ATTILA KISBENEDEK/AFP/Getty Images
The European Parliament’s Legal Services department has issued a report on the status of data retention in Europe, which reveals mixed results within the E.U. The report examines in particular what has been happening with practices and policies since the invalidation of the Data Retention Directive in April 2014 by the Court of Justice of the European Union.
Before that date, E.U. member states were required to have data retention programs according to which telecommunications and internet service providers had to maintain records of their customers’ communications via mobiles, landline phones, fax, and email. Under the law, information including phone call records and other communication data were stored indiscriminately in archives for six months and up to two years. But the CJEU’s ruling last year determined that the Directive — established in 2006 — violated privacy and personal data protection ethics.
The recent investigation conducted by the Legal Services department looked at the status of data retention across Europe in the wake of the CJEU’s decision, particularly in regards to data retention programs such as the Passenger Name Records agreements (PNR) and the Terrorist Finance Tracking Programme (TFTP). The former allows for the transfer of airline passenger flight data between states; the TFTP is an agreement between Europe and the U.S. that allows for access to the SWIFT database of financial information located in Belgium. Access, which published the report, noted that such programs are now under even greater scrutiny as they are only valid thanks to the presumption of legality, which could endanger them: “That said, the ‘presumption’ of legality of EU acts can also be rebutted and so it cannot be excluded, at this stage, that any other EU act could suffer the same fate as the data retention Directive.” Indeed, both of these programs have been called out by civil rights groups as violating the same principles that the Directive did.
While some countries scrapped their data retention programs after the Directive was declared invalid, others have only reinforced theirs. GigaOm notes that Austria, Slovenia, and Romania are three countries that eliminated their programs even as the U.K.’s broadened. The report points out that many data retention programs may be called into court as a result of the CJEU’s decision. This year will be one to watch for the impact on existing systems of data collection in Europe.
