There was jubilation among data privacy campaigners on 2 March after the German Constitutional Court in Karlsruhe overturned the EU Data Retention Directive of 2006 (obliging member states to store citizens’ telecommunications data for six months to two years). However the ruling had a major catch, which was overlooked: the EU directive remains in force after the ruling. This means that the digital civil rights movement now has to Europeanize. After all, it was the EU that introduced data retention – and that is where it must also be abolished.
Nevertheless, the judgement of the German Constitutional Court means a resounding slap in the face for the parties of the previous “grand” coalition, who enacted the Data Retention Directive in November 2007. The Constitutional Court declared that blanket surveillance, without occasion, of the communications and movement profiles of the entire population is irreconcilable with the German constitution. This judgement goes a considerable way, since the judges forbid both the use of previously stored data in criminal trials, and also rule out a transition period for the law – in other words they insist on the immediate deletion of the data. This clear judgement is indeed a victory for the over 34 000 complainants of the biggest constitutional appeal in Federal German history.
Essentially, the court finds fault in the lack of well-defined provisions on data security; in the insufficient legal conditions for the retrieval and use of data; and in the inadequate requirements regarding information about those affected and the protection of confidentiality, for example in telephone counselling services.
No right to surveillance without occasion
In their justification for the judgement, the German judges go into detail about their previous ruling in which they already outlaw the collection of data for indefinite purposes. That also means that in cases where the purpose is definite (for example possible use in criminal prosecution), they do not automatically exclude comprehensive surveillance of communications.
The constitutional judges nevertheless emphasize that “such storage constitutes a particularly serious encroachment with an effect broader than anything in the legal system to date”. They share data privacy campaigners’ concern that the “the storage of telecommunications traffic data without occasion is capable of creating a diffusely threatening feeling of being watched which can impair a free exercise of fundamental rights in many areas”. For that reason, the judges make clear that the precautionary storage of data without occasion “must remain an exception to the rule”.
Hence, given the seriousness of the encroachment into fundamental rights, “a retrieval of the telecommunications traffic data stored by way of precaution may only be permitted if there is a sufficiently evidenced concrete danger to the life, limb or freedom of a person, to the existence or the security of the Federal Government or of a Land (state) or to ward off a common danger”. The hurdle for the use of data is therefore set so high that the financial and political expenditure required to operate a surveillance infrastructure is hardly likely to be worthwhile.
This does not mean that Germany will now, as the hectic to hysterical reactions from conservative security policy circles have suggested, fall into a security vacuum or that it is at the mercy of cyber criminals. According to police criminal statistics, the rate of successful criminal investigations has not changed since the introduction of the data retention law in Germany in January 2008: it remains at around 55 per cent. Until now, stored data has been retrieved in only 8316 cases, meaning that such data has been used in only 0.001 per cent of the 6.39 million crimes registered during this period. (On top of this comes the fact that before the data retention law was introduced, 80 per cent of Internet crimes were investigated successfully.)
The Brussels perspective
The initial euphoria over the judgement of the Constitutional Court has meanwhile turned into sobriety. The EU Data Retention Directive from 2006, which the relevant paragraphs of the German telecommunications law and criminal procedure are based on, continue to apply in Germany. The judges did not, as the complainants had asked for, submit them to the European Court of Justice for legal examination. There were two main reasons for this. On the one hand, there was no majority in the First Senate of the Constitutional Court for a more extensive judgement. On the issue of the immediate suspension of data retention with any period of transition, voting led to a stalemate. Two of the four conservative judges even used a minority vote to distance themselves from the judgement, which they said was too limiting of the freedom of the legislator.
The second reason is the German Constitutional Court’s complex and partially undisclosed relationship with the European Court of Justice. After the much-publicized judgement on the Lisbon Treaty in June 2009, in which the Constitutional Court observed that all it is able to do is oversee the “constitutional identity” of the German Federal Republic, it would have been extremely difficult for the judges in Karlsruhe to justify a submission to the European Court of Justice.
Overall, from a European perspective one can very well talk of a judgement of Salomon. Especially in the “small print” of the justification, the constitutional judges not only found clear words of criticism for the laws on security policy, but also sent a clear message to Brussels. Although the judges have consciously avoided seeking conflict with the European Court of Justice, their justification indirectly showed the EU the limits of its acquisitiveness. “Precautionary storage of telecommunications traffic data also considerably reduces the latitude for further data collections without occasion, including collections by way of European Union law.” In other words: the EU should not expect to get away with it so easily a second time.
This shows the political cleverness of the judges in Karlsruhe. There is no doubt that the court was aware of the attention being paid to its judgement throughout Europe. At the same time, the court did not want to rule on behalf of the whole of Europe in a single sleight of hand. Instead, it has played the ball back into the half of the field that belongs to European politics.
Can it really be assumed, however, that it is possible to organize successful majorities at the European level that can return the proverbial horse to its stable? In concrete terms, this would mean convincing the Commission, the Parliament and the Council simultaneously to suspend a directive that has already been passed, or at least to limit it massively. At first glance, an impossible task.
Yet civil rights campaigners can derive hope from the personnel of the EU Commission as well as the newfound confidence of the European Parliament. The “Barroso II” Commission has appointed Viviane Reding, not someone to shy from a dispute, to the newly created post of Commissioner for Justice, Fundamental Rights and Citizenship. Having previously been Commissioner for Information Society and Media, Reding is very well acquainted with issues relating to digital communications. In her hearing before the European Parliament in January she made clear that she would not have enacted the Data Retention Directive.
The new Commissioner for Home Affairs, Cecilia Malmström, is also considered to be a convinced liberal. She has already announced a thorough re-evaluation of the Directive. Commissioner Malmström will need to pay close attention to the question of whether such an encroachment into the private sphere can be reconciled with article 8 of the new Charter of Fundamental Rights of the European Union, which since the entry into force of the Lisbon Treaty in December 2009 is binding for all EU legislation.
Reason for hope is also offered by the fact that the European Parliament will almost certainly be willing to flex its political muscles. The clear rejection of the EU’s interim agreement on banking data transfers to the USA (SWIFT agreement) in February this year shows that a new power factor is forming for civil rights. As the celebrating in the Strasburg plenum after the SWIFT ballot revealed, the parliamentarians are pleased with their new role as privacy protectors close to citizens.
A European civil rights movement?
Despite these hopeful signs, the abolition of the EU directive remains a major challenge. In the upcoming debate, much will depend on the agreement of the European Social Democrats. Until the end of 2005, they had agreed to data retention (then as now under the leadership of Martin Schulz). The change of direction towards subjects close to the Internet generation will gradually take place among the Social Democrats, both in Brussels and in Berlin, and could even develop somewhat faster at the European level.
However the biggest stumbling block is likely to be the EU Council. Until now, the only open resistance to data retention has come from the Romanian government, after the Constitutional Court in Bucharest blocked the EU directive in 2009. Parts of the Austrian and German governments are also in favour of overturning the directive, however must first impose their will on their conservative coalition partners. The Swedish government will attempt to avoid the discussion until the parliamentary elections in September, above all because it wants to avoid lending ammunition to the reinvigorated Pirate Party. It is still impossible to predict whether other European countries will join the opposition to blanket surveillance. The challenges for the new civil rights movement – in some countries like Germany and Sweden already very agile, however in Europe as a whole still nascent – consists first of all in creating greater public awareness of the problem in specific EU countries.
The debate on the SWIFT agreement shows, however, how fast the media and political echo about the civil rights rebellion of the European Parliament can fade. The reason for this is obvious: the European public sphere suffers from the fact that in mass media terms it consists of national publics – and national governments react only to these.
On top of this, data retention has already been introduced in numerous European countries and for that reason is no longer good for media campaigns. A major challenge will therefore be to find thematic overlaps with other, more controversial topics in the national context. This also means that data privacy campaigners must concentrate not on Brussels, but on Madrid, Paris, Prague, Warsaw, Athens, Rome and Copenhagen.
The new European civil rights movement faces an enormously complex task. However in the past it has been equal to its challenges; today it disposes over more knowledge and experience, and more durable networks, publicity and infrastructure, than it did even a few years ago. Especially the German activists, for example the Arbeitskreis Vorratsdatenspeicherung (the German Working Group on Data Retention) or the Chaos Computer Club, have reputations abroad as successful actors in the campaign for civil rights and data privacy. It is possible to build on this. The first reactions from the Internet community point in precisely this direction. Europe here we come!