• Home /
• News /
• 2021 /
• March /
• EU: Blanket telecoms surveillance: data retention back on the agenda in the Council

EU: Blanket telecoms surveillance: data retention back on the agenda in the Council

Topic

Country/Region

01 March 2021

The Portuguese Presidency of the Council of the EU is continuing long-standing discussions on the retention of telecommunications data for the purposes of law enforcement, with the focus currently on "selective/targeted retention" and "retention of source IP addresses and civil identity data".

After the Court of Justice of the EU struck down the 2006 Data Retention Directive in April 2014, member states have been keen to find a way to bring back EU-wide rules mandating the retention of telecommunications metadata: the who, why, when and where, but not the what, of phone calls, web and internet usage.

In the interim, a number of further rulings have clarified the situations in which Europe's top judges deem such surveillance measures might be permissible - and it is these situations that the Council will be discussing, according to a Portuguese Presidency paper obtained by Statewatch.

See: Examination of the ECJ rulings of 6 October 2020 (case C-623/17 and joint cases C 511/18, C-512/18 and C-520/18) - presentation by the Presidency and exchange of views (6231/21, LIMITE, 19 February 2021, pdf, emphasis added)

a) Regarding selective/targeted retention, we invite Member States to comment on the following:

1. Considering the recent jurisprudence of the Court of Justice, what are the Member States' views on the categories of data that should be retained based on law enforcement operational needs? How can the categories be limited e.g. volume, sensitivity, retention period etc.?
2. What are Member States views on the means of communication that should be covered? What are their views on the types of providers, including OTTs [over-the-top services]? Can these be limited based on size, geographical coverage, number of subscribers, cross-border presence?
3. Do Member States consider the reference to categories of person in the recent Court of Justice case-law problematic? How could such concept be developed and applied having in mind nondiscriminatory concerns? What kind of objective criteria can be applied to defining such a category of persons?
4. What would Member States consider an appropriate retention period? Which objective criteria can be applied to determine such a period, e.g. sensitivity of the data?

b) Regarding the retention of IP addresses and civil identity data, we would like to invite the Member States to comment on the following:

1. Do Member States interpret the possibility of retention of source IPs addresses, established in the recent case law of the Court, as including both static and dynamic IPs? Would or should this include source-port numbers? What are the views on only retaining source but not destination IP addresses?
2. Do Member States consider it to be in line with the jurisprudence of the ECJ that Internet Protocol addresses, strictly needed to identify a subscriber, should include first login IP, last login IP or the login IP used at a specific moment in time? Should this be considered as 'subscriber' or 'traffic' data if the IP address is used solely to identify a person?
3. Considering the ECJ jurisprudence, do Member States agree that IP addresses for the purpose of identifying a subscriber should be accessed by Criminal Justice Authorities below the threshold of “serious crime”, in line with the ECtHR jurisprudence (K.U. v. FINLAND, Application no. 2872/02) that considers that "Limiting access to or disclosure of subscriber information to investigations of serious crime would prevent governments from meeting their obligations to protect individuals and their rights against crime"? Which crimes would fall below the serious crime threshold under national laws?"