Data retention: Opinion sees violation of EU law

A new expert opinion classifies data retention as partially illegal. To the SWR the paper is available in advance. Accordingly, there must be no surveillance without a concrete threat.

The data retention desired by security authorities and most European countries partially violates EU law. This is the conclusion reached by the longstanding judge at the European Court of Justice (ECJ), Prof. Vilenas Vadapalas. He has just prepared a legal opinion that dem SWR available in advance.

Data retention means, among other things, the area-wide collection of telephone and Internet data, such as location data or IP addresses from users – including from citizens who have never committed a crime.

No surveillance without a concrete threat

According to the report now submitted, two central points of data retention violate EU law. From the point of view of the former ECJ judge Vadapalas, it is not enough for EU states to generally refer to a dangerous situation or threat of terrorism in order to order data retention. Rather, the states would have to provide concrete evidence of an acute danger, such as the threat of terrorist attacks. Only under this condition is data storage compatible with EU laws.

Another point of criticism: data storage is only allowed for a very limited period of time. Namely for the period for which there is a very “concrete threat” to national security. The permanent, continuous collection of data by security authorities therefore also violates EU law.

The European Court of Justice came to a similar conclusion and passed another judgment in which it rejected the nationwide data storage. Under certain conditions, however, exceptions can be allowed, for example if data retention is only carried out in certain “dangerous” locations.

Patrick Breyer has been fighting against data retention for years as a member of the European Parliament for the Pirate Party. From his point of view, the current report confirms his criticism of the data collection by the security authorities. “The EU Commission’s considerations of covering the vast majority of the EU population with comprehensive, geographically targeted data retention do not stand up to legal scrutiny. And a permanent state of emergency cannot be constructed to justify them.”

Data retention as an exception?

On request, the data protection organization Digitalcourage states that they also consider the “data retention without cause” to be incompatible with European laws. One sees the danger that some states will abuse exemptions in order to nevertheless enforce comprehensive data storage. For example, by first collecting personal data in places with a “crime focus” – in order to then gradually expand the system: “These exemptions are also due to the massive pressure that member states have been exerting on the ECJ for years,” says a spokesman for Digitalcourage . “As if with a crowbar, attempts are being made again and again to undermine the ban on mass surveillance without cause, piece by piece.”

But there are also advocates of mass surveillance. At the request of the SWR clearly in favor of data retention. Without the storage of data, even without concrete suspicion, one cannot achieve the required investigative success. “We urgently need a traceable storage of IP addresses,” said BdK spokesman Oliver Huth. Without this data, “the crime areas prioritized by politicians (child abuse, hate crime on the Internet) could not be combated in the long term”.

Every mouse click can be monitored

The Federal Ministry of the Interior shared SWR-Inquiry with the fact that “unreasonable data retention” is considered an “important instrument for effective criminal prosecution”. The Ministry of the Interior does not see a violation of EU law. From the Ministry’s point of view, the European Court of Justice gave the green light for “general and indiscriminate storage of IP addresses (regardless of a specific threat situation)”.

The focus of data retention is the IP address. Put simply, this is the technical address (a number with up to 12 digits) under which a computer is registered on the Internet. Saving this address and tracking it across the internet would in practice be a powerful tool to be able to fully monitor users. In principle, it would be possible to secretly document every mouse click, every Internet search or every website visited – and the information would still be available weeks or months later. It is also possible to monitor mail communication or to create movement profiles via IP data retention.

“IP data retention takes away the protection of anonymity on the Internet, even for innocent citizens,” criticizes MEP Breyer. “The security authorities have never shown that this type of data storage actually significantly increases the clear-up rate for crimes such as child pornography. I therefore strictly reject this mass surveillance.”

Germany’s data retention laws are in place, but “are currently not being enforced due to ongoing court proceedings,” according to the Interior Ministry. Another ruling from the European Court of Justice is expected in a few weeks, which will then deal with the legal situation in Germany in particular.