Jack Murphy* was suspicious. His ex-girlfriend, Eve Doherty, seemed to know a lot about who he was calling.
His suspicions were merited. Doherty had been using her job in the Irish police force to access his phone records, an investigation by the local judiciary revealed. Doherty was disciplined and transferred in 2011.
Three years later, in 2014, the European Court of Justice (CJEU) ruled that the Irish law that forced telcos and internet service providers to hang on to traffic and location data was contrary to EU law, and so was the EU directive it was based on. The data retention regime allowed government agencies to access citizens' data in ways that violated their privacy — like what Doherty was doing when she accessed those phone records of her ex-boyfriend.
And yet, the risk of similar cases — of police officers overstepping their powers to access phone records — still lingers today.
The landmark 2014 ruling was followed by a bevy of subsequent judgments from the EU's highest court that reinforced its message to stop blanket data retention. But it didn't stop Ireland from keeping its mass surveillance of phone and internet data, including who you call and where you are, largely intact.
“In Ireland, we've been in a period of lawlessness, at least since 2001,” said TJ McIntyre, chair of Digital Rights Ireland, the non-profit organization whose legal complaint brought down the EU Data Retention Directive in the landmark 2014 case.
The pattern in Ireland is unsettling. Dublin sets up a data retention regime, the court then kills it after years of slow legal proceedings that go up to the European level, only to see the government reboot a similar regime, with some tweaks, that risks violating the same rights and principles that brought down the earlier one.
Just last month, the Irish justice ministry presented its latest iteration of a data retention bill after the EU’s top court’s latest ruling against the Irish regime in April 2022. But McIntyre argued Dublin’s latest attempt is just as harmful to privacy. It allows data retained for national security reasons to be accessed for criminal investigations, for instance, which he argues runs counter to the court's decision in April.
Decision after decision, the European Court of Justice's 27 top judges have fine-tuned their belief that mass retention of phone and internet traffic and location data violates fundamental EU privacy rights.
But many European law enforcement and government officials don't seem to want to listen. They argue that such data retention regimes are vital for crime fighting.
In a series of judgments from 2014 onwards, including most recently in late 2021 and early 2022, the CJEU has mostly sided with privacy groups, arguing that blanket data retention isn’t legal — except in some circumstances, with proper safeguards and if there’s a serious threat to national security.
It’s a fight that at times has gotten dirty. The French government at first tried to pressure its court not to follow EU case law, arguing it went against the country’s “constitutional identity.” Paris even mulled seeking changes to the EU’s founding treaties or the Charter of Fundamental Rights, known as the bloc’s primary law, to dodge the EU's top court rulings.
In Denmark, government ministers openly criticized the EU court. “I think that the fundamental problem here is that the Court of Justice of the European Union creates law without democratic legitimacy,” Danish Justice Minister Nick Hækkerup said following a ruling in late 2021. “After all, they are just judges.”
Passions run equally high in the opposing camp.
“Data retention is really what politicized me,” said German Pirate Party MEP Patrick Breyer. “I still think it's really the most privacy-intrusive legislation that the EU has ever enacted because it's about collecting information about the entire population.”
Even when they haven’t been openly hostile to the bloc’s top court, EU capitals have been ruthless in exploiting loopholes in its rulings.
Belgium and Denmark, for instance, are devising schemes that technically collect data in a targeted way rather than in a general way, which is what the court allows. But it’s arguably targeted in name only.
The Belgian proposal for targeting areas where there’s lots of crime sets the bar so low that it covers the whole country. Denmark isn’t much better, its crime level threshold means that close to 70 percent of the country’s population will be covered by its framework.
Governments are also looking to extend these regimes' reach: Belgium's proposal aims to cover messaging apps like WhatsApp and Signal, as well as the traditional telco operators. The plan risks effectively banning privacy-preserving platforms like Signal or Threema by forcing them to store data on users they don't currently collect.
France has tried another way to keep its blanket surveillance intact. Its top administrative court approved the government’s argument that the country is effectively under a constant terrorist threat, meaning that blanket data retention is OK. However there are already questions over whether this is legal, with one former EU judge arguing that the risk of terrorism doesn’t constitute a threat.
This game of cat and mouse has at times become a farce. Denmark’s tweaked data retention regime was in place for a mere six days this year before a fresh ruling from the CJEU rendered it illegal.
“The EU is really having a rule of law problem here, because governments knowingly ignore the case law because they don't like it. And the Commission refuses to enforce it,” said Breyer, the MEP.