Today, Mexico’s newest data retention law entered into force. The law compels Mexican telecom providers to retain, for two years, the details of who communicates with whom, for how long, and from where. It also allows the authorities access to these details without a court order, exposing geolocation information that reveals the physical whereabouts of Mexicans. Across the Pacific, the Australian government plans to introduce a data retention mandate for Australian Internet Service Providers. These developments come on the heels of widespread opposition, and skepticism about whether blanket data retention mandates can ever be consistent with human rights law.
On April 8, the Grand Chamber of the Court of Justice of the European Union declared the EU's Data Retention Directive invalid. The top court held that, although the retention of communications data under the Directive was for the legitimate aim of combating "serious crime," the blanket nature of the obligation entailed "an interference with the fundamental rights of practically the entire European population." Essentially, the court criticized the Directive for treating every person as a criminal suspect. The decision was a huge victory for European human rights activists who doggedly fought these draconian rules. The activists waged awe-inspiring advocacy campaigns, pursued effective litigation strategies, and organized what proved to be the largest-ever street protests against excessive surveillance. In Germany, the battle against the implementation of data retention gathered steam immediately after the law’s passage. The German coalition, AK Vorrat, brought public pressure against it and initiated a lawsuit on behalf of 34,000 citizens. The coalition was successful, as the German constitutional court rejected the data retention law as contrary to fundamental civil liberties guaranteed by the German constitution.
The consequences of data retention mandates are far-reaching, but one particularly troubling outcome is the erosion of journalists’ right to refuse to hand over evidence to law enforcement to protect the confidentiality of their sources. In Poland, the media reported on two major cases where intelligence agencies used retained traffic and subscriber data to illegally disclose journalistic sources. In Germany, Deutsche Telekom illegally used telecom traffic and location data to spy on about 60 individuals—including critical journalists, managers and union leaders—in order to try to find leaks. And in a particularly egregious case from Ireland, a law enforcement officer reportedly used retained communications data to spy on her ex-boyfriend’s phone activities.
Meanwhile, Latin America saw a judicial rejection of a data retention mandate as early as 2005. An Argentine regulation there had compelled all telcos and ISPs to record, index, and store traffic data for a 10-year period. Argentine civil rights organization, Fundacion Via Libre, fought back with a media campaign, and, in combination with a litigation strategy led by a private sector organization, the regulation was thrown out by the Argentine Supreme Court.
More recently, strong criticisms of data retention mandates have been issued in international policy venues. On March 27, the UN Human Rights Committee (the body of independent experts that monitors implementation of the International Covenant on Civil and Political Rights by its State parties) issued its first-ever official report on privacy in the digital age, calling upon the United States to “refrain from imposing mandatory retention of data by third parties.”
Mandatory third party data retention, a recurring feature of surveillance regimes in many States, where Governments require telephone companies and Internet service providers to store metadata about their customers’ communications and location for subsequent law enforcement and intelligence agency access appears neither necessary nor proportionate.
For any surveillance measure to be legal under international human rights law, it must be prescribed by law. It must be “necessary” to achieve a legitimate aim and “proportionate” to the desired aim. This requirement is important to ensure that the government does not adopt surveillance measures that threaten the foundations of a democratic society.
The 13 Necessary and Proportionate Principles in particular, and international human rights law generally, are premised on the assumption that interferences with fundamental rights must be dealt with on a case-by-case basis. In this context, data retention mandates of innocent individuals, by its very nature, eradicates any consideration of proportionality and due process in favor of the indiscriminate interference with the right to privacy—and could never be compatible with States’ human rights obligations. Australia and Mexico must turn back from the dead-end path of data retention mandates, and uphold their international human rights obligations.