When Europe's highest court struck down the EU's Data Retention Directive, it didn't invalidate EU countries' national metadata snooping laws -- but it did set a handy precedent.
On Wednesday, a court in the Hague suspended the Dutch data retention law, which forced telcos in the Netherlands to retain their customers' communications metadata for perusal by the authorities, because it infringes on people's rights to privacy and data protection.
This followed a challenge to the law by civil rights groups such as Privacy First, the Dutch journalists' and lawyers' associations, and telcos such as BIT and Voys Telecom.
The coalition of complainants used as its back-up the April 2014 ruling by the Court of Justice of the European Union that struck down the EU Data Retention Directive – a law that forced countries across the union to implement data retention laws in the wake of the London and Madrid bombings.
Such laws don't oblige ISPs and telecoms providers to store the contents of people's communications, but they do force them to store data about who called whom and when, for how long, from which connection, and so on. In the case of the Dutch Wet bewaarplicht telecommunicatiegegevens (WBT), the law mandated that telephony metadata be held for 12 months, and internet communications data for six months.
Although the ECJ ruling didn't automatically invalidate EU member states' individual data retention laws, the European Parliament's legal advisors said back in January that the arguments stated against the Data Retention Directive would often apply to national laws as well, as long as they are still based in EU law.
That was very much the case here. The Dutch court noted that the country's data retention law fell under the EU's 2002 ePrivacy Directive and the Charter of Fundamental Rights of the European Union. That means the law had to conform with Article 7 and 8 of the Charter, covering privacy and data protection respectively.
Privacy First argued that the mere retention of people's personal telecommunications data was an infringement with those rights. The court disagreed, saying the retention could be legal if it was justified and proportionate – much as the European court argued.
However, again echoing the ECJ judgement, the court noted that there were insufficient safeguards in the Dutch data retention law. For one thing, it didn't require that the retained data must be kept in the EU – an "essential component" for protecting data protection rights, as the ECJ said. There was also nothing to stop the authorities retrieving the data for non-serious crimes, despite the fact that the WBT is only supposed to be about serious crimes carrying a sentence of at least four years.
On top of all that, there was no serious oversight for the retrieval of the data – it could be pulled without a court order or checking by an independent authority. The court said it was aware that suspending the Dutch data retention law would hinder some investigations and prosecutions, but it had to be suspended nonetheless for violating people's rights.
Voys hailed the decision as a victory for privacy. It quoted lawyer Otto Volgenant, who worked on the case, as saying the verdict was unsurprising given that the Dutch law was contrary to European law.
Dutch journalists also expressed delight at the prospect of no longer being so easily spied upon by the authorities there:
This case ran very much along the lines predicted by the European Parliament's advisers, with the ECJ ruling acting as a template for national challenges. It will be very interesting to see how this plays out in other European countries that are desperately clinging onto their data retention laws, such as Sweden and the UK.
The Swedish ISP Bahnhof rather entertainingly started offering its customers a free VPN service in order to bypass that country's data retention law – the authorities can demand that the metadata be kept, but it won't be very useful to them.
The UK has some of Europe's strictest surveillance laws, and the authorities there have a rich history of exploiting them to snoop on lawyers, journalists and others. Following the ECJ ruling, the authorities there actually stepped up their data retention drive by fast-tracking a new "emergency" law called the Data Retention and Investigatory Powers (DRIP) Act, which actually expanded rather than restricted such powers.
The DRIP Act is up for judicial review, following a challenge by members of Parliament Tom Watson and David Davis, along with Privacy International, Liberty and the Open Rights Group. Given that the British challenge is also citing Articles 7 and 8 of the Charter, we may well see yet another replay of the ECJ decision, in line with today's. Looks like the European Parliament's advisors were right.
Featured image credit: xtock / Shutterstock