Posted on Apr 17, 2017 by Rick Falkvinge

What Australia can learn from Europe’s failure with Data Retention

Last week, Australia’s law mandating telecommunications data retention went into effect. It is clear that Australia learned absolutely nothing from Europe’s abysmal 10-year failure with this exact law before it was finally struck down by courts as utterly incompatible with human rights at the core of its idea. Here’s how Australia can fail a little faster on this horrendous concept by realizing it’s not just inexcusable, it doesn’t even work.




In the wake of the 2004 Madrid bombings, a handful of hawks saw their opportunity to pass unprecedented mass surveillance legislation, where people could be retroactively wiretapped – something that was only possible if everybody was continuously wiretapped, all the time, so it could be retroactively reviewed. Now, actual wiretapping would not have flown, so they went with the politically-new word “metadata”, which didn’t sound nearly as bad but was conceivably much worse because it was machine-sortable: Everybody’s communications metadata would be stored for a long time with the sole objective of using it against them.

It was just four people – as little as four people out of five hundred million – who were ultimately driving this disaster into being in Europe, much through deception and Potemkin façades. In Sweden, the concept was driven pretty much only by the then-minister-of-Justice Thomas Bodström, and skilled activists at the time traced how he couldn’t get the Swedish Parliament to approve anything like it (for good reason), so he went for the infamous legislative “Brussels Boomerang” instead: make it a federal law at the EU level, and tie the hands of the Swedish Parliament to do it regardless of their opinion. There were three other like-minded people from other states, and that was all it took for the proposal to gain momentum at the Brussels level.

On December 14, 2005, the European Parliament approved a mandate for all states to implement “telecommunications data retention”, or as it would be more accurately described, “preemptive ongoing wiretapping of everybody in case we decide we want it later”. The purpose is to combat “terrorism and other crimes”. That little “and other crimes” turned out to include basically everything, up to and including jaywalking – and in practice, it would be almost exclusively used to hunt ordinary people sharing music and movies outside of the monopolized copyright channels.

So all of a sudden, everybody’s activity was recorded – along with timestamps and their precise geographical position – whenever they did the most minute form of communication. It was a mass tracker.

The problem is that surveillance of innocents in case they should become suspects later is fundamentally incompatible with a democracy.

However, this one didn’t go over well in Europe, even with a decision from the federal European parliament. A full one-third of European states – nine out of 27 – refused to implement the preemptive surveillance of innocents, seeing it for what it was. In other states like Germany, it was implemented and immediately struck down by their constitutional court, for good reasons.

In pushing for acceptance, there was no shortage of Potemkin façades and misdirection from politicians. An example of the talking points used:

“Telecom companies have always recorded this”: No, they haven’t. In fact, they have been absolutely, positively banned from recording any of this, except – except for what was absolutely needed for billing purposes. Data retention switched bulk collection of everything from “absolutely forbidden” to “mandatory”, and that’s not the small change they wanted to pretend it was.

“It’s not government surveillance, it’s the telecoms recording your activity”: As if conscripting a corporation into a most unwilling agent of the government made it not the government’s action any more. This is a particularly disgusting way to deflect responsibility for your actions.

“It’s necessary to prevent terrorism”: Except it was absolutely useless for this, and used in practice only to punish ordinary file-sharing people.

On the other side of the fence, you had a few diligent politicians like Malte Spitz in Germany, who used his own data to show people just how horrible the tracking was – he made a YouTube video showing that he could essentially be followed block by block as he was going about his daily business, and also held a TED Talk about it.

Activists also kept pushing, relentlessly, providing actual data that politicians didn’t want to exist. The German AK Vorrat – loosely translated as “working group, data retention” – was one of the more visible ones, and pointed out that the collected data had only made a difference in 0.006 percent of criminal cases.

Zero point zero zero six per cent.

In most countries, that’s the equivalent of hiring two or three extra investigative police officers, but at the cost of ordinary police pay instead of the data retention’s cost of about a billion dollars per year (or much more). In other words, the data retention is not even effective in the best of cases – neither for police operations nor for cost-efficiency. You could have solved something like 1,000 times more additional crimes for the same amount of money, just by hiring regular investigating police officers doing ordinary honest police work instead of treating everybody as a suspect.

Now, fortunately, it wasn’t just activists pushing back. Since the governments had audaciously told the telecoms operators to foot the entire bill for this, they were not happy and had a real financial interest in scuttling this construct. That, in the end, is what caused the data retention’s undoing.

It was billions of dollars of cost for the telcos that was the ultimate driver to end data retention. It was the human rights principles that gave those telcos the right of way in court.

Because the telcos challenged the mandate to retain data – the most customer-focused ones flat out refused to comply, saying “take us to court”. The government didn’t, but took them to their own authorities instead (the US FCC equivalent), at which point the telcos took those authorities to court.

And won.

Once the courts had ruled that telcos were no longer required to store all metadata, and importantly, absorb all the cost for doing so, data retention was dead in practice. But it would take another couple of years to really drive the point home.

The legal escalation went all the way to the European Court of Justice (ECJ), which is the European equivalent of a Supreme Court. This escalation took a decade in total, but on April 8, 2014, the European Court of Justice ruled that the Data Retention Directive – the EU “federal law” – was so utterly incompatible with human rights that the court didn’t just declare it not in effect from that date; the ECJ ruled that it had never been in effect, annulling it retroactively and effectively erasing it from existence as a mark of shame. The court couldn’t have put its foot down any harder.

Most politicians in European states at the time noted that while they were now not mandated to preemptively violate every citizen’s privacy, there was not yet any ruling banning them at a federal level from doing so, and they sought to tweak details in their “safeguards” to keep the constructs. This missed the point of the ECJ entirely:

The problem isn’t that the data isn’t properly secured, or who has access to it and when. The problem is that surveillance of innocents in case they should become suspects later is fundamentally incompatible with a democracy. It is the core idea that is broken and unacceptable, not the details of implementation.

This disconnect baffled the courts entirely, as their key point had been made perfectly clear in the 2014 ruling: such a construct is incompatible with a democracy. Why did politicians persist in pretending it was a matter of implementation details, and not the core idea? More importantly, why was this still happening in individual states, even though there was no more federal directive mandating it?

Hawk politicians in those individual states were arguing that while the European states were no longer required to have data retention at the federal level, they were also not forbidden from having it as a state initiative, and continued at the state level what had been initiated by the federal law now shredded by the ECJ. This position at the state level could only have come from somebody who didn’t read the fuming verdict from the European Court of Justice in 2014, as it tore up the Data Retention Directive by its roots and lit it ritually ablaze, expressed in the strongest anger that judicial language is capable of expressing.

So in the judicial equivalent of “didn’t you morons hear us the first time”, the ECJ finally ruled in December of 2016 that all European states are utterly forbidden from mandating data retention from their telecommunications providers. This gave the telcos who had been objecting all along wind in their sails, and most of them deleted all the collected data on the same day to trumpet fanfares and advertising. Meanwhile, the politicians who had been advocating these violations of human rights muttered increasingly incoherently, and have not been heard from again so far, six months later.

In conclusion, while Europe had its turn with the hated Data Retention, it would take the courts twelve years to undo it. Let us at least hope that others can learn from this mistake and not have to do all of it all over again.

Privacy remains your own responsibility, as always.

About Rick Falkvinge

Rick is Head of Privacy at Private Internet Access. He is also the founder of the first Pirate Party and is a political evangelist, traveling around Europe and the world to talk and write about ideas of a sensible information policy. Additionally, he has a tech entrepreneur background and loves good whisky and fast motorcycles.

