New Data Security Requirements and the Proceduralization of Mass Surveillance Law after the European Data Retention Case

Amsterdam Law School Research Paper No. 2015-41

Institute for Information Law Research Paper No. 2015-03

40 Pages. Posted: 23 Oct 2015

Frederik Zuiderveen Borgesius

University of Amsterdam - IViR Institute for Information Law (IViR)

Axel Arnbak

University of Amsterdam - Institute for Information Law (IViR); Harvard University - Berkman Klein Center for Internet & Society

Date Written: October 23, 2015

Abstract

This paper discusses the regulation of mass metadata surveillance in Europe through the lens of the landmark judgment in which the Court of Justice of the European Union struck down the Data Retention Directive. The controversial directive obliged telecom and Internet access providers in Europe to retain metadata of all their customers for intelligence and law enforcement purposes, for a period of up to two years. In the ruling, the Court declared the directive in violation of the human rights to privacy and data protection. The Court also confirmed that the mere collection of metadata interferes with the human right to privacy. In addition, the Court developed three new criteria for assessing the level of data security required from a human rights perspective: security measures should take into account the risk of unlawful access to data, and the data’s quantity and sensitivity. While organizations that campaigned against the directive have welcomed the ruling, we warn of the risk of proceduralization of mass surveillance law. The Court did not fully condemn mass surveillance that relies on metadata, but left open the possibility of mass surveillance if policymakers lay down sufficient procedural safeguards. Such proceduralization brings systematic risks for human rights. Government agencies, with ample resources, can design complicated systems of procedural oversight for mass surveillance – and claim that mass surveillance is lawful, even if it affects millions of innocent people.

Keywords: surveillance, privacy, GCHQ, NSA, Snowden, data retention, data protection, traffic data, metadata, security

JEL Classification: K00, K4, K12, K14, K33, K42, D10, D11, D20, D30, D40, D60, D70, L00, L11, L20, L51

Suggested Citation

Zuiderveen Borgesius, Frederik and Arnbak, Axel, New Data Security Requirements and the Proceduralization of Mass Surveillance Law after the European Data Retention Case (October 23, 2015). Amsterdam Law School Research Paper No. 2015-41. Available at SSRN: https://ssrn.com/abstract=2678860 or http://dx.doi.org/10.2139/ssrn.2678860

Frederik Zuiderveen Borgesius (Contact Author)

University of Amsterdam - IViR Institute for Information Law (IViR)

Amsterdam
Netherlands

HOME PAGE: http://www.ivir.nl/employee/zuiderveen-borgesius/

Axel Arnbak

University of Amsterdam - Institute for Information Law (IViR)

Kloveniersburgwal 48
Amsterdam, 1012 CX
Netherlands

HOME PAGE: http://www.ivir.nl/staff/arnbak.html

Harvard University - Berkman Klein Center for Internet & Society

23 Everett Street
Cambridge, MA 012138
United States
