The ECJ just declared German data retention law illegal. Why this is a good thing and why the fight is not over.
What is data retention? Data retention is the collection of your data without cause. This is the very reason why we must fight it.
The European Court of Justice (ECJ) has just issued an amazing ruling on data retention: Your telephone and online communication data must not be stored without cause, which makes data retention illegal in Europe. The ruling comes after a lawsuit issued by German telecommunication providers Deutsche Telekom and SpaceNet. Now we must keep fighting data retention laws worldwide!
With the ruling, the ECJ confirmed its previous decisions. According to the court "the general and indiscriminate retention of traffic and location data as a preventive measure to combat serious crime and to prevent serious threats to public security" contradicts European law.
Reaction of German politicians
Konstantin von Notz, Deputy Chairman of the Green Party, and Helge Limburg, Spokesman for Legal Policy, announced: "Data retention belongs in the dustbin of history. In their coalition agreement, after intensive debates, all parties have jointly agreed in crystal-clear terms to no longer monitor the population without any further reason, but instead to ward off dangers in a targeted manner and to pursue an overall security policy that is oriented toward fundamental rights and based on the rule of law. We stand by this. We see no legal or political scope for a new version of data retention of any kind."
German Justice Minister Marco Buschmann (FDP) tweeted: "A good day for civil rights! The ECJ has confirmed in a historic ruling: The data retention without cause in Germany is unlawful. We will now swiftly and finally remove the data retention without cause from the law."
Why general surveillance is dangerous
German governments have tried to pass data retention laws twice already. Each time, the law has been successfully fought in court and declared unconstitutional. In a free democracy, data retention can never be a proportionate method to prosecute criminals as it puts the entire population under general suspicion. While everyone understands how data retention could help to solve crimes, it is much harder to explain why data retention is dangerous for every citizen.
Data retention puts the entire population of a country under general suspicion. Law-abiding citizens often believe that data retention is not a problem for them because they have nothing to hide. The problem, however, is that they are living in a free and open democracy.
Let me explain this with what we in Germany call the Corona-paradox: Because measures to curtail the virus in Germany have been very successful, many people believe that any form of precaution is not necessary anymore.
It is the same with laws to retain data: Because we live in a free and open democracy, we believe that no harm will come to us even if the government was able to get access to our entire online communication, to every website we visit, to our location profile, and more.
Both assumptions are fundamentally wrong. While the first one is rather obvious - curtailing the virus was so successful because most people in Germany were taking precautions - the second one has multiple facets:
First, you never know if the country remains a democracy and you can never know if the data collected today might harm you tomorrow. The dangers of an overly knowing government were demonstrated twice in German history with the Gestapo in World War II and the StaSi in the GDR.
Second, putting the entire population under general suspicion by introducing data retention laws and neglecting their fundamental right to privacy can never be declared a proportionate measure to combat crime. That's also the position of the European Court of Justice.
Third, a general surveillance like data retention is not necessary to help the police increase the number of crimes solved. Other measures, like specialized IT task forces, more and better educated officers, and more is needed.
What is data retention
Data retention is the collection of everybody's data without cause.
Or in longer words: Data retention is a criminal policy instrument that obliges providers of electronic communications services to make available certain data collected by them for the purpose of prosecuting criminal offenses.
In doing so, the storage period usually goes well beyond the duration permitted for purely contractual purposes such as the billing of fees. The storage also does not take place because of a specific suspicion of a crime, but is applied to everybody's data - in case a crime is noticed at some point in the future.
Therefore, the data of all contractual partners of the provider are stored "on reserve" without any reason.
The question what is data retention can be easily answered. But why do authorities want it at all?
Why authorities want it
Most of the times, the authorities argue that they need data retention to fight crimes such as terrorism and to protect children as this cartoon illustrates:
They say data retention is necessary due to the drastic increase of online usage and online communication. This would make the work of the authorities to combat terrorism and organized crime much more complicated.
History of data retention in Germany
German governments have tried to pass a data retention law multiple times. But each time, lawmakers failed because the Federal Constitutional Court declared general data retention without probable cause as unconstitutional. The court argued that the right to privacy is protected by the German constitution. Thus, it is not allowed to store personal communications' data of all citizens.
Similarly, the European Court of Justice declared the European Directive 2006/24/EC for data retention as invalid. At that time the court argued that a general surveillance of the public would violate fundamental rights.
Criticism of data retention
Data retention won't increase security
The most obvious reason why the retention of telephone and telecommunication data is not necessary is actually a study done by the German Federal Office of Criminal Investigation on what is data retention and how it affects the solve rate of crimes. This is the very organization in Germany that wants data retention the most.
According to the study, the clarification rate with data retention was only 0.006% higher than without data retention.
This low percentage of additionally solved cases does not justify the surveillance of more than 80 million innocent people.
In addition, we must also keep in mind that data retention of IP addresses, for example, becomes pointless when criminals cover their tracks by hiding their IP addresses or by using the darknet.
Protect the children
The recent debate about a new data retention law was sparked by some high profile cases against pedophiles in Germany. Everyone wants these criminals to be prosecuted.
However, the assumption that data retention would limit the presence of network pedophile data is simply naive due to the existence of technical circumvention possibilities as well as the fact that most of the perpetrators operate in far-away countries.
In contrast, the loss of the digital civil liberty caused by data retention - which the Federal Constitutional Court and the European Court of Justice have already declared unconstitutional - would mean the total surveillance of all online communication without exception, including messaging services, calls, and video calls as well as the creation of motion profiles and website visits.
In addition to prosecutors, the collected data needs to be stored at the communication service providers. This also leaves the data vulnerable to abusive access by malicious attackers or corrupted employees.
This is a risk no any government should force its citizens to take.
Eight myths about data retention
Thomas Stadler, lawyer, specializing in IT legislation, has summarized eight myths about data retention and what it is. The whole blog post is a must-read for anyone whether you are in favor of or in opposition to data retention. Here is the most important myth about data retention in Germany:
A constitutionally compliant new regulation of data retention would be easily possible.
While officials argue that it would be considerably easy to pass a data retention law that is in line with the German constitution, the ruling by the Federal Constitutional Court is requiring a lot for a data retention law to be acceptable:
The law must include ambitious and clear regulations with regard to data security, data use, transparency and legal protection. The European Constitutional Court (ECJ) goes even further by explaining why the European data retention directive is disproportionate. Since the ECJ does not explain the requirements for a regulation in conformity with fundamental rights, it seems impossible to pass a data retention law in a legally secure manner.
So while most European countries do have data retention laws, Germany at the moment is the only country that complies with European law by not having a data retention law.
Another recent ruling by the European Court of Justice shows the significance of the right to privacy. Consequently, it must be expected that a new data retention law will have very little chances of being accepted by the European court.
Call for freedom laws
The civil rights organization Digitalcourage also summarizes everything that is wrong with data retention:
"For decades, the pressure to monitor has been increasing against the population living in compliance with the law. For people, it makes no difference whether it is state or private surveillance or a mixture. The surveillance pressure is already too high. Freedom laws are necessary."
With data accumulation by corporations, such as Google, Clearview AI, and others, people's privacy is constantly being threatened. We must not add to this by implementing data retention laws.
Any form of data collection - whether initiated by private companies or required by the government - puts people at risk. Their data, easily available to prosecutors, can make them a suspect as this article explains: Using Google's location tracking can put innocents in jail.
This reverses the logic of law enforcement: Prosecutors do not have to prove that you have done a crime; but when your smartphone has been detected near a crime scene, you have to prove that you are innocent.
Instead of data retention, we need freedom laws.
Data retention illegal in Europe?
The ruling by the ECJ - again - declares data retention without cause illegal in Europe.
While this is great news for privacy fans, it does not mean that the fight is over. There are still a lot of countries that do have data retention laws, even in Europe.
The question that must be asked is: How come some European countries still have data retention laws (though most inactive due to court decision)? Is it just because no one has issued a lawsuit against these laws? The list of countries that still have such laws shows that the fight is not over. We must make sure that our data is kept secure from prying eyes, everywhere, not just in Germany.
Countries with data retention laws
- Australia
- Belgium
- Denmark
- France
- Italy
- Norway
- Russia
- Serbia
- Slovakia
- Switzerland
- United Kingdom
Countries with no data retention laws
- Argentina
- Brazil
- Czech Republic*
- British Virgin Islands
- Germany*
- Japan
- Panama
- Romania*
- Sweden*
- Taiwan
- USA (but lots of companies voluntarily share data with the authorities)
- These countries do have a data retention law, but it has been declared illegal and is inactive.
Data retention is still a very popular method for politicians to seemingly fight crime quickly. This is why we as citizens must remain vigilant and hold politicians to account if they plan to pass new surveillance laws.
Our right to privacy is a basic human right and must be defended.
Matthias is co-founder and developer of Tutanota. I write code to fight for our human right to privacy. I want to create a cloud service which is so easy to use and so secure that it locks out all the spies. We really deserve better.