This decision has immediate consequences for us here in Germany. As our own constitutional court ruled that the law implementing the directive was invalid, we did not have a data retention law for some time now, since lawmakers wanted to wait out this decision.
So data retention is dead here in Germany and will fall in many other European countries. It is still possible that the court will allow for a severely restricted version of data retention and of course the police can access ISP billing logs if they have a court order, but blind mass-surveillance is a thing of the past.
It most certainly can. This was already a contentious issue in Germany, maybe with a slight majority in the government in favor of it or at least people who support it in the right places to implement it, but it was far from an uncontroversial issue, even inside the government (i.e. the coalition parties). Germany was already the last country not to have data retention. (Of course also because the constitutional court ruled against it, but political pressure against it was responsible, too.)
The government could ram it through when there were no court objections quite yet but with them the dissenting voices inside government certainly get amplified. Also, while violating the constitution has been quite a sport for the government in Germany in recent years, court decisions that ruled laws unconstitutional have been respected.
I’m quite optimistic, but there obviously remains a danger of this being implemented some years down the line.
I have no idea what this means on the European level and for other individual countries, though.
When it comes to security, don't live in hope that the bad actors (in this case, governments) won't do what's possible because of something that's fungible (law).
I’m quite willing to believe that there are bad actors within the government, I do not believe that the government as a whole could be characterised as a bad actor regarding security.
Also, while secret services may do all kinds of bullshit hidden in the dark something like the data retention law is out in the open and consequently comparably much easier to contain. It’s possible to have a proper discussion about it. (I think this also quite neatly illustrates the value of having those discussions out in the open, both when it comes to the courts that decide on it and to the political pressures. If it happens in secret it is much, much harder to control and contain. Policy that is decided on in secret – even if by elected representatives or people appointed by elected representatives – is just much more dangerous.)
At least in Germany it wasn't the government collecting the data, they simply forced the ISPs to do so. And when the court ruled the law invalid the ISPs were more than happy to stop the data retention because it cost them a lot of money.
Ah, so instead of properly security-cleared people in one or two security services having access to it, every ISP from DBP down to a mom and pop organization may have access.
Will the average ISP pay to put all its staff who have access to those records with access through TS (DV clearance) clearance? It's not cheap. And what happens when some of the staff fail vetting - oops, you're now out of a job.
Oh, and this would mean that ISPs would have to have judicial oversight.
Of course it cannot. But making it illegal is a huge step in the right direction. Now if the EU members abide by this ruling, it will make it very hard for government officials to get away with alleged privacy breaches.
While I'm not assuming Germany's system is perfect, it is very likely some governments operate more under the consent of the governed than the US government.
Well, lucky you. Here in the Netherlands the politicians have jumped on this law as an excuse to pass domestic laws for data retention. Although this excuse is now gone the laws are already in place and this court ruling might not mean that my government is obliged not to spy on me.
This ruling also doesn't necessarily prevent outsourcing of the spying to the USA.
The .nl law is presumably not permissible for the same reasons that the directive was, so a challenge should have good chances. Assuming that this ruling establishes a precedent valid within .nl, of course.
As far as I know, this does not set a formal precedent for Dutch courts. But it is far from uncommon for courts to take inspiration from other courts, especially from the ECJ, and perhaps even more so in a case like this.
Don't forget the fact that the NSA is everywhere, can intercept and store everything and is above the law (or at least: above the law as it should be (or be interpreted)).
Germany still allows the presence of several huge NSA surveillance sites. Having them inside the country certainly allows for easy tapping of German infrastructure.
I think you are overly optimistic here. Data retention is still perfectly legal and I'm sure it will continue in many European countries. They are just no longer required to have a data retention law. It now depends on the lawmakers and the constitutional courts of the respective countries to take actions.
But I agree with you, in Germany data retention is now very unlikely to happen. For the countries that have implemented it already, it's going to be very hard to reverse, though.
The court found the DRG to be disproportionate, not well circumscribed and prone to abuse. But it also said that a more limited form of data retention is in the public interest.
So I'm pretty sure the debate isn't over. There will be some form of data retention everywhere.
As part of "Mystic" apparently the NSA monitored not only all communications in Iraq, but also in Austria. The basis for this was a secret treaty, by which the government knew about it, writes an Austrian magazine.
[...]
Austria has implemented the data retention law and officially stores "connection" data for 6 months; apparently NSA stores "everything" and is working together with the Austrian telecom companies and government.
I predict that it will eventually come out that other European nations have similar secret treaties, and that their sovereignty is circumscribed by such treaties. This is why you hear complaints, but see no action. It will be interesting to see if any popular movements against such agreements arise.
Hard to say how the Swedish government will react. One ISP, Bahnhof, immediately decided to stop collecting any data as specified by the Swedish DRD laws. And erase anything collected.
Are they literally collecting nothing now, not even enough to link IP addresses with subscriber identities? I love privacy as much as everyone else, but real crimes do happen online, and I wonder about the consequences.
Collecting and storing all that data indiscriminately is the wrong approach for preventing online crime. We don't chip and tag everyone 24/7 to prevent RL crime, either.
So how do you know it is effective or cost efficient for that matter?
The implementation of the Data Retention Directive in Sweden pushed the cost onto the ISPs. According to their industry group, the estimates for NRE as well as operational costs as stated by the government were at least a factor 10x too low. We are talking 100MSEK range instead of 10MSEK range. This also worked as a barrier to the market since the initial costs of establishing retention makes it costly to start a new ISP.
I have not seen any analysis on the cost and work done by the government to enforce as well as use the data collected. But alternatives such as directed surveillance (not wholesale) should be considered and not just flatly ignored.
Finally, if NSA when pressed for details can not really come up with more than possibly one case where wholesale surveillance was instrumental, I'm not sure the EU DRD and its implementations are that much more efficient.
Oh, sure. You can implement a curfew and shoot on sight everyone who ventures out on the streets outside government-approved schedule. Then you don't need to chip and tag them.
Or did you mean online crime? Outlaw computers, refer to above technique.
My point is, just because some type of enforcement has a certain level of effectiveness doesn't mean it's right to have it, nor does it mean that any alternative is required to have the same level of effectiveness, in particular given that it gets rid of something far worse.
I run a chat Web site. On multiple occasions, my moderation team has found people raping children live on webcam and reported them. People have been arrested, and children have been saved from abuse. That was only possible because they could be tracked down via their IP address. This isn't a hypothetical "think of the children" argument; it's something that has actually happened, multiple times, in the course of running my site.
As a reminder, we are talking about logging IP addresses only here, not sites you visit, etc. What actual, specific consequences of that logging are "far worse" than making it impossible to catch child rapists?
If you want to seriously discuss this topic and bring child rape into the discussion, then I think it would be best to steer away from hyperbole.
We were talking about EU/government mandated retention of IP + header[0] information at the ISP level, for periods of 6-18 months (depending what country we're looking at).
Refraining from this does NOT make it "impossible to catch child rapists" and if that sort of hyperbole is going to be your argument then I'm pretty much done with the conversation.
[0] it also turns out that you can't tell from "logging IP addresses only" whether someone is a child rapist or not.
EDIT: I see from your profile that you founded Omegle.com. That's cool, I love the concept of that site. I now understand the context of what you say somewhat better (btw didn't know Omegle had webcam support, I thought it was just chat).
However, this is an entirely different situation! Omegle is not an ISP. There are already laws for this! If you're running a chat+webcam website that is going to be used by children, then why yes, your business does have a responsibility for what goes on there. This has nothing to do with EU mandated data retention laws.
Maybe that's the source of the confusion here, Omegle is not situated in the EU, so maybe you weren't aware that there's actually all sorts of mechanisms in place for catching child rapists that do not hinge solely on the indiscriminate ISP-level logging of every EU citizen's usage of the Internet for any purpose, ever. The great thing is that these methods also work against criminals that do not operate on the Internet.
In Norway, politicians have promised that they want to go ahead with data retention regardless of the legality of the EU directive. It has been postponed multiple times due to cost and technical issues, but we'll probably get it eventually :-(
The only two parties in favour are Ap (labour party) and Høyre (conservatives) and in the latter there was substantial dissent. It only went through in the first place because the conservative leadership used the party whip in parliament.
Even though they still have a majority in parliament together, the conservatives are strengthened, and labour weakened, and a large part of the argumentation was that the EU "required" it. With this legal opinion I'd imagine at least some people in the labour party will consider opposing it, and more people in the conservative party - it's quite possible they'll find it hard to muster a majority to defend a challenge against the law.
This ruling just means that the law requiring ISPs to retain data is invalid. It doesn't ban national governments from passing their own laws to the same effect.
There are probably a lot of technical details involved but I don't think you can make such national laws or in case you can you probably can challenge them and get them retracted. The decision is more or less based on universal human rights and they should apply to EU and national law in the same way.
The Data Retention Directive has already been struck down locally in every state where it has reached the highest courts, so especially after this, a similar law will probably not survive.
It might actually be better if a high court deems the national law to be just fine, since you might get a verdict in the European Court of Human Rights.
That's probably pretty unconstitutional in most countries, though. And if the EU court has a problem with ISPs keeping this data for privacy/human rights reasons, I would imagine it would be even more aggressive against governments doing that.
I love EU! US, pay attention. This is how you do civil liberties. It seems EU is becoming the new beacon of democracy and civil liberties in the 21st century (if we ignore UK, which seems more interested in being another US state than an EU one, anyway, but without any rights to vote in the former).
There's a vocal anti-EU minority in the UK, but it's still a minority. It just seems larger than it actually is because it's loud, and to some extent acts as swing votes (the Conservatives want to avoid losing too many votes to UKIP, for fear of Labour beating them in the next election).
There's a vocal anti-EU minority in the UK, but it's still a minority.
That statement is true but potentially misleading.
In a poll earlier this month, as reported by the BBC[1], voting intentions if we had an in/out referendum immediately were 35% in, 32% out, 27% undecided, and 6% would not vote.
A different poll from back in December, mentioned in the same article, had a result of 32% in and 45% out, so it looks like the balance of opinion on this issue varies considerably over time, too.
(Both polls came from reputable sources, so I'm assuming that the sampling was done sensibly.)
In short, while it's true that the "anti-EU" group are a minority, the "pro-EU" group appear to be a minority of approximately the same size.
I love EU! US, pay attention. This is how you do civil liberties.
Note that it was the EU that implemented this data retention law in the first place. The US has no such data retention law and attempts to pass one have failed.
US law enforcement and intelligence agencies have done plenty of their own privacy invasion, of course, but there is substantial evidence that their counterparts in EU countries have done the same, sometimes conspiring with the US to do so.
"The US has no such data retention law...":
Well, NSA & colleagues do their very own data retention, outside of any law. That they violate the Constitution in doing so doesn't seem to be enough to have them stop.
By now the ISPs/Telcos had to save the data. When the directive came into action the ISPs/Telcos protested as they had additional costs nobody covered. So loopholes will not help if the data is not stored in the first place.
Unless there's some sort of "full feed copy" wiretap forwarding everything to a spy agency. Isn't this the way it's done in case of NSA and GCHQ, not by stealing archived traffic data off telecom servers?
If the ISPs already complained about extra costs, I wonder if most EU national secret agencies could pull it off on their own. Even if they had direct access, the infrastructure for the storage and querying of all (header) data of all the ISPs.
They don't all have billion dollar budgets like the NSA+GCHQ (which is the main reason I think it's fair to be infuriated with people that are okay with the global privacy breaches as long as it's not US citizens because "the secret agency in my country is doing just the same"--except they're not, they'd love to[0], but they don't have the resources to pull it off on the frankly insane and megalomaniac scale as NSA+GCHQ do).
That's the benefit of decentralizing, I guess.
[0] for the Dutch-reading HNers, in case you thought our AIVD are really basically just nice guys, check Louis Seveke's story http://www.vn.nl/Standaard-Media-Pagina/Louis-Seveke-kwelgee... (and no Seveke was absolutely no saint either, but they went too far and back in those days you had to physically tail someone, so at least it didn't scale very well)
Are there any leaks about European (except UK-GCHQ) governments spying on their citizens? By now they did not have to because it was done by the ISPs anyway.
Nah. The CFREU (Charter of Fundamental Rights of the EU) is binding on EU bodies, and national bodies only when they are implementing EU law. It doesn't directly bind other things national bodies do. That's the job of the ECHR (European Convention on Human Rights), which is not part of the EU.
The CJEU ruling relies on proportionality and the competence of the EU to legislate what it did. We're not about to get a ruling from the ECtHR that keeping telecoms data for two years violates the ECHR.
Same here in Holland. We have an extra tax (called BPM) on all new cars. It is so high (25K on a BMW X5) we are fined by the EU every year. But it is so profitable our government pays the fine smiling.
The four bold points after "Urteil" and before "Gründe" are the legal holding. The rest is just explaining the holding.
Not even the "Leitsätze" on top are binding in any way. But with those, at least, you can argue that the court indicated pretty clearly that it considers those sentences important, making speculation about future verdicts at least a little bit fruitful.
One mildly interesting / infuriating pre-Snowden tidbit: the UK was having a national discussion about this kind of mass surveillance. GCHQ were asked for their response a few times. They replied saying things like "it's useful for some crime prevention; you need checks and balances" and so on. What they didn't say was "this isn't relevant to us, because the law already allows us to do it (also, we already are doing it)".
With hindsight I can see how carefully they crafted all their answers. It is very frustrating to me that journalists did not read the relevant laws (which clearly list exemptions for GCHQ) and did not question the relevant oversight bodies or GCHQ for more information.
I tend to agree that slurping and storing all content data or all metadata is probably the wrong approach.
It does make me wonder if the technology got released in any form, even as university research, back to the public. I can understand keeping bomb design documents secret, but better database and better data mining tech is less sensitive.
Yes, but if we don't already we'll soon have our own national law requiring this data be collected.
This government aren't at all liberal in this regard and would never have been wild about trusting the EU to do this (or anything else) in the first place.
I understand that but that challenge will take years and will potentially still result in nothing happening.
Look at prisoner voting rights in the UK. The UK passed a law in 1983 saying prisoners couldn't vote. In 2001 someone mounted a legal challenge to it which was dismissed and arrived in Strasbourg later that year.
That court ruled in 2004 saying a blanket ban on prisoner voting was illegal, the UK appealed and lost in 2005. The government messed around before bringing a bill before parliament in 2009 to allow some voting rights - this bill was defeated.
And since then... Nothing. 2014, 13 years after the original case was brought, 5 years after it was won and prisoners have no right to vote and the government have repeatedly stated they aren't going to get the right to vote.
And the UK isn't the only country where this happens - I can't remember which but either France (I think) or Italy are notorious for ignoring EU court rulings where it doesn't suit them.
EU Courts are great where the national governments feel inclined to do what they say or don't feel too strongly about it but if they don't want to do what the court says, quite simply they don't.
I'm actually curious about which effects this ruling has in the United Kingdom (Britain).
Although they are subject to these regulations, considering their censorship the last years, I don't believe they are willing to coöperate on this (like they are not willing to drop the British pound in favor of the €).
Hm. This is important, extremely important. I'm very happy as an EU citizen for the direction the EU has been taking lately on technology matters.
I'm not fond of the EU, Brussels or anything, but there's a string of positive decisions in technology related matters that not many people seem to understand. That's good.
My assumption is that a UK individual, backed by an organisation such as Liberty will start the long road to the European Court of Human Rights, but first they need to take this to court in the UK (and lose to qualify).
So data retention is dead here in Germany and will fall in many other European countries. It is still possible that the court will allow for a severely restricted version of data retention and of course the police can access ISP billing logs if they have a court order, but blind mass-surveillance is a thing of the past.
Yay!