Adviser to EU’s top court suggests German bulk data retention law isn’t legal

The battle between the appetites of European Union Member States’ governments to retain their citizens’ data — for fuzzy, catch-all “security” purposes — and the region’s top court, the CJEU, which continues to defend fundamental rights by reiterating that indiscriminate mass surveillance is incompatible with general principles of EU law (such as proportionality and respect for privacy) — has led to another pointed legal critique of national law on bulk data retention.

This time it’s a German data retention law that’s earned the slap-down — via a CJEU referral which joins a couple of cases, involving ISPs SpaceNet and Telekom Deutschland, which are challenging the obligation to store their customers’ telecommunications traffic data.

The court’s judgement is still pending, but an influential opinion put out today by an adviser to the CJEU takes the view that general and indiscriminate retention of traffic and location data can only be permitted exceptionally — in relation to a threat to national security — and nor can data be retained permanently.

In a press release announcing the opinion of advocate general Manuel Campos Sánchez-Bordona, the court writes that the AG “considers that the answers to all the questions referred are already in the Court’s case-law or can be inferred from them without difficulty”; going on to set out his view that the German law’s “general and indiscriminate storage obligation” — which covers “a very wide range of traffic and location data” — cannot be reconciled with EU law by a time limit imposed on storage as data is being sucked up in bulk, not in a targeted fashion (i.e. for a specific national security purpose).

The AG notes that indiscriminate bulk collection generates a “serious risk” — such as the people’s data might leak or be improperly accessed. And reiterates that it also entails a “serious interference” with citizens’ fundamental rights to private and family life and the protection of personal data.

While the opinion is not legally binding, CJEU rulings tend to align with its advisers. But it will be months more before a final ruling on this particular challenge is issued.

The CJEU ruled on a similar case over a year ago — involving legal challenges brought by a couple of digital rights groups to national bulk data collection and retention regimes operating under U.K. and French law — when the court ruled that only limited data collection and temporary retention was permissible.

(Although France has since been seeking to circumvent the judgement, per Politico — which reported back in March that the government had asked its highest administrative court not to follow the ruling.)

In a landmark ruling back in 2014 the CJEU struck down a 2006 EU directive that had been intended to harmonize data retention rules across the bloc — finding the regime had constituted a disproportionate interference with citizens’ rights. So you’d think Member States would have got the message by now.

However it seems unlikely this legal clash will be put to bed any time soon — not least because there are fresh moves afoot by national governments to revive a pan-EU data retention law, per a leaked discussion paper that Netzpolitik obtained and reported on this summer.