New Privacy International report shows that 21 European countries are unlawfully retaining personal data

Europe (PI)

Key points

  1. Privacy International surveyed 21 EU member states’ legislation on data retention and examined their compliance with fundamental human rights standards
  2. 0 out of the 21 States examined by PI are currently in compliance with these standards (as interpreted in two landmark judgements by the Court of Justice of the European Union: Tele-2/Watson and Digital Rights Ireland)
  3. Privacy International is calling for:
    • EU member states to review their legislation on data retention and, if necessary, amend it to comply with European standards, including the CJEU jurisprudence;
    • Telecommunications and other companies subject to data retention obligations to challenge existing data retention legislation which are not compliant with European standards, including the CJEU jurisprudence;
    • The European Commission to provide guidance on reviewing national data retention laws to ensure its conformity with fundamental rights, as interpreted by the CJEU.

Privacy International have today released a report detailing the current data retention regimes across 21 European Union member states and the state of their (lack of) compliance with two landmark judgements by the CJEU which determined that EU law prohibits general and indiscriminate retention of communications data and requires that all data retention regimes comply with the principles of legality, necessity, and proportionality.

The report shows that, out of the 21 states Privacy International examined, zero are in compliance with current data retention standards (notably the e-privacy directive and the EU Charter of Fundamental Rights), including: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, France, Germany, Hungary, Ireland, Italy, Luxembourg, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the United Kingdom.

Privacy International Head of Policy and Advocacy Tomaso Falchetta said:


“Blanket and indiscriminate retention of our digital histories—who we interact with, when and how and where—can be a very intrusive form of surveillance that needs strict safeguards against abuse and mission creep. Our communications data is no less sensitive than the content of our communications. It is clear that current data retention regimes in Europe violate the right to privacy and other fundamental human rights. In particular the European Court has made clear that general, indiscriminate retention of communications data is disproportionate and cannot be justified, not even on the grounds of fighting crime.  While some states have recognised the need to reform, there is little evidence that they are moving to change their laws to bring them into line with their obligations under existing human rights law.”

This report prepared by Privacy International