EU should stop data retention by members
BlueLink signed an open letter by digital rights' defenders to the EU's Commission, calling for action to protect fundamental rights enshrined in Articles 7, 8 and 11 of the Charter of Fundamental Rights of the European Union, as interpreted by the Grand Chamber of the European Court of Justice. We call for the application of sanctions for non-compliant Member States by referring to the Court of Justice, which should logically strike down all current data retention national frameworks.
Fulls text of the letter signed:
Subject: Application of the Tele2 Sverige jurisprudence throughout Europe
Dear Sir or Madam,
We are organisations that, in different ways, defend digital rights.
We are NGOs and litigation groups doing daily legal watch and supporting digital literacy and data sovereignty through workshops and other educational activities.
We are community networks, organizations that operate on local communication infrastructures managed as commons good, for the people by the people.
We are academics, analysing and teaching law in compliance with democratic values, the hierarchy of norms without which there is no rule of law.
We are citizens and representatives, voicing a common concern for the preservation of rights and freedoms, including privacy and personal data protection.
On several occasions in the past, we have already pointed out existing hurdles in our legal framework.
<http://www.vorratsdatenspeicherung.de/images/DRletter_Malmstroem.pdf> ; <https://www.laquadrature.net/en/call_suspension_privacy_shield> ; <https://netcommons.eu/?q=news/open-letter-eu-policy-makers-community-networks>
Together, we would like to address to the European Commission our concerns about the observance of data retention law by various Member States. In particular, we would like to draw your attention on the fact that certain EU Member States do not apply CJEU’s decisions about blanket data retention.
Indeed, Directive 2006/24 that allowed collect and retention of personal data significantly infringed privacy and data protection of people. Although it expressly excluded the content of telephonic or electronic communications and the communicated informations from it scopes, it obliged Member States to ensure the conservation of personally identifiable data and allowed investigatory authorities to trace back a person's communication patterns and online activities".
Four years ago, the CJEU judged that Directive 2006/24/EC was invalid (CJEU April, 8th 2014, Digital Rights Irland) and, more than a year ago, the Court reiterated the same points, straightly and without ambiguity, in a preliminary ruling requested by courts in Sweden and in the United Kingdom (CJEU, December 21st 2016, Tele2 Sverige). In this judgement, the Court stated that:
"Such legislation does not require there to be any relationship between the data which must be retained and a threat to public security. In particular, it is not restricted to retention in relation to (i) data pertaining to a particular time period and/or geographical area and/or a group of persons likely to be involved, in one way or another, in a serious crime, or (ii) persons who could, for other reasons, contribute, through their data being retained, to fighting crime (...). National legislation such as that at issue in the main proceedings therefore exceeds the limits of what is strictly necessary and cannot be considered to be justified, within a democratic society".
European law prevails over national laws. Therefore, the Court's aforementioned judgements must apply to all similar legislations across the European Union. Yet, we have found that at least 21 EU Member States[^retentionpi] still implement national measures setting out general and non-targeted bulk data retention, thus straightly infringing the CJEU's interpretation of data retention law and interfering indiscriminately in each individual's rights to the respect for private and family life, the protection of personal data, and freedom of expression. These countries are: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, France, Germany, Hungary, Ireland, Italy, Luxembourg, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the United Kingdom. On the issue of data retention, these countries' legal framework do not comply with the case law of the Court of Justice.
Today, organisations, academics, and members of the European Parliament in EU State members are filing complaints to the European Commission, to demand action, and to stand for the protection of fundamental rights enshrined in Articles 7, 8 and 11 of the Charter of Fundamental Rights of the European Union, as interpreted by the Grand Chamber of the European Court of Justice. We call for the application of sanctions for non-compliant Member States by referring to the Court of Justice, which should logically strike down all current data retention national frameworks.
Thank you in advance for acting and upholding the rights of EU citizens and residents.