In his Opinion delivered on 12 December, Advocate General Pedro Cruz Villalón, takes the view that the Data Retention Directive is as a whole incompatible with the requirement, laid down by the Charter of Fundamental Rights of the European Union, that any limitation on the exercise of a fundamental right must be provided for by law. The Opinion arises from two sets of proceedings brought to challenge data retention policies. In one, Digital Rights Ireland Ltd claim that the Irish authorities have unlawfully processed, retained and exercise control over communications data. In the other, the claim from various applicants is that the Austrian law on telecommunications is contrary to the Austrian Constitution.
Any Opinion in an area so fraught with the politics of terror and security is one where the need to emphasise caution about the non-binding nature of an Advocate General’s view is even greater than usual. The uncomfortable fact is that the Court of Justice’s final judgment may be more influenced by politics than the legally precise view of the Advocate General. Caution when considering this Opinion applies double when a careful reading shows that the headline finding of incompatibility is rather undermined by the view expressed as to the balance between the importance of the Data Retention Directive’s objectives and the quite specific problems with it. If the Advocate General is right, these are readily remediable so the Directive is very far from undermined.
According to the Advocate General, the Directive constitutes a serious interference with the fundamental right of citizens to privacy, by laying down an obligation on the providers of telephone or electronic communications services to collect and retain traffic and location data for such communications.
The Advocate General points out, in this regard, that the use of those data may make it possible to create a both faithful and exhaustive map of a large portion of a person’s conduct strictly forming part of his private life, or even a complete and accurate picture of his private identity. There is, moreover, an increased risk that the retained data might be used for unlawful purposes which are potentially detrimental to privacy or, more broadly, fraudulent or even malicious. Indeed, the data are not retained by the public authorities, or even under their direct control, but by the providers of electronic communications services themselves. Nor does the Directive provide that the data must be retained in the territory of a Member State. They can therefore be accumulated at indeterminate locations in cyberspace.
In the light of that serious interference, the Directive should, first of all, have defined the fundamental principles which were to govern the determination of the minimum guarantees for access to the data collected and retained and their use. Thus, the European Union legislature should, in particular, have provided a more precise description than ‘serious crime’ as an indication of the criminal activities which are capable of justifying access of the competent national authorities to the data collected and retained. The European Union legislature should have guided the Member States’ regulation of authorisation to access the data collected and retained, by limiting access, if not solely to judicial authorities, at least to independent authorities or, failing that, by making any request for access subject to review by the judicial authorities or independent authorities and it should have required a case-by-case examination of requests for access in order to limit the data provided to what is strictly necessary. Similarly, it could have been expected to lay down the principle that Member States may provide for exceptions preventing access to retained data in certain exceptional circumstances or may prescribe more stringent requirements for access in situations in which access may infringe fundamental rights guaranteed by the Charter, as in the context of the right to medical confidentiality. It should have established the principle that the authorities authorised to access the data are required, first, to erase them once their usefulness has been exhausted and, second, to notify the persons concerned of that access, at least retrospectively, after the elimination of any risk that such notification might undermine the effectiveness of the measures justifying the use of those data.
However, the Directive – which indeed regulates neither access to the data collected and retained nor their use – assigns the task of defining and establishing those guarantees to the Member States. Accordingly, the Directive does not comply with the requirement, laid down by the Charter, that any limitation on the exercise of a fundamental right must be provided for by law, as that requirement is more than just a purely formal one. Thus, when the European Union legislature adopts, as in the case of the Data Retention Directive, an act imposing obligations which constitute serious interference with the fundamental rights of citizens of the Union, it must assume its share of responsibility by defining at the very least the principles which must govern the definition, establishment, application and review of observance of the necessary guarantees. It is this very regulation which makes it possible to assess the scope of what the interference with the fundamental right entails in practical terms and which may, therefore, determine whether or not the interference is constitutionally acceptable.
Advocate General Cruz Villálon finds, next, that the Data Retention Directive is incompatible with the principle of proportionality in that it requires Member States to ensure that the data are retained for a period whose upper limit is set at two years (and the retention period must not be less than six months).
The Advocate General considers that the Directive pursues an ultimate objective that is perfectly legitimate, ie the objective of ensuring that the data collected and retained are available for the purpose of the investigation, detection and prosecution of serious crime, and may be regarded as appropriate and even, subject to the guarantees with which it should be coupled, as necessary for achieving that objective. However, he has not found, in the various views submitted to the Court of Justice defending the proportionality of the data retention period, any sufficient justification for not limiting the data retention period to be established by the Member States to less than one year.
So far as concerns the temporal effects of the finding of invalidity, the Advocate General proposes, after weighing up the various competing interests, that the effects of a finding that the Directive is invalid should be suspended pending adoption by the EU legislature of the measures necessary to remedy the invalidity found to exist, but such measures must be adopted within a reasonable period. His view is that the relevance and even urgency of the ultimate objectives of the limitation on fundamental rights at issue are not in doubt and that the findings of invalidity are of a very particular nature. First, the Directive is invalid as a result of the absence of sufficient regulation of the guarantees governing access to the data collected and retained and their use (quality of the law), an absence which nevertheless may have been corrected in the implementing measures adopted by the Member States. Secondly, the Member States have, in general, as is apparent from the information provided to the Court, exercised their powers with moderation with respect to the maximum period of data retention.