The EU has tighter restrictions than the United States does on the collection, use, and sale of data by online companies, but also requires Internet service providers to store personal data in case the government ever wants to investigate an individual user. The European Parliament is currently considering passing a law called "Smile29" that would require the Google search engine – which processes billions of searches a month on the Continent – to retain data on users as well.
The EU effort is just the latest of government's around the globe seeking to glean more about their citizens from their online behavior. To critics, the EU laws amount to a surveillance land-grab that has prompted a groundswell of opposition across Europe. Now a group in Ireland is challenging the new regime – seeking permission from the Irish courts to sue the European Court of Justice (ECJ) to strike down new Irish laws designed to bring the country into line with broader European standards. If Digital Rights Ireland, which argues that the laws violate the European Convention on Human Rights, wins, it would set the stage for successful challenges to the rules across Europe. "The main thing we want to see is our data retention laws repealed," says T.J. McIntyre, a law lecturer at University College Dublin and head of the organisation. Mr. McIntyre says the laws criminalize ordinary citizens.
Online privacy has become a key civil liberty battleground. Facebook and Google are amassing colossal amounts of data about users' thoughts, desires, and impulses, which businesses covet and pay handsomely for. And across Europe, a backlash against the storage of private data is growing. Civil society groups like the European Federation of Journalists have criticized the practice, and in Germany almost 35,000 people, including Justice Minister Sabine Leutheusser-Schnarrenberger, sued their own government over the issue. "There is a real problem in Europe today. It is a breach of the European Convention on Human Rights, which says that everyone has the right to a private life. That fundamental right has to extend into digital life," says Christian Engström, a member of the European Parliament for Sweden's controversial Pirate Party, elected on a platform of digital rights.
In Ireland at present, telephone data must be retained for three years, but there are currently no provisions requiring Internet service providers to retain data, something both the EU and the Irish government want to change. McIntyre says the government already has the upper hand. "In 2002 the Irish government secretly introduced data retention. They did it by ministerial order, and to this day the department of justice has not confirmed it." McIntyre expects the case to be decided by the ECJ.
The EU itself seems to be of two minds when it comes to Internet privacy. While monitoring and surveillance powers have been greatly expanded, the EU body overseeing the effort to expand data retention to search engines under Smile29 complained in a report that EU members are already collecting more information on citizens than they should and "have scarcely provided statistics on the use of data retained under the Directive, which limits the possibilities to verify the usefulness of data retention."
The group advocates major changes to the law, including a reduction of the maximum retention period, reconsideration of the overall security of traffic data by the European Commission, clarification of the concept of "serious crime" at member state level, and "disclosure to all the relevant stakeholders of the list of the entities authorized to access the data." According to Mr. Engström of the Pirate Party, the problem with the EU is a democracy deficit: "Most of the power is with commissioners and [other] unelected officials."
Engström also points to the EU's various bureaucracies, often at loggerheads with one another, as a problem. "It's important to recognize that this is not 'evil'; there is no dark lord pulling the strings, but the EU has become very close to various interests and this in conjunction with an unelected executive is very worrying." Engström contends that law enforcement agencies are seeking access to data simply because it exists: "These things don't have anything to do with real police work. The measures might catch really stupid criminals bumbling about, but real criminals will know how to get around them." He also points to the danger of false accusations, complaining that data mining amounts to little more than pattern recognition: "The human brain is fantastic at seeing patterns – even when they don't exist."
Back in Ireland, McIntyre says his fight will go on for just this reason: "You can't have automated crime detection. For some reason that idea is beloved of law enforcement. The related idea is one of stopping people in advance. Data mining creates too many false positives. From a commercial perspective it doesn't matter – who cares if you get an irrelevant ad on your Facebook page? But with, say, terrorism, a vanishingly small number of people are engaged so you simply don't have the evidence base from which to profile people."