26 November 2024

Eyes Everywhere

The Proliferation of Public and Private Surveillance under the EU Charter

Ten years after its groundbreaking judgment declaring the Data Retention Directive incompatible with Articles 7 and 8 of the EU Charter of Fundamental Rights, the Full Court significantly eased its previous strict requirements. On 30 April 2024, it issued La Quadrature Du Net II and declared for the first time the general and indiscriminate retention of IP addresses permissible for the purpose of fighting general crime. The Court assumed the need for such retention measures to prevent systemic impunity for crimes committed online. However, the more data is collected online, the more detailed the virtual profiles of individuals become. This raises fundamental questions about online privacy: Are citizens becoming transparent to government agencies in an age of massive private data collection? Must the surveillance enterprise be understood as a public-private partnership, encompassing all areas of human life, and does the EU Charter provide sufficient safeguards to protect the people?

Given the CJEU’s fundamental change of heart, we have brought together a range of scholars and practitioners from Europe and beyond with different disciplinary backgrounds to contextualise the said judgment and to situate it within a broader debate on mass data retention, online surveillance, and anonymity, highlighting the interaction between private and public actors. Moreover, the present symposium discusses the impact of the judgment on fundamental rights under the EU Charter, while also highlighting the state of online surveillance facilitated by the mass storage of private data.

The contributions offer varying perspectives on data retention measures and normative assessments of the Court’s ruling. Some authors emphasize the need for enhanced online law enforcement tools, while others critically highlight how the unprecedented amounts of data, collected by private corporations for commercial purposes, serve as a source of information in criminal proceedings.

The politics of mass data retention

The symposium starts with an exchange between Joachim Herrmann, the Bavarian Minister of the Interior, and me, Erik Tuchtfeld, on the politics of mass data retention. Herrmann calls for the introduction of mass data retention of IP addresses in Germany to effectively protect victims of hate speech and violence. He highlights that the Internet has become a stage for serious crimes – from the exchange of child sexual abuse material to the widespread dissemination of hate speech – which has been recognized by the European Court of Justice, eventually reducing the intensity of its judicial review. In Herrmann’s view, this is a welcoming development, as it is primarily the task of the democratic legislator to balance conflicting fundamental rights and decide on the proportionality of legislative measures.

In my replica, I emphasize that it is a main feature of the rule of law that such a balancing can only take place within the framework defined by constitutions. It is the core task of constitutional courts to assess the proportionality of a measure in question. Since the amount of personal data generated by individuals and stored by private and public institutions has never been larger, I challenge Herrmann’s finding that the storage of citizens’ data must be increased. Instead, targeted measures against suspects should be deployed, which would be sufficient to enhance law enforcement online.

La Quadrature du Net II – revolution or evolution?

The second cluster of contributions analyzes the judgement La Quadrature Du Net II in details. Lukas Martin Landerer reads the Decision through the lens of the CJEU’s role as motor of integration. While the more recent judgements on data retention have been criticized as weakening the fundamental rights protection of European citizen, Landerer points out that this was the only chance for the Court – already facing threats of ultra vires proceedings – to avoid an escalation of the tensions with Member States. In this context, particularly France and Belgium stand out as two Member States relying heavily on data retention, so that the exceptional permission to store data was effectively turned into the rule.

It is the lack of clarity in Union law as well as in the ECJ’s jurisprudence which causes a constant struggle between the Member States and the Court, Aqilah Sandhu argues. She reads the never-ending data retention saga as a failure of the EU legislator, as it did not manage to re-draft a clear and unambiguous legal basis for data retention in the EU.

Ana Bobic also reflects on the judgement’s significance for European integration. She argues that the Court increases the Member States’ margins for national solutions, and, as a consequence, reduces the protection of individuals and their rights. In her opinion, this constitutes a general normative shift in European Union law, also shown in budgetary, asylum, and migration policy.

Marcin Rojszczak reconstructs the ten-year-old history of the CJEU’s jurisprudence on mass data retention and concludes that this year’s Decision complements the existing line of jurisprudence. However, he laments the lack of depth in the Court’s explanation of the relationship between the collection and processing of low-sensitivity data and their subsequent use by state authorities. This gap, he predicts, will lead to more rulings on the matter in the future.

A more critical approach is taken by Elif Mendos Kuşkonmaz. In her opinion, the Court’s findings cement intrusive practices stemming from the fight against counterterrorism as regular state practice for all kinds of crime. In her analysis of the proportionality of general data retention schemes, she highlights the zero-risk imperative which drives current approaches. In consequence, everyone is treated like a suspect and must be monitored. With regard to data transfers in third countries outside the EU, she argues that the increasingly lower level of protection of fundamental rights in the Union must also be taken into consideration when evaluating the adequacy of foreign data protection regimes, such as the UK’s.

Giulia Formici describes the Italian data retention regime, which for a long time remained unimpressed by the CJEU’s judgements. Most recently, however, also the Italian legislation, in particular with its broad interpretation of “serious crimes” justifying data retention, came under the scrutiny of the CJEU. In her opinion, the increasing tension between Member States and the CJEU in its attempt to constitutionalize mass surveillance practices should be resolved by the European legislator. While this doesn’t necessarily mean that all national data retention regimes must be harmonized, a concrete set of shared basic principles and safeguards could help Member States to navigate through the complex requirements set out in the Court’s caselaw.

Chiara Graziani analyses the different legal regimes in Europe and the United States and warns that a lowering of privacy standards might be dictated by sheer economic power. In particular, she emphasizes the possibilities of the US government to access the private data pools of US-based Big Tech companies, even when they store their data on European soil, and the lack of judicial control mechanisms to limit such data access.

Privacy in times of surveillance capitalism

The third cluster deals with collection of personal data by private corporations, often prominently dubbed as “surveillance capitalism” (Zuboff), and the access that law enforcement authorities enjoy to these data pools. André Bartsch, Johanna Fink, Jakob Mutter, Marc Bovermann, and Isabelle Weiss jointly call for more attention to these private data collections when assessing the extent of government surveillance. To this end, they propose a “general surveillance account” (Überwachungsgesamtrechnung) covering the access of law enforcement agencies to private data pools. Such a “general surveillance account” must not only include a normative analysis of the surveillance measures but needs to be based on a solid empirical foundation. Thus, more reporting obligations for law enforcement agencies are needed.

This process of a weaponization of surveillance is also emphasized by Thomas Christian Bächle, who describes how techniques of datafication, profiling, targeting and recommending, which were developed by social media platforms to display ads to potential customers, are used by private-public cyberintelligence services to identify combatants and terrorists. Furthermore, he describes how the object of surveillance has expanded in recent times, shifting away from the mere description of what people do to the prediction of what they will do based on probabilities linked to their profiles. To this end, modern technologies analyse voices, gestures, and facial expressions to understand the inside of an individual’s mind. If such technologies were to be implemented on a large scale, Bächle concludes, the criminal law of the future might punish the mere thought of committing an illegal act as a violation of the law.

Anonymity in the digital world

To diminish the effects of constant surveillance in the digital realm, many people disguise their civil identity. Sarah Stummer underlines the importance of anonymity for many internet users according to recent surveys and explains its relative character. While an individual might be anonymous in relation to other internet users, it can still be identifiable for law enforcement authorities. A right to anonymity, independent of its concrete legal construction, is not absolute, but only granted within certain limits. In her opinion, the ECJ’s latest Decision considers this, allowing law enforcement to identify internet users and effectively protect victims of online crime.

In this week’s editorial, we will converse with Sabine Leutheusser-Schnarrenberger, who was, inter alia, Federal Minister of Justice and member of the Bavarian Constitutional Court. We shed some light on the relationship of means and ends, and how they relate over time, when it comes to surveillance.

No conclusion, but some thoughts on an ongoing debate

The debate on data retention has remained as lively as ever over the past 20 years. In this symposium, we move beyond the technical details of the ECJ’s La Quadrature du Net II Decision to situate it within a broader discussion on anonymity and surveillance, European unity and the EU’s boundaries, and the public obligation to store data in an era of constant commercial tracking.

The question of how and when the retention of personal data without any concrete suspicion is legitimate remains at the core of current domestic security policy. This year alone, the ECJ issued the La Quadrature du Net II Decision on the retention of communication metadata, the ECtHR ruled in Podchasov on access to the content of communications, and the German parliament voted in favor of biometric surveillance of the Internet. The latter is a measure that requires the creation of large databases containing all personal images available online.

This highlights how the current debate extends from IP address retention to biometric databases, gaining new momentum with the rise of AI applications. These technologies promise to sift through vast data collections, analyzing and systematizing data points to capture and interpret the often unpredictable and erratic nature of human behavior.

In times when the legislators’ judgment is clouded by fears of potential dangers, it is up to the courts – most notably the ECJ – to keep an eye on the bigger picture and protect the civil and political freedoms enshrined in the Union’s Charter.