Exit Data Retention Directive: a Victory for Privacy in Europe

Last Tuesday, April 8, the European Court of Justice in Luxembourg has declared the Data Retention Directive invalid from the date on which the directive entered into force. In the view of the Court, the requirement in the Data Retention Directive for mobile operators and internet service providers to retain data interfered in a “particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data”. Now, does a European citizen or a company in the European Union have to comply with national regulations in the member states of the European Union, implementing the Data Retention Directive? Is the European Court sending the European Commission back to the writing table?

The main objective of the Data Retention Directive (Directive 2006/24/EC, 15 March 2006)  is to harmonise Member States’ provisions concerning the retention of certain data which are generated or processed by providers of publicly available electronic communications services or of public communications networks. It therefore seeks to ensure that the data are available for the purpose of the prevention, investigation, detection and prosecution of serious crime, such as, in particular, organised crime and terrorism.

The much debated directive has been pushed through following the terrorist attacks of September 11, 2001 on US soil and the terrorist attacks on the London tube and trains in Madrid. It specifies that mobile operators and internet service providers within the European Union will have to store citizens' telecommunications data (telephone and Internet data - user, recipient and length of calls -) for a period of a minimum of 6 months and at most 2 years.

From the beginning the Data Retention Directive met with considerable resistance in several member states. Sixteen member states, including Germany, Belgium and the Netherlands issued declarations to the Data Retention Directive stating that they will be making use of the option of postponing application of the Directive to the retention of communications data relating to Internet access, Internet telephony and Internet e-mail, for a period not exceeding 18 months following the date of entry into force of the Directive. Several supreme courts of EU member states declared the entire directive, the implementation or parts thereof as unconstitutional. Some countries have implemented the directive belatedly and Berlin has failed to meet the deadline for complying with the EU's guidelines on data retention.

The High Court (Ireland) and the Verfassungsgerichtshof (Constitutional Court, Austria) are asking the Court of Justice to examine the validity of the directive, in particular in the light of two fundamental rights under the Charter of Fundamental Rights of the EU, namely the fundamental right to respect for private life and the fundamental right to the protection of personal data. The High Court must resolve a dispute between the Irish company Digital Rights Ireland and the Irish authorities regarding the legality of national measures concerning the retention of data relating to electronic communications. The Verfassungsgerichtshof has before it several constitutional actions brought by the Kärntner Landesregierung (Government of the Province of Carinthia) and by Mr Seitlinger, Mr Tschohl and 11 128 other applicants. Those actions seek the annulment of the national provision which transposes the directive into Austrian law.

On Thursday, December 12, 2013, Advocate General of the European Court of Justice (ECJ), Cruz Villalón, stated  in his Opinion on Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and Seitlinger and Others, that the Data Retention Directive is “as a whole incompatible” with (article 7 of) the EU Charter of Fundamental Rights. The EU legislator could just not, the General Advocate reminds him, adopt legislation including “serious interference with the fundamental rights of citizens of the Union“ and “entirely leave to Member States the task of defining the guarantees capable of justifying that interference.“

The directive finally violates the principle of proportionality, the opinion states, as it requires that data should be retained for a period of up to two years and that there might be lapses once data is transferred. An “accumulation of data at indeterminate locations in cyberspace such as the accumulation at issue, which always concerns actual and particular persons, tends, whatever its duration, to be perceived as an anomaly“ the Advocate warns.

Those data, taken as a whole, may provide very precise information on the private lives of the persons whose data are retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, activities carried out, social relationships and the social environments frequented.

In the Judgment in Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and Seitlinger and Others the Court of Justice of the European Union takes the view that, by requiring the retention of those data and by allowing the competent national authorities to access those data, the directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data. Furthermore, the fact that data are retained and subsequently used without the subscriber or registered user being informed is likely to generate in the persons concerned a feeling that their private lives are the subject of constant surveillance.

The Court is of the opinion that, by adopting the Data Retention Directive, the EU legislature has exceeded the limits imposed by compliance with the principle of proportionality. Although the retention of data required by the directive may be considered to be appropriate for attaining the objective pursued by it (fighting against serious crime), the wide-ranging and particularly serious interference of the directive with the fundamental rights at issue is not sufficiently circumscribed to ensure that that interference is actually limited to what is strictly necessary. The Court also finds that the directive does not provide for sufficient safeguards to ensure effective protection of the data against the risk of abuse and against any unlawful access and use of the data.

Although the directive indicated that Member States should adopt legislative measures to ensure that data retained under this Directive are provided to the competent national authorities only in accordance with national legislation in full respect of the fundamental rights of the persons concerned, the Court has complained that the directive does not lay down substantive and procedural conditions under which the competent national authorities may have access to the data and subsequently use them. In particular, the access to the data is not made dependent on the prior review by a court or by an independent administrative body. As a consequence, while anti-terrorism has been stated as the original motive, the data stored by internet service and telephony providers finally was used in many countries to prosecute even copyright or slander cases.

Now the Court has declared the Data Retention Directive invalid, it will be more difficult to store essential personal data as evidence in prosecuting serious crimes. On the other hand internet service providers who refused to store those data in the past might feel confident to get justice in municipal courts. After all, the legal basis under the municipal legislation implementing the Data Retention Directive is gone.

The European Commission will now have to either amend or scrap the legislation, a process that could take years and requires the approval of the Parliament and national governments. The amended or new Directive should provide more specific regulations concerning protection of or safeguards for (the use and storage of) personal data and the right to privacy.