Douglas Crawford

May 7, 2013

Update 06 November 2014: In April this year the European Court of Justice (ECJ), the highest court in the EU, declared the EU-wide Data Retention Directive invalid on the grounds that,

By requiring the retention of those data and by allowing the competent national authorities to access those data, the directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data. Furthermore, the fact that data are retained and subsequently used without the subscriber or registered user being informed is likely to generate in the persons concerned a feeling that their private lives are the subject of constant surveillance.

However, not one country has repealed local implementation of the DRD, and the UK has even gone so far as to defy the ECJ and pass new mandatory data retention legislation.

—————

The European Union is well known for its extensive and highly controversial mass surveillance legislation, the mandatory Data Retention Directive (DRD), adopted in March 2006. It requires all ISPs and communications providers to keep data for at least 12 months, and this data must include enough information to:

  • trace and identify the source of a communication
  • trace and identify the destination of a communication
  • identify the date, time and duration of a communication
  • identify the type of communication
  • identify the communication device
  • identify the location of mobile communication equipment

In practice this means that logs are kept of all telephone calls, SMS messages and emails made and received, and all websites visited, and all EU citizens are subject to this massive invasion of privacy, regardless of whether or not they are suspected of any crime.

The details of who can access this information vary by country (for example in the UK a large number of organisations have been granted access with very little judicial oversight), but in general it must be available to ‘competent’ national authorities in specific cases, ‘for the purpose of the investigation, detection and prosecution of serious crime, as defined by each Member State in its national law’.

The position of VPN providers depends on how each country has transposed the directive into national legislation (where they have). While many countries do include VPN providers in the legislation and require them to keep logs (see list), a number of countries (discussed below) either do not require VPN providers to keep logs, or have rejected the legislation outright.

See our No log VPN guide for more information.

Countries in full compliance with the EU DRD (including VPN services in the legislation) include:

Denmark, Estonia, Finland, Greece, Hungary, Ireland, Latvia, Liechtenstein, Lithuania, Malta, Norway, Poland, Portugal, Slovakia, Slovenia, Spain, Switzerland and the UK.

Opposition to the Data Retention Directive

As noted at the beginning, the DRD represents a massive invasion of every EU citizen’s civil liberties (on a par with the likes of China and Iran). It consequently remains highly controversial and has faced intense criticism, with many legal fights against its incorporation into national law remaining on-going (although many countries which initially put up a fight have now given in and accepted the legislation).

In April 2011 the European Commission published a report evaluating the directive, concluding that it was a valuable tool for ensuring criminal justice and public protection, but that it suffered from inconsistencies in how different member countries implemented it. This report was promptly attacked by the European Data Protection Supervisor (EDPS), who stated that the directive ‘does not meet the requirements imposed by the fundamental rights to privacy and data protection’. The EDPS also criticised the Commission’s report on the grounds that it had failed to demonstrate that the DRD was necessary or proportionate, both of which are required to make it lawful under the EU Charter of Fundamental Rights. An additional criticism was that there was far too much leeway in how individual countries chose to implement the DRD, and who was allowed access to the data.

Currently opponents such as European Digital Rights (EDRi), the Electronic Frontier Foundation (EFF) and AK Vorrat are campaigning for the European Commission to prove that the DRD is necessary to the investigation of serious crime, for a system to allow citizens to monitor the impact of the directive on their privacy, and for the complete repeal of the DRD in favour of a targeted system of data collection (rather than blanket coverage of the EU’s 500 million innocent citizens).

Countries which have not implemented the DRD

Belgium – the DRD remains highly contentious, and has not been implemented (yet). However, Belgium does have strict laws (especially targeted at copyright infringement) and some internet censorship.

Cyprus – in February 2011 the Cyprus High Court ruled the DRD unconstitutional. There is, however, some very limited implementation of it, with only a 6-month data retention period, in which data can only be accessed ‘in cases of convicted and unconvicted prisoners and business correspondence and communication of bankrupts during the bankruptcy administration’.

Czech Republic – in July 2012 the DRD was rejected by the High Court on the basis that it was unconstitutional and that it infringed on people’s right to privacy. However, a new data retention law was passed in July 2012, and only awaits the President’s signature before becoming law.

Germany – constitutional challenges have stalled implementation of the directive, although it has been ruled by the courts that the DRD could be acceptable if amended. In April 2012 the EU Commission warned against this however, and threatened to fine Germany if the DRD is not fully brought into law. It should be noted that although the DRD has not yet been implemented, internet surveillance and server raids are common in Germany.

Countries where the DRD does not apply to VPN

Most of the following countries resisted the DRD, often putting up stiff opposition on constitutional grounds. Although they have now been brought into alignment with the directive, implementation is generally less than enthusiastic, and VPN providers are excluded from the legislation:

Bulgaria, Luxembourg, Netherlands, Romania and Sweden.

The DRD is also not applicable to VPN providers in France and Italy, but these countries have other internet surveillance issues and strongly enforced copyright laws.

Non-EU European Countries

Iceland and Serbia are not subject to the DRD but have adopted their own data retention policies. However (as far as we understand it), these do not apply to VPN services.

Other data logging, internet surveillance and copyright laws in Europe

In addition to the European Union’s Data Retention Directive, most countries have their own legislation regarding logging, on-line spying and anti-piracy, exploration of which is far beyond the scope of this article. To give an idea of just how complex the picture is, and to what extent law-abiding citizens’ civil liberties are under attack, you may wish to look at our in-depth article on Data Retention in the UK, which paints a truly chilling picture.

Good European countries for VPN

To summarise the above information, good countries for European VPN providers to be based in are:

  • Bulgaria
  • Cyprus
  • Czech Republic (for now)
  • Iceland
  • Luxembourg
  • Netherlands
  • Romania
  • Serbia
  • Sweden

Take a look at a list of our favorite VPN providers.

Conclusion

The EU-wide Data Retention Directive is an incredibly sinister and draconian piece of legislation pushed through by powerful US and UK government interests in the wake of 9/11 and the 7/7 London bombings. Outside of extremely restrictive countries controlled by militaristic regimes (such as China and Iran), it is the most far-ranging intrusion into the personal lives of law-abiding citizens to date (although numerous international and national pieces of legislation such as ACTA and the recently abandoned CISPA (US) and CCDP (UK) have come close).

The threat to internet users’ civil liberties is on-going and omnipresent. Governments’ desire to monitor and store every single piece of information about their citizens (all the better to control them with), combined with the insane lobbying power of an entertainment industry that is determined to preserve its massive profits at any cost, has led to an unprecedented attack on our most fundamental freedoms.

This is a threat that is not just not going away, but will almost certainly increase over coming years as the rich and the powerful try to wrest control of the internet into their own hands. One of the most powerful tools in the fight against this, and for our individual freedoms, is VPN. However, VPN only truly works when no records are kept that can be traced back to individual users. Government and copyright enforcers are well aware of this fact, hence the sweeping powers enshrined in the DRD which aim to remove internet users’ anonymity.

Fortunately, in Europe some countries have resisted the full implementation of the directive, and provide safe havens (for the time being) for VPN users. The future of VPN, and of who controls the internet itself, is deeply uncertain, but as long as technologies such as VPN can keep one step ahead, ordinary internet users still stand a chance of retaining their online liberty and autonomy.

Update: We made an error including Switzerland in the DRD. Switzerland is not an EU member, so the DRD does not apply there. It does have its own very strict Data Retention Laws, but these do not apply to VPNs, so it should be included on the list of ‘Good European countries for VPN’. For more details on the situation in Switzerland, see here.

Update 30 June 2014: On 8 April 2014 the European Court of Justice declared the EU Data Retention Directive invalid, on the grounds that,

By requiring the retention of those data and by allowing the competent national authorities to access those data, the directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data. Furthermore, the fact that data are retained and subsequently used without the subscriber or registered user being informed is likely to generate in the persons concerned a feeling that their private lives are the subject of constant surveillance.

See our article here for more details. Unfortunately, Denmark is the only country we are aware of to make any effort at removing local implementation of the DRD from national laws. In most countries, therefore, despite the ECJ ruling, the Data Retention Directive stands (we have an article on the situation in the UK, for example).