Blanket data retention: biased study by the EU Commission

Screenshot des Vertrags der Studie
In November 2019, the EU Commission ordered a study on mass data retention of telephone and internet data. The Belgian consulting firm Milieu was awarded the contract and is to complete the study by mid-2020. Milieu is to prepare a retrospective fact finding support study, which is to provide the Commission with facts supporting the reflection process that has been ongoing since 2017. We have criticised this reflection process on several occasions, because it merely explores options for blanket mass surveillance without examining alternatives that may be more favourable to the people's fundamental rights.

Plans partly made public

In early 2020, MEP Patrick Breyer made the contract public with the help of a transparency request via AsktheEU.org (PDF document at digitalcourage.de).
However, when the Commission made the contract publicly available, it did so in redacted form, with a total of 32 completely blackened pages. We criticise that the Commission blacked out such a large proportion of the text, apparently valuing Milieu’s business interests higher than the public interest in political processes in the EU. 

Biased questions, biased answers

Judging by the parts of the contract that were made available, Milieu's contract for the EU data retention study is formulated in a way that neglects the perspective of freedom and fundamental rights. Accordingly, we expect a result that does not give sufficient regard to fundamental rights and freedoms.
 
The study, entitled Study on the Retention of Electronic Communications Non-Content Data for Law Enforcement Purposes, is to collect data from 10 member states (AT, EE, FR, DE, IR, IT, PL, PT, SI and ES) from the beginning of 2019 until August 2019, with at least six stakeholders being consulted per country. The objectives of the study (p. 5) are 
a) an overview of existing data retention laws and practices, 
b) an identification of operational storage practices of telecommunications service providers, 
c) identification of specific needs of criminal investigation authorities; and 
d) identification of challenges posed by technological developments (including 5G, dynamic IP addresses and encryption)
 
An interim report will be submitted to the Commission in March and the study is scheduled for completion in May to mid-June 2020.
 

Digitalcourage: Criticism of the EU Commission's study on retained data

No question whether data retention is of any use: In the contract on the data retention study, the benefit of data retention is assumed to be given (p. 1). For example, it is assumed that data retention is a necessary and effective means of combatting child pornography. We criticise that the necessity and effectiveness of mass surveillance still has not been proven. A neutral study should not assume the benefit of blanket mass surveillance, but should first prove it.
 
Core question ignored: The study regards the question of regulating access to retained data as a possible means to mitigate the encroachment of fundamental rights by blanket mass surveillance (p. 2). In our opinion however, this could lead to one decisive characteristic of data retention being overlooked: the collection and storage of the population's communication data is already a disproportionate encroachment on fundamental rights, regardless of who accesses the data at a later date, and for what purposes.
 
Legal expansion instead of law enforcement: The EU Commission is in favour of harmonising the regulations for data retention in the EU. At present, there are EU countries with data retention obligations of varying severity, countries with no data retention obligations, and countries where constitutional courts are currently reviewing data retention laws. While the study asks how member states enforce their mass surveillance, for instance by limiting it to certain categories of data or periods of time despite the rulings of the EU Court of Justice, it ignores the question of how the rulings of the EU Court of Justice can be enforced in order to achieve harmonisation.
 
The goal is surveillance, not freedom or security: In our view, the above-mentioned objectives of the study are lacking some essential points. For example, it does not include 1. an overview of investigation methods that do not require mass surveillance, 2. an evaluation of the necessity and effectiveness of data retention regimes, 3. an assessment of the technological impact, 4. an evaluation of the consequences for democracy and civil rights and freedoms, 5. an evaluation of the chilling effects that are induced by already existing measures of telecommunications surveillance, 6. an identification of the requirements of democracies and the rule of law, 7. an evaluation of investigative errors and weaknesses in both the police and the secret services in terrorism cases (in Germany, see for example: NSU, Anis Amri and others).
 
Biased selection of stakeholders: For a study like this, all stakeholders should be interviewed. However, only the following are explicitly mentioned: investigative authorities, telecommunications companies, telecommunications supervisory authorities and EU institutions (p. 6). Not explicitly mentioned are for example: data protection supervisory authorities, fundamental rights organisations or other civil society stakeholders.
 
Facts beyond court rulings: A retrospective fact finding support study is to be prepared. It looks like it is going to be hard to find facts that will be taken seriously and treated with respect: the EU member states have declared before the EU Court of Justice that they do not wish to implement its ruling on data retention, we reported on this.
Since surveillance is pursued so zealously that even rulings of the EU Court of Justice are no longer respected as facts, and the EU Commission is not taking any action to enforce these rulings, we assume that law enforcement agencies, secret services and governments will ignore all other facts as well.
 
The study does not ask about threats: For the identification of national data retention practices, the study is to elicit which data are stored for which period of time, and what procedures for accessing the data are in force. (p. 6f). The contract lists 13 detailed questions, none of which deals with the threats of data retention, data leaks or misuse, even though there is ample reason to do so, for example after the case in Denmark (see article on heise.de).
 
Singular focus on benefits, risks ignored: While the identification of benefits of data retention is formulated as a separate study task under point 4.3 in the contract, the contract does not contain an explicit requirement to assess the risks of data retention. For example, the study asks, Are the communications metadata non-content data used for the purpose of preventing crime? The follow-up question is, What is the benefit of such use of data? No questions are asked about the risks of preventive mass surveillance – this is biased. 

Unsere Arbeit lebt von Ihrer Unterstützung

Wir freuen uns über Spenden und neue Mitglieder.

Über uns

Digitalcourage e.V. engagiert sich seit 1987 für Grundrechte, Datenschutz und eine lebenswerte Welt im digitalen Zeitalter. Wir sind technikaffin, doch wir wehren uns dagegen, dass unsere Demokratie „verdatet und verkauft“ wird. Seit 2000 verleihen wir die BigBrotherAwards. Digitalcourage ist gemeinnützig, finanziert sich durch Spenden und lebt von viel freiwilliger Arbeit. Mehr zu unserer Arbeit.

Veröffentlicht am 18.03.2020

Marktstraße 18
33602 Bielefeld

Spendenkonto
IBAN: DE66 4805 0161 0002 1297 99
BIC: SPBIDE3BXXX
Sparkasse Bielefeld