we will voice our concerns and demand: No data retention through the back door!
► Digitalcourage e.V. engagiert sich seit 1987 für Grundrechte, Datenschutz und eine lebenswerte Welt im digitalen Zeitalter. Wir sind technikaffin, doch wir wehren uns dagegen, dass unsere Demokratie „verdatet und verkauft“ wird. Seit 2000 verleihen wir die BigBrotherAwards. Digitalcourage ist gemeinnützig, finanziert sich durch Spenden und lebt von viel freiwilliger Arbeit. Mehr zu unserer Arbeit.