Data retention rules are struck down

Data retention rules are struck down

In a recent landmark judgment of the Court of Justice of the European Union (CJEU), the Data Retention Directive was declared invalid.

This judgment was triggered by two separate requests made by the Irish High Court and the Austrian Constitutional Court, which were dealing with national actions concerning the legality of domestic legislative and administrative measures implementing the Data Retention Directive that deals with the retention of data by service providers in electronic communications.

These two cases were joined and the Court of Justice handed down one judgment applicable to both requests for a preliminary ruling.

The EU Data Retention Directive came into force in 2006 re­quir­ing member states to retain communications data for fixed line, mobile telephony and internet communications. The main objective of the directive was intended to harmonise member states’ laws concerning the retention of data generated or processed by providers of publicly available electronic communication services or of public communication networks in order to ensure that the data is available for the purpose of the prevention, investigation, detection and prosecution of serious crime, such as organised crime and terrorism.

This necessitated retention of data necessary to trace and identify the source of a communication and its destination, to identify the date, time, duration and type of a communication, to identify users’ communication equipment, and to identify the location of mobile communication equipment, data that consists of the name and address of the subscriber or the user, the calling telephone number, the number called and the IP address for internet services, the frequency of the communications of the subscriber or the user with certain persons during a given period, and to retain details of internet and call data for six to 24 months. The retained data had to be made available on request to law enforcement authorities.

The comprehensive extent of the data protection rules could allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained. For this reason, the obligation on these providers to retain such data raised questions relating to respect for private life and communications, the protection of personal data and respect for freedom of expression, rights that are enshrined in the EU Charter of Fundamental Rights.

In fact, prior to the CJEU decision, the constitutional courts of certain member states such as Germany, Romania, the Czech Republic, Cyprus and Bulgaria had already declared the national data retention laws unconstitutional.

As is the usual practice, the Opinion of the Advocate General preceded the judgment delivered by the Court of Justice. The Advocate General concluded that the EU Data Retention Directive was incompatible with the Charter of Fundamental Rights in that the rules contained in the directive constituted an interference with the fundamental rights of individuals and highlighted the risk that the retained data could be used for unlawful purposes. In addition, he found the imposed timeframe for the retention of data for up to two years as not justified. However, the Advocate General proposed that the effects of the finding of invalidity should be suspended in order to enable the EU legislature to adopt, within a reasonable period, the measure necessary to remedy the invalidity found to exist.

In its ruling, the Court of Justice in essence followed the conclusions contained in the Advocate General’s Opinion. The court took particular issue with the overreaching nature of the data retention rules that cover all individuals, all means of electronic communication and all traffic data without any differentiation, limitation or exception.

The court considered that the data retention rules interfered with the fundamental rights to respect for private life and to the protection of personal data

The CJEU also criticised the directive for allowing individual member states too much freedom to decide how long telecoms businesses in their country are obliged to retain the data. It considered that the Data Retention Directive was such as to generate a feeling in individuals that their private lives may be under surveillance, failed to prohibit data-fishing expeditions and lacked sufficient security measures to prevent abuse and unlawful access to data.

For this reason, the court considered that the data retention rules interfered with the fundamental rights to respect for private life and to the protection of personal data, and that such interference was disproportionate.

In view of all these considerations, the court concluded that the EU legislature had breached the principle of proportionality, and ruled the directive invalid.

The EU Commission is currently in the process of comprehensively reforming the EU data protection rules. Until then, however, given that the CJEU did not limit the temporal effects of its ruling, the declaration of invalidity would be deemed to take effect from the date of entry into force of the directive.

Josette Grech is adviser on EU law at Guido de Marco & Associates.

Comments not loading? We recommend using Google Chrome or Mozilla Firefox with javascript turned on.
Comments powered by Disqus