Early this year the European Court of Justice declared the 2006 EU Date Retention Directive invalid. This is a very important turning point in the ongoing tug-of-war between privacy rights and security concerns, possibly a reversal of the tide that has been mounting since the beginning of the century. The directive was born in the post 9/11 world, when fear of terrorism peaked on both sides of the Atlantic. The balance of priorities at the time was all in favor of security and limiting privacy was seen as a small price to pay.
The ruling is the subject of a scientific paper and a presentation, delivered at the ISSE 2014 conference, in Brussels, on 14 October 2014, and published in the conference proceedings.
The directive mandated a period between six months and two years for the networks operators to conserve (“retain”) data about digital communications and users. The rationale being that mining this information is important for criminal investigations: networks of individuals involved in criminal activities can be reconstructed, leveraging the data, and evidence is preserved for a long time.
The European Court of Justice however, in its ruling, found the provisions for unlimited data retention clashed with European citizens’ fundamental rights to privacy and data protection, as enshrined in the Fundamental Charter of the European Union.
The paper tries to map the consequences of the repealing at various levels and for different actors. At the policy level this marks a growing concern about civil rights and privacy and a more rational view of the security necessity and the terrorist threat. Both the EU legislators will have to take this into account. On the other hand the national legislations that implemented the invalid directive were not touched by the Court ruling and it was up to the single states to reform them (in part they did).
Repercussions will probably influence the so-called data protection package -voted by the European Parliament in first reading right at the end of the last legislature- and the Trade and Investment Partnership (TTIP), for which negotiations are ongoing and that should regulate, among other things, the transfer of data (data flows) between EU and the USA. As the major reason for the retention was criminal investigations, the field of digital forensics will be influenced too, seen that the big datasets on communications were a key enabler in many respect.
The position paper puts forward some proposals on what can be done now to rebalance correctly the security and investigation necessities with fundamental liberties, recognizing that the directive was in fact unbalanced but also that some level of retention is probably needed. On the backdrop obviously loom the metadata NSA revelations of 2013, from which the public learned that also from “anonymized” metadata is very easy to identify the individual users.