Wednesday, April 09, 2014

A victory for privacy in the EU

Since 2006, EU member states have been required to store their citizens' telecommunications and internet metadata - the source and destination of every email, phone call and text message sent or received - for up to two years under the Data Retention Directive. The directive, an explicit version of the NSA/GCHQ spying programs, exists to give police and security agencies access to that data to fight crime and terrorism. And now, the European Court of Justice has overturned it:

The EU's top court has declared "invalid" an EU law requiring telecoms firms to store citizens' communications data for up to two years.

The EU Data Retention Directive was adopted in 2006. The European Court of Justice says it violates two basic rights - respect for private life and protection of personal data.


The ECJ ruling says the 2006 directive allows storage of data on a person's identity, the time of that person's communication, the place from which the communication took place and the frequency of that person's communications.

"By requiring the retention of those data and by allowing the competent national authorities to access those data, the directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data," the court in Luxembourg ruled.

The full ruling is here. The core problem is one of proportionality - while law enforcement access to this data is justified in some cases, capturing and storing everyone's metadata is utterly disproportionate. The court also raised questions about access safeguards and the period of storage. But key to the case was a greater appreciation for the privacy impacts of metadata analysis and how much can be learned from it. And we have Edward Snowden to thank for that.