Data retention has long been a blind spot of Europe's otherwise strict data protection regime. But a possible practical solution might be in sight.

The European Union has a long history of asking the same question several times until the answer is the desired one. For example, in the 2000s, Ireland rejected the treaties of Nice and Lisbon before a second referendum approved them.

For some, the same is happening in the data protection sphere. In a recent interview, privacy activist and Austrian lawyer Max Schrems compared activity surrounding the EU-U.S. trans-Atlantic agreement with the situation on data retention across several EU countries.

"Member states, again and again, try to pass some data retention law, knowing that the Court of Justice (of the European Union) is going to overturn it. But, because it just takes a couple of years for a verdict, politicians get away with it," Schrems said.

Data retention is the practice of collecting all sorts of metadata available online. When connecting to a website or an application, the information is sent to a server that collects information like IP addresses and localization data.

Although not as sensitive as communications' content, metadata can reveal critical personal details of people's lives. Moreover, it poses severe challenges for specific categories where confidentiality is essential, such as journalists, doctors and lawyers.

The German case

The legal issues around data retention are exemplified by cases in Germany, where, as in several other European countries, there has been a long history of trying to pass data retention laws that were consequently struck down in court.

The first attempt in Germany was ruled illegal in 2010 by the Federal Constitutional Court, a judgment that the Court of Justice of the European Union seconded. A second legislation was reintroduced in 2015, which, among other changes, included shorter deadlines for the erasure of the retained data after four weeks.

However, the law's legal soundness was put in question by rulings of the European court on similar legislative projects from Sweden and the United Kingdom in 2016, followed by further verdicts in Belgium, France and again the U.K. in 2020.

Thus, several national courts in Germany, like the Münster Higher Administrative Court and the Cologne Administrative Court, called the measure's legality into question. As a result, the Federal Network Agency put the legal provisions on hold while waiting for a ruling on the compatibility with EU law. Last September, the Court of Justice of the European Union also deemed the second German data retention law unlawful.

"For many years now, the government departments responsible for internal security in various EU member states in particular have been trying to introduce data retention, but have so far been biting their teeth at the (CJEU's) strict requirements," reuschlaw Associate Christoph Callewaert said.

The European court has consistently overruled attempts to retain metadata indiscriminately, meaning without a proper purpose, as this technique is considered to disproportionately harm people's fundamental rights. Only when defending national security, the European court left EU countries some leeway.

Targeted retention

The court rulings go against blanket data retention without a specific cause that might be used at a later stage for prosecuting significant criminal offences. That leaves space for targeted retention related to a specific incident, but the EU court did not provide further guidance on operationalization.

In Germany, the question has become political. In the coalition agreement signed up by governing political parties last year, there was a mention that there should be no more data retention laws. However, the political discussions on the matter are far from settled.

Following the latest debacle in court, Federal Minister of Justice, liberal Marco Buschmann, proposed a "quick freeze" procedure. This approach would enable law enforcement authorities to request internet providers store data of individuals for a certain period if there is an initial suspicion. The data could be “unfrozen” if the suspicion were substantiated later.

"We see this proposal as a chance to stop the deadlocked debate about data retention that has been going on for decades in Germany," said Konstantin Macher, a spokesperson at Digitalcourage, an NGO that filed a complaint — co-signed by over 37,000 — against data retention before the German Constitutional Court.

However, the proposal is still far from a done deal. Leading the charge against it is the Social Democratic Party, the major shareholder of the coalition government, embodied by Federal Minister of the Interior and Community Nancy Faeser. Faeser is pushing for certain forms of data retention, notably storing IP addresses to identify the perpetrators of hideous crimes such as child pornography.

By contrast, the German Child Protection Association has publicly stated that online child abuse could be fought without data retention, instead supporting the “quick freeze” approach as a viable way of balancing data protection and child protection.

The most vocal opponents of data retention argue that child protection is merely an instrument to make the debate more emotional. In practice, child pornography perpetrators can obfuscate their IP addresses, and the general population would be left to bear the cost of mass surveillance.

Within the three-party coalition, the Green party is throwing its weight to support the liberals' “quick freeze” proposal. By contrast, the social democrats have the support of the Christian Democratic Union, the leading opposition party that was previously in power with the SPD under the leadership of Angela Merkel.

The coalition members might agree on the matter as early as next month.

ePrivacy Regulation

The EU Charter of Fundamental Rights has been the legal basis for European judges to dismiss data retention attempts at the national level. However, at the EU level, member states have been trying to push data retention provisions in the context of the ePrivacy Regulation.

This legislative proposal aims to regulate the privacy of electronic communication, and it was intended to come into force with the EU General Data Protection Regulation. Nevertheless, the negotiations on the file have been stalling due to significant differences between the European Parliament and Council, the EU's co-legislators.

One of the most vital differences relates precisely to data retention. The Council, the institution that represents EU governments, has been trying to pass a provision that would allow European or national legislation to require communications services to retain metadata for the prosecution of criminal offences.

By contrast, MEPs want the service providers to only process that data insofar as it is necessary to provide the service and erase it immediately after. In a recent non-paper on the ePrivacy Regulation, the thorny issue was parked for future discussions.