EU courts ban indiscriminate metadata collection and retention

Over the past several years, data retention laws have become more and more popular in European countries. These require internet service providers, telecom companies, and online platforms to store metadata about their users, making it much easier for governments to implement mass surveillance.

On Oct. 6, the Court of Justice for the European Union (CJEU) put up a major obstacle to this growing practice. The court ruled that indiscriminate mass data retention schemes are illegal under EU law. While its interpretation still leaves open some critical loopholes, overall, it is a step toward protecting the right to privacy on a global scale.

The ruling is also a potential watershed moment for another country that is not even subject to the CJEU’s jurisdiction: Switzerland.

As a proudly Swiss company, we benefit from a wide variety of privacy protections, from a legal framework that recognizes personal privacy as a deeply rooted norm to a political neutrality that rejects most foreign influence. However, there is one area where we have expressed grave concerns.

Switzerland is one of those European countries that has a data retention law, a requirement that does not apply to Proton Mail. Still, this is disappointing for a country that otherwise places such an emphasis on human rights, and specifically the right to privacy. This ruling places pressure on Switzerland to do away with indiscriminate data retention — or risk its reputation as a jurisdiction with strong privacy protections.

What this ruling is about

The CJEU’s ruling was actually a collection of three judgments against the British, French, and Belgian intelligence services, saying that, except under specific circumstances, EU law applies every time a national government forces telecommunications providers to process data, including when it is done in the name of national security. 

The UK intelligence services required private corporations to deliver communications metadata to it in bulk, while Belgian and French intelligence services required companies to hold on to massive amounts of data indiscriminately for set periods of time. No matter how it is implemented, bulk data collection and retention always facilitate mass surveillance and open the door for abuses of privacy.

The ruling is not perfect. For example, the court allowed data retention when there is an imminent and serious threat to “national security,” a vague criterion that easily could be abused. Also, the French and Belgian judgments set different standards for some types of metadata, like IP addresses used to access a website and subscriber data. 

Still, the fact that this ruling will severely limit how much metadata intelligence services can indiscriminately collect and retain is something to celebrate.

Switzerland’s data retention laws must keep up with the EU  

Similar to the UK, France, and Belgium, Switzerland requires telecom providers of “significant economic importance” to retain communication metadata for six months. In this case, metadata can include traffic data, subscriber data, who sent the message, and who received the message. Although access to such data is subordinated to the authorization of a court for specific criminal cases, the mere retention of this data is problematic. Proton Mail is not and has never been subject to this obligation, but the fact that it exists in Switzerland is concerning. 

Switzerland is not a member of the EU and is not bound by CJEU rulings. However, a case was brought to the European Court on Human Rights (ECHR) by a Swiss privacy organization in 2018 (link is in German) to review the legality of Switzerland’s metadata retention legislation. Switzerland is a signatory to the European Convention on Human Rights and must respect the rulings of the ECHR, which is usually in lockstep with the CJEU. Often, CJEU rulings are considered to give insight as to which way the ECHR is leaning on a particular case or subject.

To be clear, Switzerland is currently an ideal home for Proton because it has many attractive privacy protections, which we explain in detail in our article about Proton and Switzerland. It is not a member of any 5 Eyes or 14 Eyes intelligence-sharing agreements, any data requests from a foreign government must first be approved by Swiss authorities before they can be executed, and there is no legislation that threatens encryption like in Australia. However, this ruling may represent a turning point for Switzerland, which can remain a standard-bearer for privacy, or start to fall behind.

How Proton’s privacy model protects your data

As you may know, all messages sent using Proton Mail are protected by zero-access encryption, which means we cannot decipher the contents of your messages no matter how long we retain them. However, because of the way email is designed, it is not possible to encrypt metadata, as without it we would not be able to deliver messages.

Every message that is sent contains metadata, which includes information such as the sender and the recipient, along with the time it was sent and other traffic data.  

This type of information can reveal a lot on its own, which is why we do not retain metadata, and, by default, we do not keep any IP logs that could link you to your account. The only way we could be compelled to share metadata is if we are ordered to by a Swiss court in relation to a criminal investigation under Swiss law. 

Users that have extra concerns about their messages being monitored via metadata can access Proton Mail using a no-logs VPN, like Proton VPN. This way, the IP log on the metadata will be that of the VPN server rather than your device.

This case points to a very important practical issue related to the right to privacy. While encryption and technical safeguards can dramatically improve privacy, there is not yet a technological silver bullet. (And this xkcd cartoon always applies.) Strong privacy often depends on strong privacy laws, which is why we have gone to great lengths to advocate for better legal protections around the world, from Boston to Hong Kong.

We welcome this latest ruling from the CJEU, and even though it may not make an immediate difference to the Swiss legislation, it is a step in the right direction. 

We call on Switzerland to live up to its principles and do away with the data retention requirement.

UPDATE April 22, 2021: Yesterday, on April 21, 2021, the French Council of State (the highest French court) refused to apply the CJEU’s judgment (link in French) in a case and has begun requiring the mandatory retention of metadata by French telecommunication providers. The Council of State’s ruling also made it easier for law enforcement to access this metadata by broadly expanding the definition of “national security” to include crimes like drug trafficking.

We are disappointed that France has undermined this reasonable and forward-looking decision from the CJEU. However, this does not affect Proton Mail. As a Swiss company, we are outside of French jurisdiction.

Today, the Belgian Constitutional Court made the opposite decision. It agreed with the CJEU’s ruling and ended Belgium’s metadata retention program (link in French). This decision will lead directly to better data privacy protection for everyone in Belgium.

Richie Koch

Prior to joining Proton, Richie spent several years working on tech solutions in the developing world. He joined the Proton team to advance the rights of online privacy and freedom.
