Challenging data retention

First published by Linux User & Developer.

I love my mobile and I love what it can do for me. It connects me to instant messenger and IRC, let’s me surf the web and blog from anywhere a phone signal, acts as my diary and alarm clock, and tells the government who I hang out with and where… Hang on a moment, I don’t remember thinking when I bought my mobile “Hey, I really need a phone that’s going to tell the authorities where I am, who I’m calling and how long we talk for”.

But when the Data Retention Directive was frogmarched through the European Parliament in December 2005, my neat little mobile phone became a neat little tracking device, telling the authorities everything about my phone calls, except what I actually say.

And it’s not just phones. ISPs will have to do the same for all the traffic that travels over their network, and  this huge pile of ‘traffic data’ will have to be stored by the ISPs and phone companies, and made available to the police and authorities whenever they ask.

This is mass surveillance on a scale never seen before. Last year, European Digital Rights (EDRi, and other digital rights activists from across Europe, including the Open Rights Group, lobbied hard against this directive. That lobbying included a huge petition of 58,000 signatures handed to the Chairman of LIBE, the Committee on Civil Liberties, Justice and Home Affairs, which was tasked with overseeing the progress of the legislation through the Parliament. The directive passed in record time.

Now, however, a group of activists in Dublin are challenging data retention. Digital Rights Ireland (DRI) has started a High Court action against the Irish government on the grounds that Directive is a breach of fundamental rights. According to TJ McIntyre, DRI Chairman and a lawyer himself, it is “contrary to the Irish Constitution as well as Irish and European Data Protection laws.”

He continues, “We also challenge the claim that the European Commission and Parliament had the power to enact the Data Retention Directive. We say that this kind of mass surveillance is a breach of Human Rights, as recognised in the European Convention on Human Rights and the EU Charter on Fundamental Rights which all EU member states have endorsed.”

McGarr Solicitors, acting on behalf of DRI, wrote to the Irish Minister for Justice, the Minister for Communications, Marine and Natural Resources, and to the Garda Commissioner giving them seven days to stop collecting, storing and accessing personal private telephone traffic data. When the Government and the Garda failed to do so, DRI filed their papers with the High Court, asking them to refer the Directive to the European Court of Justice in Luxembourg for a decision on whether it is valid.

This action is not just about local, Irish laws, but could also make data retention illegal across the EU, protecting the fundamental right to privacy for 450 million Europeans.

“If we are successful,” says McIntyre, “the effect will be to undermine Data Retention laws in all EU states, not just Ireland, and to overturn the Data Retention Directive. A ruling from the European Court of Justice that Data Retention is contrary to Human Rights will be binding on all member states, their courts and the EU institutions.”

Ireland is a good place to take such an action. They have a Constitution which guarantees fundamental rights, and recently incorporated the European Convention on Human Rights into Irish Law. But most importantly they have a strong tradition of judicial review of legislation which allows them to challenge laws after they have been passed.

In Germany, meanwhile, there are also doubts about the legality of data retention. The Scientific Services of the German Bundestag (the lower chamber of Germany’s federal parliament), have said that the directive may not be compatible with the German constitution. They have also questioned the legality of the directive itself, which wove a controversial path through the European Parliament. However, there is no sign yet of a legal challenge from Germany.

The significance of DRI’s actions may spread even further than Europe. In the US, Attorney General Alberto Gonzales has been recommending a move from a preservation (or ‘quick freeze’) regime to full retention for ISP traffic data. Under a quick freeze regime, the authorities identify a suspect and request that all data held on that suspect is preserved whilst investigations proceed. The UK and Europe have always used quick freeze for both telecommunications and internet data, and it has proven effective. Indeed, in June 2005 the Dutch Erasmus University examined 65 police investigations and concluded that “in virtually all cases” the police needed no more than 3 months worth of data, indicating that for law enforcement purposes, data retention is unnecessary.

Moreover, according to sources, in 2002 a secret questionnaire was circulated to all EU member governments. In it, the Irish government was asked if they had ever received a report from their law enforcement agencies that lack of data retention had obstructed their work.

Their considered response: “No”.

Yet despite a lack of evidence in favour of retention, the lure of huge repositories of data that can be mined – however ineffectively – is just too strong for governments to resist.