Many people wonder what will happen to their data when European governments begin to pass laws implementing the Data Retention Directive. Google's recent victory in a US court opposing a request to obtain data by the US Department of Justice (DOJ) may shed some light on the challenges raised by the new Directive.
Under the new Directive, every EU country must pass laws requiring phone and Internet companies to retain vast amounts of their users' data (both subscriber data, and so-called traffic and location data), for periods ranging from 6 months to two years. The goal of data retention is to make the data available to law enforcement for the investigation and prosecution of serious crime. At the same time, every European has a human right to have his/her personal data protected from unauthorized disclosure, and companies have both ethical and commercial reasons to protect the privacy of their users' data. It’s noteworthy, however, that government agencies in the EU (such as law enforcement bodies) are not legally required to comply with the same data protection laws that companies like Google must follow.
The experience in the US, and Google’s case, demonstrate that government and other law enforcement agencies are seeking access to stored data on a massive scale. The US DOJ originally sent a subpoena to Google for billions of URLs and two months' worth of users' search queries. The DOJ wanted this data not to further any particular pending investigation, but to test its theories about the effectiveness of software filters to protection children from harmful content, as part of a lawsuit to defend the constitutionality of the 1998 US Children's Online Protection Act. Google chose to go to court to resist this massive government demand for data, which we felt was disproportionate to the uses to which the data were to be put. Thankfully, the Judge agreed and drastically reduced the scope to 50,000 URLs and zero search queries. The Judge agreed with Google that the government's request for this data had to be weighed against our users' legitimate expectations of privacy.
Data retention laws will be passed in the months ahead across Europe to implement the new EU Directive, and telecom and Internet companies will comply with them by retaining vast amounts of data. Law enforcement will then start demanding this information, but they are not currently bound by data protection laws (the EU is considering the extension of data protection laws to law enforcement, but the outcome of this effort is uncertain). Thus, while the US court upheld Google’s objections, law enforcement might have prevailed in a European court, despite the existence of data protection laws.
In Europe we need to have a much broader and open public discussion about how to make sure that our laws incorporate safeguards to ensure that law enforcement is provided with data that is relevant and proportionate, but not provided with unlimited access to data that most Europeans expect to be kept private. Not every company will go to court to ask a judge to get the balance right the way Google did. Google is certainly willing to fulfill its legal obligations both to respond to legitimate law enforcement requests for data, and to protect the data protection rights of its users. But the combination of the new Data Retention Directive that will mandate the creation of massive databases, and the failure of the EU to so far extend data protection law to law enforcement entities, creates a situation in which personal data may lack appropriate legal protection. I hope that national legislators pass data retention laws that are narrow in scope, and that the EU extends data protection law to law enforcement activities.