Data Retention in a Cross-Border Perspective
Latest Insights from the European Union and the United States
As is widely known, the retention of metadata constitutes an essential tool in the context of the fight against terrorism and, more broadly, serious crime. This analysis focuses on a comparison between two “giants” from the perspective of metadata retention for security purposes, i.e. Europe and the United States, and highlights some challenges that arise therefrom.
To look at recent developments, on 30 April 2024, the European Court of Justice (ECJ) ruled again on metadata retention. The Court determined that, although metadata retention cannot be set aside as it is pivotal to ensure well-working preventative strategies against transnational crime, further guarantees need to be ensured, e.g. keeping IP addresses separated from civil identity data. Hence, it appears that the European Union (EU) is increasingly affirming itself as the main actor in the tricky balance between public security, on the one hand, and human rights – such as privacy and data protection – on the other.
However, metadata retention is useful and effective only insofar as similar measures and standards are adopted throughout as many countries as possible. Specifically, it is essential that at least the “two sides” of the Western world, namely Europe and the United States, ensure well-working cooperation and similar levels of protection in this respect. Hence, a comparison between the two is very useful in order to make some considerations on this point.
The European scenario: an endless fight between the ECJ and national lawmakers
In the EU context, the ECJ has repeatedly ruled on metadata retention, not only with the landmark Digital Rights decision (2014) and subsequent judgments, such as Tele2 Sverige (2016), but also with the more recent La Quadrature du Net II judgment (2024), mentioned above. In these rulings, as in others addressing other aspects of the balance between security and privacy rights (e.g., Opinion A-1/15, issued in 2017 and concerning the collection and retention of Passenger Name Record data), the Luxembourg Court has taken a progressively more realistic and pragmatic stance, as remarked by scholars. As a matter of fact, over time the Court has validated mass surveillance and accepted it as a conditio sine qua non to be introduced in any public security strategy. Yet, the judges have not given up reaffirming safeguards that, particularly if one looks at the recent decision, are framed in an increasingly technical and precise way, taking into account even refined technicalities, as remarked by Formici’s analysis in this Symposium.
Against this background, domestic lawmakers seem not to be convinced that a balanced attitude in the security vs. privacy conundrum is the way to go: many of them – Italy, with its 72-month retention period, is a patent example – rely on metadata retention regimes that are at least dubious – to use a euphemism – from the perspective of the principles enshrined in the ECJ’s case law concerning surveillance.
This holds true not only for EU Member States. In fact, even if one looks at countries that are formally outside the EU, but play a relevant role in the European scenario, the situation is worrying. Let us just consider the United Kingdom (UK) – no longer an EU Member State, after Brexit, but surely an essential actor in the keeping of security in. The UK, in spite of several supranational decisions sanctioning or condemning some aspects of its surveillance schemes (see, e.g., the Big Brother Watch judgment by the European Court of Human Rights and the Privacy International judgment by the ECJ), keeps quite worrisome bulk interception provisions under the Investigatory Powers Act 2016. For instance, rules on court authorizations are poor and the provisions on foreign surveillance are drafted very widely, so as to leave discretion to governmental authorities as to their scope (for the potential effects of the recent ECJ jurisprudence on data transfers to the UK, see Kuşkonmaz in this symposium).
In sum, a quite divisive situation exists in Europe. Courts, especially the supranational ones, try to guarantee a well-thought-out attitude. Lawmakers, instead, give crucial importance to the security side of the binomial, and consequently they do not give up bulk and indiscriminate surveillance, including but not only through the use of communication metadata. Nevertheless, the very existence of such a dialogue (or maybe it would better be defined as a tug-of-war) between courts and lawmakers is a sign of sound “counter-limits” to the action of political bodies that, by their very nature, tend to be inclined towards security when it comes to the protection of their citizens and institutions.
The US scenario: a driver for the lowering of standards?
In the United States, the starting point in the field of the relationship between security and rights such as privacy and data protection is very different from the European one. This is due to several factors that are inherent in the US legal system, the pertinent legal framework, as well as legal culture.
First, the Fourth Amendment – from which privacy rights are inferred – is deemed to be recessive when other needs are at stake, security among them. If one considers the interpretation given by courts, the circumstances where warrants can be excluded or reduced are almost more than the ones where they are considered essential.
Second, and related to the above-mentioned aspect, there is the well-known third-party doctrine, according to which a person has no reasonable expectation of privacy when he/she voluntarily shares information with others. This doctrine allows an almost full “liberalization” of data that individuals give to a variety of entities, and the jurisprudential stance on this doctrine is still quite consolidated, with few to no exceptions.
Third, when the tech industry is involved – as in the case of metadata surveillance, since cooperation of communication service providers with public authorities is central – the United States tend to embrace a very “libertarian” stance, more oriented towards the market than towards the protection of users’ rights. This is manifest, among others, in the scarce regulation of the technology market in general, which then results in self-regulation by the industry.
All these features are clearly visible in the context of metadata retention. Not only were the United States among the pioneers of this practice, with the controversial Section 215 of the 2001 USA Patriot Act, extended several times and then incorporated into the USA Freedom Act in 2015; they also passed the Cloud Act in 2018, according to which US federal authorities can access the data stored by any US company, among others for the purpose of crime prevention. In effect, the Cloud Act applies extra-territorially, since there is no need for the company’s servers to be based in the United States.
At the same time, US courts have not taken firm stances against indiscriminate metadata retention carried out without strong guarantees. Indeed, the federal Supreme Court, when called to rule on access to communication metadata, remanded the case back to the lower court to be dismissed (see the 2018 Microsoft Corp. v. United States judgment, concerning a case that originated before the enactment of the Cloud Act but was settled shortly after the Act had been published).
Thus, in contrast to the European scenario, the US context does not see a strong role of courts trying to contain the drifts of the lawmakers, which, as a consequence, become significantly more worrying than on the European side. Additionally, recent electoral results in the United States might lead to an even more concerning situation.
Moreover, given the extra-territorial effects of metadata retention, but also of the fight against terrorism, which is a transnational crime, the implications of the US legal regime on cross-border standards of privacy protection are noteworthy. While the European system is more protective, there is indeed little that can be done when US law enforcement authorities request access to metadata on European servers based on the more intrusive US laws. It is true that EU standards also apply extra-territorially and the Brussels effect has its own weight. The Brussels effect can be defined as the influence of EU law even outside of the EU borders, implying that non-EU countries too may end up having to comply with EU norms due to the necessity to keep relationships with EU countries. Nevertheless, given the significance of the United States on the technology market, the prevalence of its (legal) standards based on its market position is not to be excluded and would need to be opposed, e.g. through strong courts’ stances in favor of privacy, in order to restore a well-balanced global context.
Some concluding considerations
The presented background is not intended to give a totally pessimistic vision, arguing that human rights standards will necessarily be reduced due to the economic predominance of the United States. Rather, the analysis warns against the risk of a sort of “reverse Brussels effect”, and claims that efforts should be made to prevent the economic power of the United States from leading to a lowering of privacy standards when it comes to metadata surveillance. In order to do so, European authorities should engage in careful and in-depth review of the standards adopted in the United States – and in any other third country with which the EU exchanges data. The recent review by the EU Commission on the implementation of the US Data Privacy Framework (DPF) seems to go in this direction.
On a more institutional note, this comment has shed light on how essential the role of courts is in striking and keeping a balance between security, undeniably needed to ensure the survival of our societies, and human rights, essential if such societies are willing to be considered as “democratic”.