EU courts ban indiscriminate metadata collection and retention

Over the past several years, data retention laws have become more and more popular in European countries. These require internet service providers, telecom companies, and online platforms to store metadata about their users, making it much easier for governments to implement mass surveillance.

On Oct. 6, the Court of Justice for the European Union (CJEU) put up a major obstacle to this growing practice. The court ruled that indiscriminate mass data retention schemes are illegal under EU law. While its interpretation still leaves open some critical loopholes, overall, it is a step toward protecting the right to privacy on a global scale.

The ruling is also a potential watershed moment for another country that is not even subject to the CJEU’s jurisdiction: Switzerland.

As a proudly Swiss company, we benefit from a wide variety of privacy protections, from a legal framework that recognizes personal privacy as a deeply rooted norm to a political neutrality that rejects most foreign influence. However, there is one area where we have expressed grave concerns.

Switzerland is one of those European countries that has a data retention law, a requirement that does not apply to Proton Mail. Still, this is disappointing for a country that otherwise places such an emphasis on human rights, and specifically the right to privacy. This ruling places pressure on Switzerland to do away with indiscriminate data retention — or risk its reputation as a jurisdiction with strong privacy protections.

What this ruling is about

The CJEU’s ruling was actually a collection of three judgments against the British, French, and Belgian intelligence services, saying that, except under specific circumstances, EU law applies every time a national government forces telecommunications providers to process data, including when it is done in the name of national security. 

The UK intelligence services required private corporations to deliver communications metadata to them in bulk, while Belgian and French intelligence services required companies to hold on to massive amounts of data indiscriminately for set periods of time. No matter how it is implemented, bulk data collection and retention always facilitates mass surveillance and opens the door for abuses of privacy.

The ruling is not perfect. For example, the court allowed data retention when there is an imminent and serious threat to “national security,” a vague criterion that easily could be abused. Also, the French and Belgian judgments set different standards for some types of metadata, like IP addresses used to access a website and subscriber data. 

Still, the fact that this ruling will severely limit how much metadata intelligence services can indiscriminately collect and retain is something to celebrate.

Switzerland’s data retention laws must keep up with the EU  

Similar to the UK, France, and Belgium, Switzerland requires telecom providers of “significant economic importance” to retain communication metadata for six months. In this case, metadata can include traffic data, subscriber data, who sent the message, and who received the message. Although access to such data is subordinated to the authorization of a court for specific criminal cases, the mere retention of this data is problematic. Proton Mail is not and has never been subject to this obligation, but the fact that it exists in Switzerland is concerning. 

Switzerland is not a member of the EU and is not bound by CJEU rulings. However, a case was brought to the European Court on Human Rights (ECHR) by a Swiss privacy organization in 2018 (link is in German) to review the legality of Switzerland’s metadata retention legislation. Switzerland is a signatory to the European Convention on Human Rights and must respect the rulings of the ECHR, which is usually in lockstep with the CJEU. Often, CJEU rulings are considered to give insight as to which way the ECHR is leaning on a particular case or subject.

To be clear, Switzerland is currently an ideal home for Proton because it has many attractive privacy protections, which we explain in detail in our article about Proton and Switzerland. It is not a member of any 5 Eyes or 14 Eyes intelligence-sharing agreements, any data requests from a foreign government must first be approved by Swiss authorities before they can be executed, and there is no legislation that threatens encryption like in Australia. However, this ruling may represent a turning point for Switzerland, which can remain a standard-bearer for privacy, or start to fall behind.

How Proton’s privacy model protects your data

As you may know, all messages sent using Proton Mail are protected by zero-access encryption, which means we cannot decipher the contents of your messages no matter how long we retain them. However, because of the way email is designed, it is not possible to encrypt metadata, as without it we would not be able to deliver messages.

Every message that is sent contains metadata, which includes information such as the sender and the recipient, along with the time it was sent and other traffic data.  

This type of information can reveal a lot on its own, which is why we do not retain metadata, and, by default, we do not keep any IP logs that could link you to your account. The only way we could be compelled to share metadata is if we are ordered to by a Swiss court in relation to a criminal investigation under Swiss law. 

Users who have extra concerns about their messages being monitored via metadata can access Proton Mail using a no-logs VPN, like Proton VPN. This way, the IP log on the metadata will be that of the VPN server rather than your device.

This case points to a very important practical issue related to the right to privacy. While encryption and technical safeguards can dramatically improve privacy, there is not yet a technological silver bullet. (And this xkcd cartoon always applies.) Strong privacy often depends on strong privacy laws, which is why we have gone to great lengths to advocate for better legal protections around the world, from Boston to Hong Kong.

We welcome this latest ruling from the CJEU, and even though it may not make an immediate difference to the Swiss legislation, it is a step in the right direction. 

We call on Switzerland to live up to its principles and do away with the data retention requirement.

UPDATE April 22, 2021: Yesterday, on April 21, 2021, the French Council of State (the highest French court) refused to apply the CJEU’s judgment (link in French) in a case and has begun requiring the mandatory retention of metadata by French telecommunication providers. The Council of State’s ruling also made it easier for law enforcement to access this metadata by broadly expanding the definition of “national security” to include crimes like drug trafficking.

We are disappointed that France has undermined this reasonable and forward-looking decision from the CJEU. However, this does not affect Proton Mail. As a Swiss company, we are outside of French jurisdiction.

Today, the Belgian Constitutional Court made the opposite decision. It agreed with the CJEU’s ruling and ended Belgium’s metadata retention program (link in French). This decision will lead directly to better data privacy protection for everyone in Belgium.

You can get a free secure email account from Proton Mail here.

We also provide a free VPN service to protect your privacy. Proton Mail and Proton VPN are funded by community contributions. If you would like to support our development efforts, you can upgrade to a paid plan. Thank you for your support.

Feel free to share your feedback and questions with us via our official social media channels on Twitter and Reddit.
