Phone companies in Europe retain vast amounts of data on the “who,” “what,” “when,” and “where” of our communications. At once, someone with access to this information can know an individual’s location, age, gender, racial profile, sexual orientation, financial situation, health condition, and belief system.
This amount of data is illegal for the state to demand and for companies to keep, according to a report by Privacy International (PI). The report suggests that 21 EU member states unlawfully retain citizens’ personal data, violating the e-privacy directive and the EU Charter of Fundamental Rights.
These states are Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, France, Germany, Hungary, Ireland, Italy, Luxembourg, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the United Kingdom. The remaining seven member states were not reviewed, which could mean that no EU member state’s data retention regime respects individual privacy.
The vast amount of individual data retained by companies has increased with the use of smartphones, which allow for multilayered connectivity that ranges from online shopping and banking to daily planners and personal health.
Across Europe, telecommunications companies are legally obliged to retain vast amounts of personal data for later access by the government, for a variety of reasons. However, although this data is massively valuable both for the state and for criminals, most governments fail to place sufficient safeguards against possible abuse of individual privacy and security.
According to the head of international policy and advocacy of Privacy International, Tomaso Falchetta, “it is clear that current data retention regimes in Europe violate the right to privacy and other fundamental human rights.”
The standard of privacy and security European citizens are entitled to is set by two Court of Justice of the European Union (CJEU) decisions dating back to 2016 and 2014. In the Digital Rights Ireland case (2014) and the Tele-2/Watson decision (2016), the CJEU ruled that data retention regimes must adhere to the principles of legality, necessity, and proportionality.
“The European Court has made clear that general, indiscriminate retention of communications data is disproportionate and cannot be justified, not even on the grounds of fighting crime,” Falchetta said.
None of the 21 EU member state data retention regimes reviewed by PI upholds these principles. According to PI, this means that EU member states must review and amend their data retention legislation. Moreover, telecommunications companies must challenge existing legislation that is not compliant with European standards.
“Blanket and indiscriminate retention of our digital histories—who we interact with, when and how and where—can be a very intrusive form of surveillance that needs strict safeguards against abuse and mission creep. Our communications data is no less sensitive than the content of our communications,” Falchetta notes.