Data Retention Directive Invalid! – European Court Rules

April 8, 2014

Data Rentention Directive’s days numbered?

08 April 2014: Today’s ruling in the Court of Justice of the European Union was in essence due to a referral to it by the High Court (2012) and the Austrian Constitutional Court on whether or not the Directive was incompatible with the Charter of Fundamental Rights.

Digital Rights Ireland brought the Irish case, arguing that this legislation permitting the accessing of ‘log data’ is in essence accessing private personal data and should not be retained for up to two years as it is in violation of a fundamental right. In the post-Snowden era the implications of this judgement are still unclear, but it seems likely that any new Data Retention Directive will have to have greater oversight by courts or some other national judicial mechanism which can retain public confidence in the law enforcement authorities as they pursue the aims of such data retention legislation.

In any event DRI will now have to wait and see what the long term domestic implications will be now that the green light has been given to continue with their case here. DRI brought the case in 2006, challenging legislation on the grounds that this information is specific and sensitive enough to constitute a violation of fundamental European rights.

This result was largely expected since Advocate General Cruz Vallion had signalled in his advice last December that the Data Retention Directive as it currently stands goes against the proportionality principle that the collection of data relating to ISP customers location, subscriber number and other non-content related data is sensitive enough to constitute a violation of two fundamental rights of EU citizens – namely respect for private life and to the protection of personal data[1].

In order for this to be proportional the CJEU goes some way in setting out in the full judgement what would be required by law enforcement agencies to trump those rights in carrying out their security and justice functions.

The judgement is a scathing indictment of that fact that these conditions were not set out in the Directive and it is clear that following this landmark judgement any new Directive would have to be more prescriptive in order for it to overcome the deficiencies of the now incompatible Directive. It seems likely that the Directive will still be in force in members states in the guise of national laws, according to how it was transposed in the various nations – each member state will have to assess its liability based on their domestic laws and situation.

In this sense it may be argued that Ireland and Austria will get clarification sooner than the other member states given that they have referred these specific points of law to the CJEU and have cases dealing with the content of the judgement going through their national courts.

Other concerns raised by the judgement relate to: vagueness as to the class of classes of persons covered by the directive (this should be clear and relate to the seriousness of the crimes, etc); objective criterion for the oversight of data access, the purposes for which it is held and by whom it is held and the time period which data can be retained based on the objective being pursued. Absences of safeguards against abuse of retained data were also highlighted by the judgement as well as the silence of the directive on the requirement that data be retained within the EU as required by the Charter[2]:

“Lastly, the Court states that the directive does not require that the data be retained within the EU. Therefore, the directive does not fully ensure the control of compliance with the requirements of protection and security by an independent authority, as is, however, explicitly required by the Charter. Such a control, carried out on the basis of EU law, is an essential component of the protection of individuals with regard to the processing of personal data.”

This judgement is a vindication of the ISPAI policy on data retention going back to when it was first conceived. As stated in an article on this site welcoming the Advice of Advocate General Cruz Villalón, in December[3], the current Directive needs to have supporting legislation to ensure that the information collected and requested by member state government agencies with respect to various customer location and communication data from ISPs and telcos is properly overseen and safeguarded and not open to abuse or overly-invasive requests from law enforcement or revenue collecting agencies.

We await with interest the progression of the DRI case in the High Court.