If one wants to compare the dispute over data retention with a film, then the following characterization comes to mind: Political thriller with excess length, at the beginning with a clear division of roles for good and bad, but then increasingly morally complex. Towards the end, it’s easy to lose track and miss the moment when it gets exciting.
It could be that this moment has just come: This Monday and Tuesday, the European Court of Justice (ECJ) is dealing with the tiresome storage requirement for telephone and Internet connection data in an oral hearing. One case comes from Ireland, another from France, and two of the cases come from Germany. The Internet provider SpaceNet and Telekom had sued. And on Monday it became apparent that the fronts had hardened. One participant reported that the member states demanded on Monday that the ECJ corrected its liberal case law on data protection and paved the way for a return to comprehensive storage requirements.
This is remarkable insofar as the ECJ has already relaxed its initially much stricter line. The beginning was first in 2014 and then in 2016, when the ECJ overturned the EU data retention directive and stipulated that any form of “general and indiscriminate” data retention was incompatible with EU fundamental rights. It was a brilliant move by a court that had chosen data protection as one of its prime issues; the EU Charter of Fundamental Rights was still young and the ECJ wanted to demonstrate that it is a serious guardian of fundamental rights. It even went beyond the Federal Constitutional Court’s data retention ruling. In 2010, Karlsruhe had considered a six-month storage obligation to be permissible in principle – provided that it was provided with strict legal safeguards when accessing the data.
The ECJ, on the other hand, sounded like zero tolerance for data protection. The now much more moderate storage requirement in Germany had to be suspended as a result, and this is still the case today. The German providers had storage obligations of ten (for connection data) and four weeks (for location data), which is far less than the previous six-month period. But the short storage obligation also applied indiscriminately to everyone – without any reason. And that was forbidden by the ECJ.
But in recent years it has become clear that this strict line will be difficult to maintain. Two years ago the ECJ had negotiated several cases, and even then a united front of member states had formed, calling for more leeway in saving. The EU Commission also began to campaign for the preservation of data retention. In October last year, the ECJ announced its ruling. He listed when a storage obligation could be justified. For example, in a specific terrorist situation, to pursue so-called threats or to monitor hotspots with high levels of crime. But always strictly limited to what is absolutely necessary.
Basically, however, the no to the unjustified storage obligation remained. With one small exception: the ECJ indicated more leeway for IP addresses that were necessary to investigate the criminal business with child pornography. That was obviously a concession to the needs of the investigators.
A verdict is likely to be expected in the spring
Will the ECJ continue to accommodate its critics? A case from Ireland was also negotiated on Monday, which is likely to further emotionalize the criticism of the ECJ. It is about a horrific sex murder in 2012 against a teacher in Dublin. The suspect denied the fact that data from a cell phone played an important role in his conviction – obtained from data retention that the ECJ later declared to be unlawful. Data protection versus murder investigation, there is little to gain as a court.
A ruling by the ECJ is likely to be expected in the spring. Further clarifications are to be expected. But he will hardly be able to move away from his basic line, according to which there must be no “unprompted” storage, without losing face.
In any case, the Council of the EU already discussed a way out of the dilemma in a working paper from June. A new, uniform EU approach is then conceivable; It would also be possible, however, to leave the storage obligation to the states. “Quick freeze” is also being considered, an event-related rapid freezing of connection data. But foregoing storage does not seem to be an option anywhere in Europe at the moment.