NOTE: On Sept. 14 – 17, activists with the Freedom not Fear movement will stage an international week of action to oppose various forms of surveillance. EFF is spending this week examining surveillance trends and spotlighting movements that have sprung up in opposition.

During the first-ever Freedom not Fear event in 2008, anti-surveillance activists in Berlin staged an action that AK Vorrat, The German Working Group on Data Retention, later described as “the greatest protest march against surveillance in Germany's history.” Peaceful protesters joined a two-kilometer long march supported by more than 100 civil liberties groups and other organizations, carrying signs with messages like, "You are Germany, you are a suspect,” and chanting, "We are here and we are loud because they are stealing our data!"

Protesters were taking to the streets to sound the alarm on a disturbing new trend. Instead of law enforcement policies targeting only individuals suspected of illegal behavior, the European Union adopted a Directive that compels EU countries to adopt laws treating all European citizens as suspect, by requiring mass and untargeted collection and storage of everyone’s communications data for possible use by law enforcement agencies. This data does not include records of what was said in mobile or online exchanges, but reveals equally sensitive information about who communicated with whom via text, phone call, or email. The policy is known as mandatory data retention, and as plans to repeal the Directive move forward, resistance against it will be just as palpable during Freedom Not Fear 2012.

Data retention an anti-democratic threat to privacy

The unsettling shift toward mass collection of communications data got its footing when the highly controversial EU Data Retention Directive won approval in 2006, with the backing of powerful United Kingdom government interests. The directive requires telecoms and Internet service providers (ISPs) to log traffic data for every phone call, text message, and email sent by users – and make it available to government authorities. While it has been implemented into national laws in many EU member states, courts have ruled against its unconstitutionality in many countries and legal fights continue at the European level.

In the UK, in 2008 alone, the UK’s Interception of Communications Commissioner reported that the total number of government requests seeking this communications data came to a whopping 504,073 – the equivalent of a request every minute. As we reported earlier this year, Polish authorities have requested users’ traffic data retained by telcos and ISPs over 1.85 million times—half a million times more than in 2010.

The consequences of this policy are far-reaching, but one particularly troubling outcome is the erosion of journalists’ right to refuse to hand over evidence to law enforcement to protect the confidentiality of their sources. In Poland, the media has already reported two major cases where intelligence agencies used retained traffic and subscriber data to illegally disclose journalistic sources. Such occurrences have severe implications for democracy: The protection of journalistic sources is one of the basic conditions for press freedom.

In another troubling example, Deutsche Telekom illegally used telecom traffic and location data to spy on about 60 individuals – including critical journalists, managers and union leaders – in order to try to find leaks.

And in a particularly egregious case from Ireland, a female law enforcement officer reportedly used retained communications data to spy on her ex-boyfriend’s phone activities.

“Europe is faced with a demonstrably failed, disproportionate and almost certainly illegal Data Retention Directive that, as always with such legislation, was far easier for politicians to adopt than to repeal,” says Joe McNamee, executive director of European Digital Rights (EDRi).  

Across Europe, meanwhile, the implementation of the Data Retention Directive coincides with some other unsettling developments. Governmental databases are being increasingly merged, as exemplified by a European Commission-funded project known as “INDECT,” a system for “monitoring of various people clusters and detection of abnormal behaviour and situations of danger.” Costs for this program are estimated at more than 14 million Euro, and the surveillance initiative was highlighted as an “Orwellian” security measure by Open Europe, a think tank. 

Data retention encounters obstacles

Since it was adopted six years ago, a host of countries have transposed the Directive into national legislation. But in Germany, where AK Vorrat mounted public pressure against it and initiated a lawsuit on behalf of 34,000 citizens, a German constitutional court rejected a national data retention law as being out of sync with fundamental civil liberties guaranteed by the national constitution. In Bulgaria and Romania, meanwhile, similar court decisions found data retention laws to be unconstitutional. In the case of Romania, government lobbyists found a way to  repackage the law despite the court decision, and it was adopted by the Romanian Parliament this past May without any relevant discussion about the grave threats it poses to individuals’ privacy. Given the shaky legal standing, there’s still potential for it to be challenged.

Digital Rights Ireland, meanwhile, mounted a successful legal challenge against Ireland’s national data retention law. In May of 2010, the High Court of Ireland issued a decision clearing the way for the challenge to proceed to the European Court of Justice (ECJ), a body tasked with interpreting EU law to make sure it is applied equally in all EU countries. This case is significant, since the ECJ will consider the legal basis of the entire directive.

At the same time, it now seems the European Commission will not move anytime soon to address outstanding legal questions associated with the existing directive, despite earlier signals that it would initiate an effort to revisit the policy. An evaluation report on the implementation of the directive in EU member states, issued in March of 2011, acknowledged a host of problems and inconsistencies, leaving open questions about whether there are core safeguards in place against abuse of individuals’ data.

The European Commission has failed to demonstrate that the Directive is necessary and proportionate in a democratic society, and therefore, in compliance with the Charter of Fundamental Rights and the European Convention on Human Rights. These requirements are important to ensure that Member States do not adopt severe legislative measures to address a problem that could otherwise be solved in a way that is less harmful to civil liberties. While the European Commission is responsible for evaluating its compliance with EU law based on evidence, it has continued to blindly support the Directive.

The evaluation report prompted Commissioner Cecilia Malmström to call for an “impact assessment” detailing the various policy options, and in September of 2011, European Digital Rights and 37 other NGOs submitted a letter to the European Commission in response to this assessment. In response, Malmström noted that certain aspects of the directive, such as the maximum timeframe for storing communications data, ought to be reevaluated.

Up until recently, it seemed the commission would move forward with a formal process to sort out those questions, but now there are indications that Malmström won't work on the revision of the Data Retention Directive after all.

At the same time, EDRi has pointed out that a key legislative flaw must be addressed before the Data Retention Directive is revised or repealed. Article 15 of the “E-Privacy Directive” leaves the door open to allow member states to pass their own, potentially worse, data retention legislation:

Whatever solution is found also needs to deal realistically with the fact that the “e-privacy Directive” (Article 15) recognizes a right for Member States to introduce data retention with very vague, unclear safeguards. The uncertainty and confusion created by that provision (also a UK initiative) was illustrated in the recent Bonnier Audio case in the European Court of Justice (Case C-461/10). Even a full repeal of the Data Retention Directive would not stop Member States from exploiting that loophole to impose retention measures and maintaining their confused, disproportionate and counterproductive domestic legislation. The repeal of Article 15 of the E-Privacy Directive is therefore the only logical policy.

Given the shaky legal ground that the Directive rests on, there’s ample opportunity for privacy campaigners across Europe to mount a fresh challenge. At Freedom Not Fear, data retention will be a central topic of discussion. Meanwhile, EFF will continue working to repeal the Data Retention Directive and Article 15 of the E-Privacy Directive  -- because in a world where everyone is treated as a suspect, civil liberties stand to be lost.