France and Germany breach EU data retention rules • The Register

On Tuesday, the European Court of Justice (ECJ) issued judgments restricting arbitrary data retention in France and Germany.

The French case involves two suspects, VD and SR, accused of insider trading, corruption and money laundering, who challenged the legal basis cited by the French Financial Markets Authority (Autorité des marchés financiers) to obtain personal data from phone calls made for a year stored in case the information could be useful to criminal investigators.

The ECJ based in Luxembourg, found [PDF] that the EU Market Abuse Directive and Market Abuse Regulation cannot ignore the EU Data Protection and Electronic Communications Directive.

These rules, according to the CJEU, “do not allow operators offering electronic communications services to keep traffic data in a general and indiscriminate manner for one year from the date of their recording for the purpose of combating market abuse offences, including insider dealing.”

Separately, German telecom companies SpaceNet and Telekom Deutschland questioned the German legal requirement for companies to retain traffic and location data for all customer communications.

The ECJ definitely [PDF] that EU law prohibits national laws that require arbitrary storage of telecommunications traffic and location data to fight crime and protect public safety.

“Union law precludes national legislation that provides for the general and indiscriminate storage of traffic and location data as a preventative measure to combat serious crime and to avert serious threats to public security.”

The legal requirement that telecommunications companies store traffic data for ten weeks and location data for four weeks “can allow very precise conclusions to be drawn about the private life of the stored persons,” says the judgment.

The ECJ ruling states that mandatory data retention to protect national security is permissible where there is a “serious threat to national security which is proven to be real and present or foreseeable”. According to the court, such arrangements must be subject to judicial review and be of limited duration in the context of a specific threat.

Federal Minister of Justice Marco Buschmann spoke out in favor of the decision of the ECJ via twitterand called it “a good day for civil rights.”

Matthias Pfau, co-founder of the data protection-oriented e-mail service Tutanota, also welcomed the ECJ’s decision on German data retention.

“German governments have already tried twice to enact data retention laws,” said Pfau in a blog entry. “Each time, the law has been successfully won in court and declared unconstitutional. In a free democracy, data retention can never be a proportionate method of prosecuting criminals, as it puts the entire population under general suspicion.”

Pfau argues that while law-abiding citizens tend to be indifferent to data retention because they believe they have nothing to hide, this sentiment ignores the possibility of oppressive regimes coming to power and using data storage to attack political enemies.

Widespread surveillance of everyone and violating their fundamental right to privacy is simply not proportionate to the need to fight crime. And that is the position of the ECJ. ®