Over the past several years, data retention laws have become more and more popular in European countries. These require internet service providers, telecom companies, and online platforms to store metadata about their users, making it much easier for governments to implement mass surveillance.
On Oct. 6, the Court of Justice of the European Union (CJEU) put up a major obstacle to this growing practice. The court ruled that indiscriminate mass data retention schemes are illegal under EU law. While its interpretation still leaves open some critical loopholes, overall, it is a step toward protecting the right to privacy on a global scale.
The ruling is also a potential watershed moment for another country that is not even subject to the CJEU’s jurisdiction: Switzerland.
As a proudly Swiss company, we benefit from a wide variety of privacy protections, from a legal framework that recognizes personal privacy as a deeply rooted norm to a political neutrality that rejects most foreign influence. However, there is one area where we have expressed grave concerns.
Switzerland is one of those European countries that has a data retention law, a requirement that does not apply to ProtonMail. Still, this is disappointing for a country that otherwise places such an emphasis on human rights, and specifically the right to privacy. This ruling places pressure on Switzerland to do away with indiscriminate data retention — or risk its reputation as a jurisdiction with strong privacy protections.
What this ruling is about
The CJEU’s ruling was actually a collection of three judgments against the British, French, and Belgian intelligence services, saying that, except under specific circumstances, EU law applies every time a national government forces telecommunications providers to process data, including when it is done in the name of national security.
The UK intelligence services required private corporations to deliver communications metadata to them in bulk, while Belgian and French intelligence services required companies to hold on to massive amounts of data indiscriminately for set periods of time. No matter how it is implemented, bulk data collection and retention always facilitate mass surveillance and open the door for abuses of privacy.
The ruling is not perfect. For example, the court allowed data retention when there is an imminent and serious threat to “national security,” a vague criterion that easily could be abused. Also, the French and Belgian judgments set different standards for some types of metadata, like IP addresses used to access a website and subscriber data.
Still, the fact that this ruling will severely limit how much metadata intelligence services can indiscriminately collect and retain is something to celebrate.
Switzerland’s data retention laws must keep up with the EU
Similar to the UK, France, and Belgium, Switzerland requires telecom providers of “significant economic importance” to retain communication metadata for six months. In this case, metadata can include traffic data, subscriber data, who sent the message, and who received the message. Although access to such data is subject to court authorization for specific criminal cases, the mere retention of this data is problematic. ProtonMail is not and has never been subject to this obligation, but the fact that it exists in Switzerland is concerning.
Switzerland is not a member of the EU and is not bound by CJEU rulings. However, a case was brought to the European Court of Human Rights (ECHR) by a Swiss privacy organization in 2018 (link is in German) to review the legality of Switzerland’s metadata retention legislation. Switzerland is a signatory to the European Convention on Human Rights and must respect the rulings of the ECHR, which is usually in lockstep with the CJEU. Often, CJEU rulings are considered to give insight as to which way the ECHR is leaning on a particular case or subject.
To be clear, Switzerland is currently an ideal home for Proton because it has many attractive privacy protections, which we explain in detail in our article about Proton and Switzerland. It is not a member of any 5 Eyes or 14 Eyes intelligence-sharing agreements, any data requests from a foreign government must first be approved by Swiss authorities before they can be executed, and there is no legislation that threatens encryption like in Australia. However, this ruling may represent a turning point for Switzerland, which can remain a standard-bearer for privacy, or start to fall behind.
How Proton’s privacy model protects your data
As you may know, all messages sent using ProtonMail are protected by zero-access encryption, which means we cannot decipher the contents of your messages no matter how long we retain them. However, because of the way email is designed, it is not possible to encrypt metadata, as without it we would not be able to deliver messages.
Every message that is sent contains metadata, which includes information such as the sender and the recipient, along with the time it was sent and other traffic data.
This type of information can reveal a lot on its own, which is why we do not retain metadata, and, by default, we do not keep any IP logs that could link you to your account. The only way we could be compelled to share metadata is if we are ordered to by a Swiss court in relation to a criminal investigation under Swiss law.
Users who have extra concerns about their messages being monitored via metadata can access ProtonMail using a no-logs VPN, like ProtonVPN. This way, the IP address recorded in the metadata will be that of the VPN server rather than your device.
This case points to a very important practical issue related to the right to privacy. While encryption and technical safeguards can dramatically improve privacy, there is not yet a technological silver bullet. (And this xkcd cartoon always applies.) Strong privacy often depends on strong privacy laws, which is why we have gone to great lengths to advocate for better legal protections around the world, from Boston to Hong Kong.
We welcome this latest ruling from the CJEU, and even though it may not make an immediate difference to the Swiss legislation, it is a step in the right direction.
We call on Switzerland to live up to its principles and do away with the data retention requirement.
UPDATE April 22, 2021: Yesterday, on April 21, 2021, the French Council of State (the highest French court) refused to apply the CJEU’s judgment (link in French) in a case and has begun requiring the mandatory retention of metadata by French telecommunication providers. The Council of State’s ruling also made it easier for law enforcement to access this metadata by broadly expanding the definition of “national security” to include crimes like drug trafficking.
We are disappointed that France has undermined this reasonable and forward-looking decision from the CJEU. However, this does not affect ProtonMail. As a Swiss company, we are outside of French jurisdiction.
Today, the Belgian Constitutional Court made the opposite decision. It agreed with the CJEU’s ruling and ended Belgium’s metadata retention program (link in French). This decision will lead directly to better data privacy protection for everyone in Belgium.
You can get a free secure email account from ProtonMail here.
We also provide a free VPN service to protect your privacy. ProtonMail and ProtonVPN are funded by community contributions. If you would like to support our development efforts, you can upgrade to a paid plan. Thank you for your support.