The Dutch data retention law will have its day in court on Feb. 18, when the District Court of the Hague hears a legal challenge to it filed by a broad coalition of organizations.
The law requires telecommunications and Internet companies to retain their customer’s location and traffic metadata for six to 12 months, depending on the type of data, for investigatory purposes.
However, the complainants want the court to invalidate the law because it violates fundamental privacy rights, said their law firm Boekx advocaten. The main reason the law should be scrapped, they say, is a ruling from the Court of Justice of the European Union (CJEU) last year, which invalidated the EU’s Data Retention Directive on which the Dutch law is based because it violates fundamental privacy rights.
After evaluating that ruling, though, the Dutch government decided in November largely to maintain the national data retention law on the grounds that it “is indispensable for the investigation and prosecution of serious criminal offenses.” Only a few adjustments to the law were deemed necessary, mainly tightening who has access to the data and under which circumstances.
By maintaining the law, the government also ignored the advice given by the Council of State, a constitutional advisory body that concluded that the Dutch data retention law should be withdrawn because it violates fundamental privacy laws.
The challenge, filed by civil rights organization Privacy First, the Dutch Association of Criminal Defense Lawyers, the Dutch Association of Journalists, the Dutch Section of the International Commission of Jurists, ISP BIT and telecom companies VOYS and SpeakUp, aims to get the law invalidated as soon as possible.
Data retention laws in other EU countries have been ruled unconstitutional. The Constitutional Court of Austria for instance axed the local data retention law in the wake of the CJEU ruling, and in Germany the local data retention law was already ruled unconstitutional in 2010, long before the CJEU ruling.
In Sweden though things are much the same as in the Netherlands. There, the government maintains that the Swedish national legislation can still be applied, causing trouble for Swedish ISP Bahnhof, which had stopped retaining and deleted data after being given permission by the Swedish Post and Telecom Authority (PTS) to do so in wake of the CJEU ruling.
However, Bahnhof was told to start retaining data again later last year. To protect its customers, the ISP has set up a free VPN (virtual private network) service to hide their communication metadata from the police. It also asked to the European Commission to intervene and vowed to fight the law in court.
Meanwhile, the European Parliament’s Legal Service also reached a conclusion about the CJEU ruling. It means that EU countries no longer have any obligation but rather an option to keep retaining data, it said in its analysis of the implications of the judgement that was leaked by digital rights group Access Now last week.
As a result of the CJEU ruling, countries run an even higher risk than before of having their national legislation annulled by national courts in a similar way to what has happened in some EU countries, the Legal Service said.
“And perhaps, most importantly, the report then adds that all the criteria set out by the Court in its ruling on the need for safeguards, proportionality and the ‘existence of clear and precise rules’ must be included in these national laws,” Access Now said, adding that, as a result, all existing national acts on data retention should be examined on a case-by-case basis to check their compliance with those criteria.
“It is already clear that laws in place in several EU countries—such as France or the U.K., which recently expanded its surveillance powers—would have difficulty passing that test,” Access Now said.