After numerous lawsuits in various European countries, the decision has finally been made: in a break-through ruling, the European Court of Justice has decided this week that a general requirement to retain telecommunications data (data retention) is unlawful because it is in violation of the right to privacy. This ruling has far-reaching consequences for surveillance legislation in all EU member States, including the Netherlands.
Previous data retention in the Netherlands
Under the 2009 Dutch Data Retention Act, the telecommunications data (telephony and internet traffic) of everyone in the Netherlands used to be retained for 12 months and 6 months, respectively, for criminal investigation purposes. This legislation stemmed from the 2006 European Data Retention Directive. However, in April 2014 the European Court of Justice declared this European Directive invalid because it violates the right to privacy. Subsequently, former Dutch minister of Security and Justice Ivo Opstelten refused to withdraw the Dutch Data Retention Act, after which a broad coalition of Dutch organizations and companies demanded in interim injunction proceedings that the Act would be rendered inoperative. The claimant organizations were the Privacy First Foundation, the Dutch Association of Defence Counsel (NVSA), the Dutch Association of Journalists (NVJ), the Netherlands Committee of Jurists for Human Rights (NJCM), Internet provider BIT and telecommunications providers VOYS and SpeakUp. Boekx Attorneys in Amsterdam took care of the proceedings, and successfully so: rather uniquely (laws are seldomly rendered inoperative by a judge, let alone in interim injunction proceedings), on 11 March, 2015, the Dutch district court in The Hague repealed the entire Act at once. The Dutch government decided not to appeal the ruling, which has been final since then. Consequently, all telecom operators concerned have deleted the relevant data. In relation to criminal investigations and prosecutions, so far this does not seem to have led to any problems.
European Court makes short shrift of mass storage once and for all
Unfortunately, the April 2014 decision of the European Court left some margin for interpretation under which broad, general retention of everyone’s telecommunications data could still be allowed, for example through close judicial supervision before access and use of those data. In a Swedish and a British case about data retention, the European Court has now ensured full clarity in favour of the right to privacy of every innocent person on European territory:
"The Charter of Fundamental Rights of the European Union must be interpreted as precluding national legislation which, for the purpose of fighting crime, provides for general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication’’, the Court judges.
In other words: mass storage of everyone’s data for criminal investigation purposes is unlawful. After all, according to the Court this ‘‘exceeds the limits of what is strictly necessary and cannot be considered to be justified within a democratic society’’.
In conventional language, the Court basically says that such legislation doesn’t belong in a free democracy under the rule of law, but in a totalitatrian dictatorship instead. And this is exactly the raison d'être of the Charter of Fundamental Rights of the European Union (which was inspired by universal human rights), on which the verdict of the Court is based.
Consequences for the Netherlands
Recently the current Dutch minister of Security and Justice, Ard van der Steur, has again presented to the Dutch House of Representatives a legislative proposal to reintroduce a broad, general telecommunications retention Act. Moreover, a similar legislative proposal pending in the Dutch Senate concerns the recognition and retention of number plate codes of all cars in the Netherlands (i.e. everyone’s travel movements and location data). Following the EU Court ruling, both legislative proposals are unlawful in advance on account of violation of the right to privacy. The same goes for planned mass storage of data that flow in and out of the Netherlands through large internet cables under the new Dutch Intelligence and Security Services Act (and the international exchange thereof), the possible future reintroduction of central databases with everyone’s fingerprints, national DNA databases, national records which include everyone’s financial transactions, etc. etc.
Following the EU Court ruling, the Dutch government can draw one conclusion only: both the legislative proposal that regards the new telecommunications retention Act as well as the legislative proposal that relates to the registration on a massive scale of number plate codes, are to be withdrawn this instant. Otherwise Privacy First will again enforce this in court and will do likewise with every other legislative proposal that threathens to violate the right to privacy of innocent citizens on a large scale.
Privacy First wishes you happy holidays and a privacy-friendly 2017!