Testing the Waters of Private Data Pools
How a General Surveillance Account Could Cover Privately Collected Data
Nowadays, data is mostly collected not by state actors but by businesses. To make use of the data amassed by these companies, law enforcement authorities often oblige them to hand over their records. To ensure that the companies actually collect (and do not delete) the most useful data for these authorities, legislators have put retention obligations into place. However, only very specific data is subject to such retention, while most data is stored by companies due to their own economic interest. For the purposes of a general surveillance account, this raises the question of whether data collected by state actors (such as airline passenger name records [PNR]) should be treated differently. While many are concerned with the latter, the potential threats these private data pools pose for the exercise of fundamental rights are often overlooked. In any case, a general surveillance account requires more empirical data on the exercise of surveillance powers in order to provide a complete picture of the level of surveillance in a society.
Preventing total surveillance
The recent CJEU decision (“La Quadrature Du Net II”) on data retention has brought back the dream of data retention obligations for telecommunications traffic data – at least for some. The German history of data retention goes back more than 14 years: in its 2010 data retention judgement, the German federal constitutional court held traffic data retention to be generally permissible – the caveat being very strict thresholds for the laws governing the retention. One of the requirements that follows from the judgement is what is dubbed an “Überwachungsgesamtrechnung” (hereafter “general surveillance account”). According to the judgement, such an account entails that the German parliament needs to consider already existing data collection procedures before enacting new mass data collection measures. The court deemed this necessary to prevent an Orwellian dystopia where the government is able to capture all the activities of citizens. In the aforementioned 2010 data retention judgement, the German constitutional court considers this prohibition of total surveillance to be part of the constitutional identity which not even EU legislation can supersede. Thus, the general surveillance account is necessary to ensure the persistence of Germany’s constitutional identity. At a time when private actors have amassed some of the largest data pools, this raises the question of what it takes for the general surveillance account to adequately consider private data pools.
Since 2010, the general surveillance account has emancipated itself from this specific context to become a tool to assess surveillance measures conducted by German security authorities more generally. A general surveillance account should feature a normative evaluation of the relevant surveillance measures alongside an empirical survey. The normative dimension allows for an assessment of the possible intensity of a measure, while the empirical evaluation aims at assessing its intensity in practice, i.e. how often the relevant measures were conducted. Both are essential to account for the general level of state surveillance in a society.
Whether the data was collected because of a retention obligation could be an important factor for determining the possible intensity of a measure, i.e. the normative evaluation. This question explicitly extends to all kinds of data pools, even though the public discussion is often focused on telecommunications traffic data retention alone (as already observed here). Especially with the rise of social media, data collected by online platforms has grown to be more and more important to law enforcement authorities.
In order to examine how a general surveillance account can account for private data pools, we will first examine the types of data the concept of “data retention” encompasses. Next, we take a critical look at whether it is justified not to treat private data pools as data retention. Lastly, we analyse what needs to be done to enable an effective general surveillance account, accounting for private data pools.
It’s not just telecommunications data
In the German context, the term “data retention” or “Vorratsdatenspeicherung” refers to the precautionary storage of personal data concerning telecommunications traffic without a specific indication. If necessary, the stored data might be used at a later date for purposes not yet foreseen. This is due to the fact that the German constitutional court developed its jurisprudence on the matter in its 2010 judgement mainly against the backdrop of telecommunications traffic data retained by service providers as required by the law transposing the Data Retention directive 2006/24/EC. However, even in this judgement, the court held that telecommunications traffic data retention could pave the way for further pre-emptive data collection (para. 218), thus recognising that data retention in other fields is conceivable. Bearing this in mind, it is not surprising that the CJEU also often refers to its own decisions on PNR data in its rulings on data retention (see e.g. CJEU, judgement of 6 October 2020, C 511/18 – La Quadrature du Net, para. 115 seq., 130 seq.).
Indeed, in practice, data is also retained in other fields and by other means. Examples include customer and usage data stored by digital and postal services providers for operational purposes, which can be requested by law enforcement authorities under certain circumstances (e.g. Sec. 40 para. 2 and Sec. 50 para. 2 of the German Federal Criminal Office Act), as well as PNR data and financial data, which are collected by airlines or banks respectively and transmitted to the designated national data processing authority (e.g. Sec. 2 of the German Passenger Data Act and Sec. 24c of the Banking Act). Therefore, a general surveillance account must also consider those other kinds of privately gathered data.
Public and private data retention
The pivotal point of the debate around data retention is the obligation of private actors to store certain data. The mere storage already constitutes an interference with fundamental rights, such as Art. 7 and 8 CFR, Art. 8 ECHR as well as Art. 2 sec. 1 and Art. 1 sec. 1 German Basic Law. Additionally, the fundamental rights of a person are also affected when data is retrieved by law enforcement authorities.
Data retention obligations could therefore indeed increase the intensity of surveillance on an individual. As a result, the laws governing the retrieval of data from telecommunications service providers (where there is a retention obligation, cf. Sec. 172 (1), 176 German Telecommunications Act) were more intense than those governing the retrieval of data from services where there is no retention obligation, e.g. digital services providers, which only store data for their own purposes.
When data retention obligations exist, the state can assume that the relevant data is stored, and it can reliably access the data at any time. This differs from an – from the state’s point of view – “arbitrary” retention of data by digital services providers for commercial purposes.
However, taking big social media platforms and search engines into account paints a different picture. Most of these services store customer data in their own economic interest. In some cases, the data might be necessary to operate the company. For example, Netflix stores user data for billing purposes and Facebook stores it to display it to other users and run advertisements. In others, the data has an economic value, as it can be sold. After all, data dominance also means market power.
In these cases, the state authorities can rely on the fact that the providers store data on a large scale. Digital services providers are also likely to store more data than telecommunications providers, and instead of a few months, as provided for in the time limits of Sec. 172 of the German Telecommunications Act, the data is often stored for several years.
This means that even when digital services store data only for their own interest, law enforcement authorities can still access this data at virtually any time. In the end, the retention of data by digital services is just as intense for the individual as the retention of data by telecommunications providers.
However, other digital services have made privacy their business model (like Signal) and only store data which is absolutely necessary for the service. In these cases, law enforcement authorities can only access little to no data without retention obligations. Consequently, only when data retention obligations are in place can law enforcement authorities expect a minimum amount of data.
Assessing surveillance requires empirical data
Common to the different kinds of data retention is that access to stored data by law enforcement authorities touches upon the fundamental rights of the data subjects. Be it as a retrieval of privately stored data or as a change of purpose when accessing data stored by state authorities, the access to data constitutes a new interference. Data retention in itself does not create additional knowledge for law enforcement authorities, but data access does. It is therefore essential that a general account of surveillance focuses on data access. However, the (generally) increased quantity and quality of data can be accounted for with a higher intensity scoring of the relevant measures when performing the legal analysis of surveillance powers.
Next to the normative analysis, the general surveillance account still requires – as explained above – empirical data on the frequency of data access in order to provide a full understanding of the total amount of surveillance in society. Quantitative data on surveillance powers is quite scarce, however. While there are reporting obligations for certain forms of surveillance (e.g. Section 101b of the German Code of Criminal Procedure requires reporting on telecommunication monitoring), there are significant gaps in the reporting requirements for many other measures. Constitutional jurisprudence by the German Federal Constitutional Court explicitly requires reporting obligations only for specific measures that interfere with fundamental rights in a particularly intense manner.
A call for more empirical data about surveillance measures
This line of jurisprudence requires some revision in light of the general surveillance account. Without sufficient empirical data it is impossible to create a meaningful image of the total amount of surveillance within a society. The concept of measuring the extent of surveillance is derived from the constitutional imperative of preventing the total monitoring of society. In a series of rulings, the Federal Constitutional Court has held that surveillance powers must be coordinated in a way that prevents one person from becoming the subject of complete surveillance through the exercise of powers by different law enforcement and intelligence authorities. This concept can be extended to the broader context of the general surveillance account, which is also based on the idea of preventing total surveillance. It is the responsibility of the state to coordinate all surveillance powers in order not to exceed the permissible level of surveillance in a society. As previously stated, this requires not only a normative analysis but also a quantitative analysis of the exercise of surveillance powers. Currently, this coordinative duty cannot be fulfilled with the available empirical data.
It is the shared responsibility of the legislator and law enforcement authorities to ensure compliance with constitutional requirements. Consequently, the legislator should introduce more reporting obligations for the exercise of surveillance powers and security authorities should – proactively – improve their internal monitoring of the exercise of competencies. Based on such a solid empirical foundation, a complete general surveillance account becomes possible.