
This document is part of the request “Request for documents on the development of a data matrix for data retention”

Brussels, 19 October 2018

WK 12538/2018 INIT

LIMITE

COPEN CYBER DAPIX ENFOPOL JAI

WORKING PAPER

This is a paper intended for a specific community of recipients. Handling and further distribution are under the sole responsibility of community members.

WORKING DOCUMENT

From: Presidency
To: Delegations
Subject: Data retention

Delegations will find in Annex the text of the State of play on the discussions in the DAPIX Friends of Presidency - Data retention as amended after the working party meeting of 8 October 2018. Changes to document WK 11315/2018 INIT are indicated in italics underlined or italics strikethrough.

WK 12538/2018 INIT JAI.2 VH/np LIMITE EN

ANNEX

I. Introduction

A common reflection process on data retention for the purposes of prevention and prosecution of crime in the light of ECJ judgements Digital Rights Ireland and Tele 2 was launched under the MT Presidency and was continued by the EE and the BG Presidency. The December 2017 Justice and Home Affairs Council decided to focus on three main elements for the future work: ensuring availability of data (coherence with the draft e-Privacy Regulation); setting access safeguards; and restricting the scope of the data retention framework in view of the recent jurisprudence [1].

As far as coherence with the draft e-Privacy Regulation is concerned, the reform of the e-Privacy framework is relevant in the context of the data retention debate. To this end, DAPIX FoP Data retention held joint sessions with the Telecom working party on 12 February and 17 May 2018. In this regard, the need to maintain flexibility within the new e-Privacy Regulation has been recognized as a crucial element in order to allow future developments either through the case-law of the ECJ, or through legislative reforms at national or European level.

To further substantiate the concept of restricted data retention (first level of interference) certain issues such as limiting the data categories, limiting the data retention periods, storage in the territory of the Union and storage in an encrypted fashion/pseudonymisation were specified in the report to the Council for further exploration. Concerning the concept of targeted access to retained data (second level of interference), various suggestions for substantive and procedural legal requirements were made.

As a preliminary observation, it is the common understanding of the Member States that the findings of the ECJ in Digital Rights and Tele 2 do not apply to subscriber data, but only to traffic and location data.

[1] 14480/1/17.

The BG Presidency started discussions in the DAPIX FoP Data retention working group on interference level 1 (restricted data retention). On 18 April Europol debriefed about the findings from the data matrix workshop and delegations discussed the possible follow-up. They also explored the concept of renewable retention warrants. On 17 May discussions on the data retention periods were started, which were continued under the AT Presidency on 10 July. With this, the examination of the elements on interference level 1 was completed.

On 11 September, the working group examined the substantive and procedural legal requirements, which completed the discussions on interference level 2 (targeted access to retained data).

In this document, the AT Presidency provides a state of play of the discussions in DAPIX FoP Data retention, including the written contributions, on interference levels 1 and 2, alongside the most relevant passages from the jurisprudence of the ECJ in Digital Rights and Tele 2.

II. Level 1 interference: restricted data retention

In Tele 2 the ECJ states: “(…) Article 15(1) of Directive 2002/58, read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter, does not prevent a Member State from adopting legislation permitting, as a preventive measure, the targeted retention of traffic and location data, for the purpose of fighting serious crime, provided that the retention of data is limited, with respect to the categories of data to be retained, the means of communication affected, the persons concerned and the retention period adopted, to what is strictly necessary.” [2]

The following paragraphs look at different options for restricted data retention (interference level 1):

[2] Tele 2, para 108.

1. Limiting data categories – works on a “data matrix” coordinated by Europol

The concept of limiting data categories seeks to explore whether data, which is not strictly or objectively necessary for the purposes of the prevention and prosecution of crime and safeguarding public security, can a priori be excluded from a data retention framework. As a means to limit data categories, works on a “data matrix” were undertaken. To this end, Europol was encouraged by the Council to facilitate preparatory works for such data matrix at technical level in close cooperation with experts from the Member States, with a view to further examination in DAPIX-FoP [3].

Two workshops with national cybercrime experts and investigators took place at Europol headquarters in The Hague in March and May 2018. An important finding of the workshops was that the relevant ETSI-standards, which serve as a basis for the discussions, have already “filtered” the data sets that are technically available. This means that data categories, which are not deemed necessary for the investigation and prosecution of crime, have already been excluded from the list beforehand. As a result the experts considered that only very few additional data categories could be excluded from the list as not being necessary for the investigation and prosecution of crime. This is also due to the fact that different crime investigations and investigative techniques require different data categories to be used across Member States. These findings were, among others, summed up by Europol in two documents and presented to the DAPIX FoP Data retention group [4].

Therefore, as far as the issue of limiting data categories is concerned, it can be concluded that it would be very difficult, if not impossible, to further exclude a notable number of data categories from storage in advance. The reason for this is that the relevant ETSI standards have already “filtered” the broader data sets that are technically available, because they have been specifically developed for law enforcement purposes. A further reduction of categories of retained data would therefore be detrimental for the effectiveness of law enforcement investigations. Furthermore, different crime investigations and investigative techniques in the Member States require different data categories. As those data categories which are not necessary for law enforcement purposes are already excluded, there is no general and indiscriminate retention of data as referred to in the Tele 2 judgment of the ECJ.

[3] 14480/1/17 REV 1.
[4] For further details see documents: WK 4507/2018 INIT (Outcome 1. Workshop), WK 5900/2018 INIT (Outcome 2. Workshop).

2. Renewable retention warrants (RRW)

In working paper WK 3974/2018 INIT the BG Presidency presented the concept of renewable retention warrants (RRW). Although the ECJ had not raised this issue in its rulings, it was considered worthwhile to explore this concept. For the purpose of the discussion an RRW was defined as a “warrant issued by a competent national authority addressed to (an) electronic service provider(s) (ESPs) operating in the territory of a Member State requesting the provider to retain (certain categories of) data which is valid for a specific period of time during which it can be renewed if it fulfils the specific conditions prescribed by national law for its renewal, including that its proportionality and necessity are justified by a prior and confirmed by a subsequent threat assessment.” [5]

Hence, an RRW would limit the amount of data retained because of its fixed time period of validity, its limitation to certain ESPs (e.g. by not including minor ESPs) and the possibility to limit the scope of the RRW to certain data categories only. Moreover, the need for renewal of the RRW after the expiry of the time period and other procedural safeguards would ensure a regular review of the measure.

However, in the discussion in the DAPIX FoP Data retention meeting on 18 April 2018, the vast majority of Member States expressed reluctance about accepting the idea of RRWs to limit the amount of data retained [6]. Only one Member State, which uses a similar system, expressed support for the idea. The main arguments of the Member States opposing the RRWs were that the concept was deemed to be too complex and inefficient and that it would not at all fit into their national criminal law systems, in particular their laws on criminal procedure.

Given the reluctant view of most Member States towards RRWs and the fact that the concept was not brought up by the ECJ anyway, further exploration does not seem appropriate.

[5] WK 3974/2018 INIT, page 1.
[6] Reluctance towards the concept had also already been expressed in the meeting on 6 November 2017, when the concept of RRW was, alongside many other suggestions for future work, brought up by the EE Presidency in doc. 13845/17.

3. Limited storage periods

3.1. Length of the retention period

At the meeting on 17 May 2018, the BG Presidency asked delegations to give information about the length of the retention periods in their Member States. While the periods proved to go from a few weeks to three years, in the majority of Member States (where there is a data retention regime in place) the retention period is either six or 12 months.

In the meeting on 10 July 2018, the AT Presidency asked those Member States, where the national data retention regime had been challenged before the Constitutional Court or another court of last instance, to give information about the rulings with special regard to the retention periods. It was found that in all but one Member State that commented on this issue, and no matter whether the data retention regime was upheld or declared invalid by the relevant national court, the length of the retention periods was not a central issue in the courts’ considerations or even an issue at all. Only in one Member State, following the proceedings before the national Constitutional Court, the retention period was reduced from 12 to six months, while in another Member State the retention period was reduced following a suggestion of its national constitutional committee.

Considerations of the ECJ in Tele 2 concerning the length of the retention periods are scarce too, as they are limited to the statement that the retention period adopted has to be limited to what is strictly necessary [7]. Several Member States emphasized that in their view a retention period of at least 12 months would be absolutely necessary for the purpose of effective law enforcement.

Therefore, it can be concluded that the length of the retention period seems to be a less critical issue in the context of the jurisprudence of the ECJ, although it is of key importance that data are available for law enforcement purposes for an appropriate period of time.

[7] Tele 2, para 108.

3.2. Differentiation between data categories on retention level

In the meeting on 10 July 2018, the AT Presidency asked delegations whether in their national system different retention periods would apply to different data categories. In response, the majority of Member States indicated not to apply a differentiation between different data categories at the retention level, while only a few Member States answered that their national legislation provides for a differentiation, or will provide for a differentiation in the future.

The ECJ does not provide an explicit statement about different retention periods for different kinds of data categories, but only mentions the possibility to differentiate between different categories of data [8]. It does not necessarily follow, therefore, that the differentiation has to relate to a different length of time periods for different data categories. Another option than differentiating between data categories at the retention level would be to have different periods at the access level (see below).

3.3. Erasure of data at the end of the retention period

In Digital Rights the ECJ criticizes that “Directive 2006/24 [data retention directive, declared invalid with Digital Rights judgement] does not ensure the irreversible destruction of the data at the end of the data retention period.” [9] Therefore, a concrete rule on the erasure of data at the end of the retention period seems to be necessary in a data retention regime.

In the meeting on 10 July 2018 all Member States participating in the discussion outlined that they do have specific rules for the erasure (or in some cases pseudonymisation) of data at the end of the retention period. In addition, a number of Member States reported that storage of the data after the expiry of the obligatory retention period in their national legislation is lawful if it is necessary for the providers’ business purposes. Law enforcement authorities can access such data as long as the respective rules of criminal procedure are complied with.

[8] See footnote 2 (Tele 2, para 108).
[9] See also Tele 2, para 122.

4. Requirements for data security – storage in the territory of the Union and storage in encrypted fashion/pseudonymisation

4.1. Data storage in the territory of the European Union

In Tele 2 the ECJ states that “[g]iven the quantity of retained data, the sensitivity of that data and the risk of unlawful access to it, the providers of electronic communications services must, in order to ensure the full integrity and confidentiality of that data, guarantee a particularly high level of protection and security by means of appropriate technical and organisational measures. In particular, the national legislation must make provision for the data to be retained within the European Union and for the irreversible destruction of the data at the end of the data retention period.” [10]

In the meeting on 10 July 2018 (Working paper WK 7875/2018 INIT) the AT Presidency asked the Member States whether their national data retention systems provided for mandatory data storage in the territory of the European Union. Of those Member States who contributed to the discussion, a slight majority of delegations reported that storage within the EU (or EEA in one case) was compulsory. In half of these cases, data even has to be stored within the Member State itself. Among the Member States without a legal obligation to store data within the EU, some expressed their concerns about such an obligation, as it might lead to a different treatment of domestic and foreign providers.

Hence, Member States' positions and national data retention systems concerning the mandatory storage of retained data within the EU vary.

4.2. Data storage in encrypted fashion/pseudonymisation

The suggestion to store retained data in encrypted fashion or to protect them through pseudonymisation does not stem from Digital Rights or Tele 2 directly, but was one of the suggestions for discussion by the EE Presidency, to fulfil the ECJ's requirement to provide minimum security safeguards [11].

[10] Tele 2, para 122.
[11] See WK 13845/17, page 6.

In the discussions on 10 July 2018 only a very small number of Member States stated that they had experience with data security measures such as storage in an encrypted fashion or pseudonymisation. The majority of Member States contributing to the discussion expressed that their national legislation does not provide for detailed or descriptive security measures. Some of them added they had a critical view of them, while others mentioned they have already evaluated measures such as encryption or pseudonymisation of stored data or are currently in the process of evaluation.

Furthermore, when answering a more general question about technical measures to protect data, most Member States stated that their national laws on data retention do not contain specific rules about the safe storage of data, but that general rules are applied, in some Member States leaving it to the discretion of providers to put adequate data security measures in place. Only a small number of Member States indicated that there are specific requirements in their laws and/or technical regulations concerning the safe storage of data in their national data retention system.

Taking into consideration the critical view of many Member States, the fact that the ECJ does not explicitly mention data storage in an encrypted fashion or pseudonymisation [12] (as well as the fact that the issue of data security is, in general, a current and important topic for Member States), data storage in encrypted fashion/pseudonymisation does not seem to be an issue of first priority when exploring specific requirements for a data retention regime.

4.3. Review of safeguards against misuse of the data by an independent authority

The need for review of compliance with data protection safeguards by an independent authority is explicitly mentioned by the ECJ in Tele 2 [13].

In the discussion on 10 July 2018 all participating Member States stated that a national authority has the power to review the safeguards of the providers in relation to data retention. Some Member States explicitly supported the statement that such a review of safeguards by an independent authority could be used as an argument to defend national legislation on data retention.

A data retention regime in accordance with Union law should therefore contain a provision for review of compliance with safeguards by a national independent authority.

[12] The ECJ only refers to security measures in general terms as an indispensable requirement for a future data retention regime, Tele 2, para 122.
[13] Tele 2, para 123.

III. Level II Interference: Access Level

In Digital Rights, the ECJ states as follows: “… not only is there a general absence of limits in Directive 2006/24 but Directive 2006/24 also fails to lay down any objective criterion by which to determine the limits of the access of the competent national authorities to the data and their subsequent use for the purposes of prevention, detection or criminal prosecutions concerning offences that, in view of the extent and seriousness of the interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter, may be considered to be sufficiently serious to justify such an interference. On the contrary, Directive 2006/24 simply refers, in Article 1(1), in a general manner to serious crime, as defined by each Member State in its national law.” [14]

However, specific answers to the question whether any distinction has to be made between the different categories of data, were not given by the ECJ.

1. Differentiation between data categories at access level

Opinions about the technical feasibility of a differentiation at the access level and its value to fulfil the requirements of the ECJ for a data retention regime were manifold. Some Member States were in favour of different access periods and deemed them to be technically feasible, while other Member States opposed this idea for a variety of reasons. In particular, a distinction between the different categories at the access level was considered to be too costly and technically complex.

2. Substantive legal requirements for access to retained data

The discussion looked at different aspects, elements and options concerning the substantive legal requirements for access to and use of retained data. One of the main issues raised by the ECJ in the Digital Rights and Tele 2 judgements was the lack of objective rules and criteria, determining the crimes in respect of which data can be accessed and subsequently used for the purpose of prevention, investigation, detection or prosecution of crimes. [15] In the course of the general discussion, Member States clearly emphasised the distinction between crime types as well as their seriousness as major aspects.

[14] Digital Rights, para 60.
[15] See above, Digital Rights, para 60.
