In April 2014 the Court of Justice of the European Union declared the European Union Data Retention Directive 1 invalid. The Court ruled that, despite the Directive’s legitimate purpose of fighting against serious crime and the protection of public security, it does not meet the principle of proportionality and should provide more safeguards regarding the protection of fundamental rights such as respect for private life and the protection of personal data.
The principle objective of the European Union (EU) Data Retention Directive 2006/24 is to harmonise Member States’ provisions concerning the retention of certain data which are generated or processed by providers of publicly available electronic communications services or of public communications networks with the aim to ensure that the data would be available for the purpose of the prevention, investigation, detection and prosecution of serious crime.2 According to the Directive, providers must retain traffic and location data as well as related data necessary to identify the subscriber, but not the content of the communication.3
The April 2014 ruling reflects the struggle of human rights activists who have fought hard to have the original Europe-wide law re-considered.4 The representatives of the parties who initiated the cases in Ireland and Austria put forward the argument that the Directive is incompatible with the Charter of Fundamental Rights of the European Union,5 and that there is still no evidence available of the excessive collection of communication data being a necessary and proportionate measure for combating organised crime or terrorism in the EU.6 Furthermore, it was argued that the retained data is used for the investigation of crimes not foreseen in the Directive, like theft, drug trafficking and stalking.2
The Court’s ruling found that the retention of data for the purpose of allowing the competent national authorities to have possible access to the data is satisfying an objective of general interest.7 However, when assessing the proportionality of the interference, the Court concluded that “Directive 2006/24 does not lay down clear and precise rules governing the extent of the interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter.” Therefore the Court held that the Directive “entails a wide-ranging and particularly serious interference with those fundamental rights in the legal order of the EU, without such an interference being precisely circumscribed by provisions to ensure that it is actually limited to what is strictly necessary.”8 Moreover, the Court found that the Directive “does not provide for sufficient safeguards, as required by Article 8 of the Charter, to ensure effective protection of the data retained against the risk of abuse and against any unlawful access and use of that data”9 , “does not ensure that a particularly high level of protection and security is applied by those providers by means of technical and organisational measures” nor “ensure the irreversible destruction of the data at the end of the data retention period”.10 Furthermore, the “Directive does not require the data in question to be retained within the European Union” and consequently, control over the data cannot be fully ensured.11
The consequences of the Directive being held invalid are uncertain. Whereas some states have initiated a review of their national data retention regulation or even ruled national data retention laws invalid,12 others are looking for alternative measures to keep retaining the data13 or have not taken any concrete steps. This leaves the local ISPs in a legal vacuum where it is not certain whether national data retention laws need to be adhered to or not, and results in stopping the collection of subscriber data despite the countries’ data retention laws remaining in force.14 The European Commission has assured that it will carefully assess the verdict and its impacts, and take its work forward in light of progress made in relation to the revision of the e-Privacy directive whilst taking into account the negotiations on the data protection framework.15
- European Union, Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the Retention of Data Generated or Processed in Connection with the Provision of Publicly Available Electronic Communications Services or of Public Communications Networks and Amending Directive 2002/58/EC, 2006, http://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1405060274756&uri=CEL….
- Court of Justice of the European Union, “The Court of Justice Declares the Data Retention Directive to Be Invalid,” Press release no 54/14, 8 April 2014, http://curia.europa.eu/jcms/upload/docs/application/pdf/2014-04/cp140054….
- Electronic Frontier Foundation, “Data Retention Directive Invalid, Says EU’s Highest Court”, 8 April 2014, https://www.eff.org/deeplinks/2014/04/data-retention-violates-human-righ….
- European Union, Charter of Fundamental Rights of the European Union, 2010, http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:C:2010:083:0389….
- EDRI, “Data Retention: “We Ask the Court to Rule in Favour of Freedom””, 17 July 2013, http://history.edri.org/edrigram/number11.14/data-retention-hearing-ecj-….
- European Court of Justice, Judgment of the Court (Grand Chamber) of 8 April 2014. Digital Rights Ireland Ltd (C-293/12) v Minister for Communications, Marine and Natural Resources and Others and Kärntner Landesregierung (C-594/12) and Others., 44 (2014).
- Ibid., l. 65.
- Ibid., l. 66.
- Ibid., l. 67.
- Ibid., l. 68.
- Electronic Frontier Foundation, “‘Data Retention Directive Invalid, Says EU’s Highest Court’; Republic of Slovenia, Information Commissioner, ‘Slovenian Constitutional Court Holds Data Retention Unconstitutional, Orders Deletion of Data’,” 11 July 2014, https://www.ip-rs.si/index.php?id=272&tx_ttnews[tt_news]=1256&cHash=2885….
- NDTV, “UK Government Seeks Data Retention Law After European Union Verdict,” NDTV.com, 10 July 2014, http://www.ndtv.com/article/world/uk-government-seeks-data-retention-law….
- Liam Tung, “Four of Sweden’s Telcos Stop Storing Customer Data after EU Retention Directive Overthrown,” ZDNet, 11 April 2014, http://www.zdnet.com/four-of-swedens-telcos-stop-storing-customer-data-a….
- European Commission, “Data Retention Directive: Commissioner Malmström’s Statement on Today’s Court Judgment,” press release, 8 July 2014, http://europa.eu/rapid/press-release_STATEMENT-14-113_en.htm.