The global privacy advocacy group Privacy International has found that 21 European Union members continue to retain personal data despite going against both their own and EU legal mandates.
The group's research uncovered that Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, France, Germany, Hungary, Ireland, Italy, Luxembourg, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the United Kingdom continue hold an illegal level of personal information, which goes against the Court of Justice of the European Union's (CJEU) ruling in the Tele-2/ Watsoncase.
“The Report concludes that all EU member States surveyed are not in compliance with the Tele-2/Watson decision. The report further notes that in many EU member States legislation is not even in conformity with the earlier Digital Rights Ireland decision,” the report stated, adding this is the situation eight months after the Tele-2/Watson ruling.
In Tele-2/Watson the CJEU found that traffic and location data can allow for precise information to be drawn concerning people's lives, including, where they live, work, their daily movements and activities. Having information retained by a group that could be used to discover such intimate personal details should only be done when that organisation is fighting serious crime, the CJEU ruled.
The group also took exception to the fact that most of the changes taking place in these counties that worked to enforce the CJEU rulings did not come from the governments, but from outside organisations.
“Change is being promoted through litigation by human rights NGOs instead of through proactive reform of the laws by Parliament,” it wrote.
Privacy International made several recommendations based on the report:
· All EU member States should review their legislation and, if necessary, amend it to comply with European standards, including the CJEU jurisprudence;
· Telecommunications and other companies subject to data retention obligations should challenge existing data retention legislation which are not compliant with European standards, including the CJEU jurisprudence;
· The European Commission should provide guidance on reviewing national data retention laws to ensure its conformity with fundamental rights, as interpreted by the CJEU