In breaking news with major implications for the VPN industry, the European Court of Justice (ECJ), the highest court in the EU, this morning declared the EU-wide Data Retention Directive invalid on the grounds that,
‘By requiring the retention of those data and by allowing the competent national authorities to access those data, the directive interferes in a particularly serious manner with the fundamental rights to respect for private life the protection of personal data. Furthermore, the fact that data are retained and subsequently used without the subscriber or registered user being informed is likely to generate in the persons concerned a feeling that their private lives are the subject of constant surveillance.’
Yay! It is not often that we hear good news when it comes to government surveillance, but this ruling is great. The DRD was a sinister and draconian EU-wide piece of legislation pushed through by powerful US and UK government interests in the wake of 9/11 and the 7/7 London bombings, and outside of extremely restrictive countries controlled by militaristic regimes (such as China and Iran), it was by the most intrusion by governments into the personal lives of citizens to date.
It required that all ISPs and communications providers to keep data for at least 12 months, including enough information to:
- trace and identify the source of a communication
- trace and identify the destination of a communication
- identify the date, time and duration of a communication
- identify the type of communication
- identify the communication device
- identify the location of mobile communication equipment
In practice this has meant that logs are kept of all telephone calls, SMS messages and emails made and received, and all websites visited, and all that EU citizens are subject to this massive invasion of privacy regardless of whether or not they are suspected of any crime.
The details of who can access this information varies by country (for example in the UK a large number of organisations have been granted access with very little judicial oversight), but in general it must be available to ‘competent’ national authorities in specific cases, ‘for the purpose of the investigation, detection and prosecution of serious crime, as defined by each Member State in its national law’.
Some countries, such as Belgium, Germany and the Czech Republic put up a spirited resistance to the Directive and have never got around, despite intense pressure from the EU, to implementing it.
Whether VPN providers were bound by the DRD was something of a grey area not fully covered by the original wording of the legislation, so it fell to individual governments to decide whether to explicitly include them when they transposed the Directive into national legislation. Most countries did, although some (notably Sweden, the Netherlands, and Romania) excluded VPN providers from implementation of the Directive. VPN providers throughout Europe may now be in a much stronger position to offer truly ‘no logs’ services.
Today’s ruling followed a 2006 challenge to the directive by the Digital Rights Ireland organisation, and, if allowed to stand, represents a landmark judgement which will protect EU citizens from intrusive government spying,
‘The Court finds that the directive does not provide for sufficient safeguards to ensure effective protection of the data against the risk of abuse and against any unlawful access and use of the data.
Those data, taken as a whole, may provide very precise information on the private lives of the persons whose data are retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, activities carried out, social relationships and the social environments frequented.
The Court takes the view that, by requiring the retention of those data and by allowing the competent national authorities to access those data, the directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data.
Furthermore, the fact that data are retained and subsequently used without the subscriber or registered user being informed is likely to generate in the persons concerned a feeling that their private lives are the subject of constant surveillance.
The Court is of the opinion that, by adopting the Data Retention Directive, the EU legislature has exceeded the limits imposed by compliance with the principle of proportionality.’
TJ McIntyre, chairman of Digital Rights Ireland, welcomed the decision,
‘This is the first assessment of mass surveillance by a supreme court since the Snowden revelations. The ECJ’s judgement finds that untargeted monitoring of the entire population is unacceptable in a democratic society.’
Although the EJC is the highest court in the EU, we very much doubt this is the last we will hear of the Data Retention Directive, so will be following events with great interest.