Data retention puts the entire population of a country under general suspicion. Law-abiding citizens often believe that data retention is not a problem for them because they have nothing to hide. The problem, however, is that they are living in a free and open democracy.
Let me explain this with what we in Germany call the Corona-paradox: Because measures to curtail the virus in Germany have been very successful, many people believe that masks are not necessary anymore.
It is the same with data retention: Because we live in a free and open democracy, we believe that no harm will come to us even if the government was able to get access to our entire online communication, to every website we visit, to our location profile, and more.
Both assumptions are fundamentally wrong. While the first one is rather obvious - curtailing the virus was so successful because most people in Germany are wearing a mask - the second one has multiple facets:
First, you never know if the country remains a democracy and you can never know if the data collected today might harm you tomorrow. The dangers of an overly knowing government were demonstrated twice in German history with the Gestapo in World War II and the Stasi in the GDR.
Second, putting the entire population under general suscpicion and neglecting their fundamental right to privacy can never be declared a proportionate measure to combat crime. That's also the position of the Federal Constitutional Court and the European Court of Justice.
Third, a general surveillance like data retention is not necessary to help the police increase the number of crimes solved. Other measures, like specialized IT task forces, more and better educated officers, and more is needed.
What is data retention
Data retention is a criminal policy instrument that obliges providers of publicly available electronic communications services or of a public communications network to make available certain data collected by them for the purpose of establishing, structuring the content of, modifying or terminating a contractual relationship for telecommunications services for the purpose of investigating, detecting and prosecuting criminal offenses. In doing so, the desired storage period goes well beyond the duration permitted for purely contractual purposes and is not prompted by contractual purposes such as the billing of fees or the creation of an itemized bill at the request of the customer or by a specific suspicion of a crime. Therefore, the data of all contractual partners of the provider are stored "on reserve" without any reason. (Source wikipedia)
Why authorities want data retention
Most of the times, the authorities argue that they need data retention to fight against crimes such as terrorism and to protect children as this cartoon illustrates:
They say data retention is necessary due to the drastic increase of online usage and online communication. This would make the work of the authorities to fight terrorism and organized crime much more complicated.
History of data retention in Germany
German governments have tried to pass a data retention law multiple times. But each time, lawmakers failed because the Federal Constitutional Court declared general data retention without probable cause as unconstitutional. The court argued that the right to privacy is protected by the German constitution. Thus, it is not allowed to store personal communications' data of all citizens.
Similarly, the European Court of Justice declared the European Directive 2006/24/EC for data retention as invalid. At that time the court argued that a general surveillance of the public would violate fundamental rights.
Despite having failed multiple times, the German government is now once again thinking about passing a data retention law.
The civil rights organization Digitalcourage has already started to fight this move: "In democracies and constitutional states, there are no legitimate arguments for monitoring the entire population without cause," the organization writes. Exceptions for secret services which, according to the logic of the government's plea, are not bound by fundamental rights are downright dangerous.
Criticism of data retention
Data retention won't increase security
The most obvious reason why data retention is not necessary is actually a study done by the German Federal Office of Criminal Investigation, the very organization in Germany that wants data retention the most. According to the study, the clarification rate with data retention was only 0.006% higher than without data retention.
This low percentage of additionally solved cases does not justify the surveillance of more than 80 million innocent people.
In addition, we must also keep in mind that data retention of IP addresses, for example, becomes pointless when criminals cover their tracks by hiding their IP addresses or by using the darknet.
Protect the children
The recent debate about a new data retention law was sparked by some high profile cases against pedophiles in Germany. Everyone wants these criminals to be prosecuted.
However, the assumption that data retention would limit the presence of network pedophile data is simply naive due to the existence of technical circumvention possibilities as well as the fact that most of the perpetrators operate in far-away countries.
In contrast, the loss of the digital civil liberty caused by data retention - which the Federal Constitutional Court and the European Court of Justice have already declared unconstitutional - would mean the total surveillance of all online communication without exception, including messaging services, calls, and video calls as well as the creation of motion profiles and website visits.
In addition to prosecutors, the collected data needs to be stored at the communication service providers. This also leaves the data vulnerable to abusive access by malicious attackers or corrupted employees.
This is a risk no government should force its citizens to take.
Eight myths about data retention
Thomas Stadler, lawyer, specializing in IT legislation, has summarized eight myths about data retention. The whole blog post is a must-read for anyone whether you are in favor of or in opposition to data retention. Here is the most important myth about data retention in Germany:
A constitutionally compliant new regulation of data retention would be easily possible.
While officials argue that it would be considerably easy to pass a data retention law that is in line with the German constitution, the ruling by the Federal Constitutional Court is requiring a lot for a data retention law to be acceptable:
The law must include ambitious and clear regulations with regard to data security, data use, transparency and legal protection. The European Constitutional Court (ECJ) goes even further by explaining why the European data retention directive is disproportionate. Since the ECJ does not explain the requirements for a regulation in conformity with fundamental rights, it seems impossible to pass a data retention law in a legally secure manner.
So while most European countries do have data retention laws, Germany at the moment is the only country that complies with European law by not having a data retention law.
Another recent ruling by the European Court of Justice shows the significance of the right to privacy. Consequently, it must be expected that a new data retention law will have very little chances of being accepted by the European court.
Call for freedom laws
The civil rights organization Digitalcourage also summarizes everything that is wrong with data retention:
"For decades, the pressure to monitor has been increasing against the population living in compliance with the law. For people, it makes no difference whether it is state or private surveillance or a mixture. The surveillance pressure is already too high. Freedom laws are necessary."
Any form of data collection - whether initiated by private companies or required by the government - puts people at risk. Their data, easily available to prosecutors, can make them a suspect as this article explains: Using Google's location tracking can put innocents in jail.
This reverses the logic of law enforcement: Prosecutors do not have to prove that you have done a crime; but when your smartphone has been detected near a crime scene, you have to prove that you are innocent.