In a commendable preliminary ruling, the European Court of Justice has declared the European Union’s Data Retention Directive invalid.
Data Retention Directive
The judges viewed the directive’s wide-ranging powers to store communications data without the presence of criminal suspicion and without limitation as incompatible with EU law.
German lawyer, Christian Solmecke, gives his assessment, “This judgment from the ECJ is a real slap on the hand for the EU legislature. Given that so many important points were criticised, it seems unlikely that a newly drafted directive on data retention will be enacted any time in the near future. The requirements the ECJ judges have placed on the legislature are too high.
Violation of fundamental rights
The judges came to the conclusion that the current Data Retention Directive interferes too deeply with the fundamental rights to private life and to the protection of personal data; and that as such violations are not restricted to that which is necessary, it is illegal.
The data retention framework enables communications data to be stored including on the participants, the length, frequency and location of the communication. The collection of such data allows information on a person’s daily customs to be collected, including their activities, social environment and location. According to the judges, the possibility of being able to create such personality profiles represents “a particularly severe interference with fundamental rights to private life and the protection of personal data”.
The severe interference is also not justifiable on the grounds of fighting serious crime. The principle of proportionality, which must be observed in the case of any interference with fundamental rights, had not been adhered to here. A severe interference of this kind should be restricted only to that which is necessary. However, the court stated that this is not the case with the current ability to retain data without suspicion, as the directive allows the general retention of data relating to all persons, electronic communications and traffic data, without differentiation, restriction or exception.
There lacks “objective criteria enabling national authorities’ access to data and their use to be restricted to the prevention, investigation and prosecution of offences”, the judges stated.
Lack of security
Finally the judges criticised two major points which have been questioned for a long time:
- Firstly, the fact that the directive does not provide for sufficient safeguards against the abuse of data – Service providers are able, on financial grounds, to save in relation to security, meaning that the directive does not fully ensure the irreversible destruction of data at the end of the retention period.
- Secondly, the directive does not require data to be stored in the European Union, meaning that, where data is stored outside the EU, compliance with the directive cannot be fully ensured.
It is generally permissible for the directive on data retention to permit to storage of data without reason. However, due to the severe interference with fundamental right which this represents, such acts would have to be restricted to that which is necessary.
Following the sharp criticism of the EU’s current Data Retention Directive, it is clear that his is not the case here.
Here is the ECJ’s full press release:
„The Court of Justice declares the Data Retention Directive to be invalid
It entails a wide-ranging and particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data, without that interference being limited to what is strictly necessary
The main objective of the Data Retention Directive is to harmonise Member States’ provisions concerning the retention of certain data which are generated or processed by providers of publicly available electronic communications services or of public communications networks. It therefore seeks to ensure that the data are available for the purpose of the prevention, investigation, detection and prosecution of serious crime, such as, in particular, organised crime and terrorism. Thus, the directive provides that the abovementioned providers must retain traffic and location data as well as related data necessary to identify the subscriber or user. By contrast, it does not permit the retention of the content of the communication or of information consulted.
The High Court (Ireland) and the Verfassungsgerichtshof (Constitutional Court, Austria) are asking the Court of Justice to examine the validity of the directive, in particular in the light of two fundamental rights under the Charter of Fundamental Rights of the EU, namely the fundamental right to respect for private life and the fundamental right to the protection of personal data.
The High Court must resolve a dispute between the Irish company Digital Rights Ireland and the Irish authorities regarding the legality of national measures concerning the retention of data relating to electronic communications. The Verfassungsgerichtshof has before it several constitutional actions brought by the Kärntner Landesregierung (Government of the Province of Carinthia) and by Mr Seitlinger, Mr Tschohl and 11 128 other applicants. Those actions seek the annulment of the national provision which transposes the directive into Austrian law.
By today’s judgment, the Court declares the directive invalid
The Court observes first of all that the data to be retained make it possible, in particular, (1) to know the identity of the person with whom a subscriber or registered user has communicated and by what means, (2) to identify the time of the communication as well as the place from which that communication took place and (3) to know the frequency of the communications of the subscriber or registered user with certain persons during a given period. Those data, taken as a whole, may provide very precise information on the private lives of the persons whose data are retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, activities carried out, social relationships and the social environments frequented.
The Court takes the view that, by requiring the retention of those data and by allowing the competent national authorities to access those data, the directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data. Furthermore, the fact that data are retained and subsequently used without the subscriber or registered user being informed is likely to generate in the persons concerned a feeling that their private lives are the subject of constant surveillance.
The Court then examines whether such an interference with the fundamental rights at issue is justified.
It states that the retention of data required by the directive is not such as to adversely affect the essence of the fundamental rights to respect for private life and to the protection of personal data. The directive does not permit the acquisition of knowledge of the content of the electronic communications as such and provides that service or network providers must respect certain principles of data protection and data security.
Furthermore, the retention of data for the purpose of their possible transmission to the competent national authorities genuinely satisfies an objective of general interest, namely the fight against serious crime and, ultimately, public security.
However, the Court is of the opinion that, by adopting the Data Retention Directive, the EU legislature has exceeded the limits imposed by compliance with the principle of proportionality.
In that context, the Court observes that, in view of the important role played by the protection of personal data in the light of the fundamental right to respect for private life and the extent and seriousness of the interference with that right caused by the directive, the EU legislature’s discretion is reduced, with the result that review of that discretion should be strict.
Although the retention of data required by the directive may be considered to be appropriate for attaining the objective pursued by it, the wide-ranging and particularly serious interference of the directive with the fundamental rights at issue is not sufficiently circumscribed to ensure that that interference is actually limited to what is strictly necessary.
Firstly, the directive covers, in a generalised manner, all individuals, all means of electronic communication and all traffic data without any differentiation, limitation or exception being made in the light of the objective of fighting against serious crime.
Secondly, the directive fails to lay down any objective criterion which would ensure that the competent national authorities have access to the data and can use them only for the purposes of prevention, detection or criminal prosecutions concerning offences that, in view of the extent and seriousness of the interference with the fundamental rights in question, may be considered to be sufficiently serious to justify such an interference. On the contrary, the directive simply refers in a general manner to ‘serious crime’ as defined by each Member State in its national law.
In addition, the directive does not lay down substantive and procedural conditions under which the competent national authorities may have access to the data and subsequently use them. In particular, the access to the data is not made dependent on the prior review by a court or by an independent administrative body.
Thirdly, so far as concerns the data retention period, the directive imposes a period of at least six months, without making any distinction between the categories of data on the basis of the persons concerned or the possible usefulness of the data in relation to the objective pursued.
Furthermore, that period is set at between a minimum of six months and a maximum of 24 months, but the directive does not state the objective criteria on the basis of which the period of retention must be determined in order to ensure that it is limited to what is strictly necessary.
The Court also finds that the directive does not provide for sufficient safeguards to ensure effective protection of the data against the risk of abuse and against any unlawful access and use of the data. It notes, inter alia, that the directive permits service providers to have regard to economic considerations when determining the level of security which they apply (particularly as regards the costs of implementing security measures) and that it does not ensure the irreversible destruction of the data at the end of their retention period.“