By declaring the Data Retention Directive invalid, the European Court of Justice has shifted the balance between the fundamental rights and freedoms of individuals and the rights of the State to process personal data, says Antonio Ghio.

Never did I imagine that the Snowden revelations and recent snooping scandals triggered by democratic governments would have such an impact on the judicial thinking within the European Court of Justice.

Earlier this month, in the joined cases Digital Rights Ireland and Seitlinger and Others (C-293/12 and C-594/12) the European Court of Justice, the highest court in the European Union, declared the Data Retention Directive (Directive 2006/24/EC) to be invalid, finally deciding on a piece of legislation that has been causing controversy for at least a decade.

The main scope behind the Data Retention Directive was to provide a basis for the harmonisation in EU member states of laws regarding the retention of data collected and processed by companies providing publicly available electronic communications services and public communications networks. Typical examples of such providers are mobile telephony operators and internet service providers.

This directive, as transposed into Maltese law by virtue of Legal Notice 98 of 2008, required these service providers to retain certain categories of data and make such data accessible to law enforcement agencies for the purpose of the prevention, investigation, detection and prosecution of serious crimes.

This essentially means that any action taken and personal data collected pursuant to the provisions of the directive can be challenged in court

Under the provisions of Legal Notice 98 of 2008, telecom operators are obliged to store communications relating to internet access and internet e-mail for six months and communications data relating to fixed and mobile telephony, including location and subscriber information for one year. Through this legal notice, law enforcement agencies cannot obtain details regarding the actual contents of the communications in question.

The data protection landscape at the turn of the century was very much different than the one we live in today. It has been claimed several times that one of the reasons why the 9/11 terrorist attack was successful was the inability by security agencies to gather and process information. In 2003, European Data Protection Commissioners had immediately showed their disapproval to any legislative effort aimed at introducing powers to law enforcement agencies to electronic communications data. Following the London and Madrid bombings however, public opinion had changed and Directive 2006/24/EC made it through.

In some countries, the question as to the legality of the Data Retention Directive was put to the test. In 2009, the Romanian Constitutional Court declared the directive as violating constitutional rights – however, following the initiation of a case by the European Commission against Romania for not implementing the directive, the Romanian Parliament passed a new law (nicknamed ‘Big Brother’) in June 2012. Only Germany remained defiant. In March 2010, the German Constitutional Court declared the law unconstitutional.

Following requests by the High Court of Ireland and the Constitutional Court in Austria, the European Court of Justice was tasked to examine whether the Data Retention Directive was an overkill, particularly whether the provisions contained therein went against fundamental rights found under the EU Charter of Fundamental Rights, including the right to private life and the right to the protection of personal data.

The decision of the European Court of Justice was clear, ruling that this directive “entails a wide-ranging and particularly serious interference with the fundamental rights to respect private life and to the protection of personal data, without that interference being limited to what is strictly necessary”.

The European Court of Justice further added that “by adopting the Data Retention Directive, the EU legislature has exceeded the limits imposed by compliance with the principle of proportionality”, and held that the directive is not sufficiently circumscribed to ensure that any interference to our fundamental rights to privacy are limited to what is strictly necessary.

The European Court of Justice referred to the fact that the definition of ‘serious crime’, as contained in the directive, has not been harmonised across EU member states, leaving the national substantive and procedural provisions regarding access to data by the authorities uneven across the EU. The European Court of Justice also made reference to the fact that the present directive fails to provide for sufficient safeguards so that risk of abuse of the data processed is removed.

One has also to note that since the European Court of Justice did not limit the temporal effect of the judgment, the declaration of invalidity should take effect on the date on which the directive entered into force and not just from the date of the judgment. This essentially means that any action taken and personal data collected pursuant to the provisions of the directive can be challenged in court. This also means that the provisions contained in our own Legal Notice 98 of 2008, as well as any information obtained under such legal notice, can be directly challenged in front of the Maltese courts, which will be obliged to respect the binding nature of the decision of the European Court of Justice.

Any data protection law strives to create a balance between the fundamental rights and freedoms of individuals and the rights of the State to process such personal data regarding its subjects. Such balance is in constant flux however. While in 2008 there was consensus that additional powers had to be given to law enforcement authorities in their effort to combat serious crime, following the Snowden saga, such balance is again shifting, and the latest pronunciation by the European Court of Justice is clear evidence of that.

It will be interesting to see how the local legislative and judicial landscapes will react to the ever-changing balance of proportionality when personal data is processed.

Dr Ghio is a partner at Fenech & Fenech Advocates specialising in ICT Law (www.fenechlaw.com). He also lectures ICT Law and Cybercrime at the University of Malta.

Sign up to our free newsletters

Get the best updates straight to your inbox:
Please select at least one mailing list.

You can unsubscribe at any time by clicking the link in the footer of our emails. We use Mailchimp as our marketing platform. By subscribing, you acknowledge that your information will be transferred to Mailchimp for processing.