EU Member States are still working to adopt their position on the ePrivacy Regulation proposed by the European Commission in January 2017. A number of draft compromise texts have been published by the Council Presidency before discussions in the Working Party on Telecommunications and Information Society (WP TELE).

Unfortunately, the Council transparency in publishing those documents does not extend to the part of the ePrivacy Regulation that concerns data retention. This means mainly Article 11, which allows Member States to restrict the rights to data protection and confidentiality of electronic communication under certain conditions, in a similar way to Article 15(1) of the current ePrivacy Directive. This part of the ePrivacy Regulation is being discussed jointly by WP TELE and the Working Party on Information Exchange and Data Protection – Friends of the Presidency on Data Retention (DAPIX FoP), which is also tasked with analysing the implications of the Tele2 judgment (joined cases C-203/15 and C-698/15) from the Court of Justice of the European Union (CJEU).

Documents from these discussions are marked “LIMITE” and therefore not generally available to the public. An incomplete picture of the work is available through a combination of Freedom of Information (FOI) requests and leaked documents. It is known that DAPIX FoP has developed the concept of ”restricted data retention” which is a deliberately crafted attempt to circumvent the Tele2 ruling of the highest court of the European Union (the CJEU) with a data retention scheme that is, in reality, general and undifferentiated (and therefore illegal) while officially claiming not to be.

Recently, the working document WK 11127/2017 of 10 October 2017 was released in full through a FOI request by Corporate Europe Observatory. This document provides another piece of the puzzle regarding the secret data retention discussions in Council working groups by outlining two different strategies for storage of electronic communications metadata for law enforcement purposes.

The first strategy is based on data retained by providers of Electronic Communication Services (ECS) for business purposes. Article 6(2)(b) of the Commission proposal for the ePrivacy Regulation allows ECS providers to process electronic communications metadata for purposes of billing, calculating interconnection payments as well as stopping fraudulent or abusive use of ECS. The working document proposes to expand Article 6(2)(b) to include ”illicit use” of ECS, which would allow processing for a broader purpose than abuse or fraudulent use of the communications service itself. Potentially, ”illicit use” could include any crime or illegal behaviour committed by the subscriber with the assistance of the electronic communications service, even if the ECS provider is not the victim of the offence (such as through fraudulent use of the service). The working document further proposes a minimum six month retention period for electronic communications data processed under the broadened purposes of Article 6(2)(b).

In effect, this is mandatory blanket data retention disguised as storage of communications data processed for voluntary business purposes, like billing. When ECS providers process communications data for business purposes, the processing, and in particular any storage of personal data, should be limited to the duration necessary for this purpose. Setting a minimum mandatory retention period for communications data processed under Article 6(2)(b) will mean weakening the level of protection guaranteed under the General Data Protection Regulation (GDPR), which is not only unacceptable but also contradictory to the ePrivacy Regulation being lex specialis to the GDPR. If Member States want to “ensure” the availability of electronic communications data for law enforcement, this should be done by appropriately restricting the rights to data protection and confidentiality of communications in accordance with Article 11 of the ePrivacy Regulation and, in particular, in accordance with the CJEU case law which prescribes targeted data retention rather than blanket data retention.

The second consideration in working document WK 11127/2017 is to exclude processing for law enforcement purposes from the scope of the ePrivacy Regulation in Article 2(2). Under the current ePrivacy Directive, both the retention of electronic communications data and access to retained data by competent authorities is within the scope of the Directive. The working document suggests that excluding processing for law enforcement purposes from the scope of the ePrivacy Regulation could ”bring more clarity to the legal context of data retention”. This would put national legislation for mandatory data retention outside the scope of the ePrivacy Regulation and possibly even outside the scope of EU law, which would be very dangerous for fundamental rights. It could also be considered that it does not put this activity outside the scope of EU law (or at least not fully), as data retention could be considered an exception to the GDPR. So much for “clarity”.

The current ePrivacy Directive provides legal clarity for the retention of electronic communications data and access to the retained data since both types of processing are covered by Article 15(1) of the Directive. Furthermore, CJEU case law provides specific conditions for retention and access to electronic communications data, which ensure appropriate safeguards for fundamental rights. Excluding processing for law enforcement purposes from the scope of the ePrivacy Regulation would bring less legal clarity, not more. In addition, a Regulation aimed at protecting personal data and confidentiality of electronic communications would be deprived of its purpose if certain types of processing (such as “processing for law enforcement purposes”) are completely excluded from its scope. This was also noted by the CJEU in paragraph 73 of the Tele2 judgment.

On 25 April 2018, EDRi member Statewatch published a recent document from the Bulgarian Council Presidency on data retention. Working document WK 3974/2018 looks at the “renewable retention warrant” (RRW). The intention is that competent authorities can issue data retention orders (warrants) to ECS providers under certain conditions. The legal basis for issuing RRWs will have to be national law as no EU legal basis currently exists. It is suggested by the Presidency that ECS providers could appeal the warrant, which would give private companies the job of safeguarding citizens’ fundamental rights. Even though the data retention requirements for RRWs could differ among ECS providers, the Presidency notes that the RRW would be rendered ineffective for law enforcement purposes if not all providers are covered. This will make the RRW approach identical to blanket data retention for all practical purposes and, therefore, a clear circumvention of CJEU rulings.

The patchwork of Council documents (only some of which are available) from DAPIX FoP on data retention shows that some Member States governments are exploring every possible option to uphold their current data retention requirements, despite two very clear CJEU rulings in 2014 and 2016 that blanket data retention is illegal under EU law. These efforts often take place behind closed doors in Council working groups, and the discussions only receive input from Member States’ governments and EU institutions in the law enforcement area, such as Europol and the EU Counter-Terrorism Coordinator. The European public, civil society organisations and data protection authorities are excluded from most of the critical discussions around data retention. In the past, this approach has repeatedly produced legislation such as the Data Retention Directive which was later overturned by the CJEU.

After working document WK 11127/2017 was published in full, European Digital Rights and EDRi members Access Now, Privacy International and IT-Pol Denmark, sent an open letter to EU Member States on the ePrivacy reform. The letter calls upon EU Member States to ensure privacy and reject data retention.

ePrivacy: Civil society letter calls to ensure privacy and reject data retention (24.04.2018)

https://edri.org/eprivacy-civil-society-letter-calls-to-ensure-privacy-and-reject-data-retention/

Freedom of Information request by CEO for WP TELE ePrivacy documents (17.04.2018)

https://www.asktheeu.org/en/request/updated_discussions_in_telecommu#incoming-16851

“Renewable retention warrants”: a new concept in the data retention debate, Statewatch (25.04.2018)

http://www.statewatch.org/news/2018/apr/eu-data-retention-renewable.htm

EU Member States plan to ignore EU Court data retention rulings (29.11.2017)

https://edri.org/eu-member-states-plan-to-ignore-eu-court-data-retention-rulings/

(Contribution by Jesper Lund, EDRi member IT-Pol, Denmark)