Data Retention Directive Declared Invalid

April 7, 2014

In its judgment in Cases C-293/12 and C-594/12 Digital Rights Ireland and Seitlinger and Others, the CJEU has determined that the Data Retention Directive is invalid in its present form. That invalidity applies from the date the Directive came into force. The effect on the various instruments implementing that Directive may well be that all are invalid. The reference to the CJEU arose from proceedings in Ireland and Austria but the impact will be felt across the EU.

What follows is based on a press release. This apparently devastating judgment was not available at the time of writing on the official site but has just been uploaded here.

Background

The main objective of the Data Retention Directive is to harmonise Member States’ provisions concerning the retention of certain data which are generated or processed by providers of publicly available electronic communications services or of public communications networks. It therefore seeks to ensure that the data are available for the purpose of the prevention, investigation, detection and prosecution of serious crime, such as, in particular, organised crime and terrorism. Thus, the Directive provides that such providers must retain traffic and location data as well as related data necessary to identify the subscriber or user. It does not permit the retention of the content of the communication or of information consulted.

The High Court (Ireland) and the Verfassungsgerichtshof (Constitutional Court, Austria) asked the Court of Justice to examine the validity of the directive, in particular in the light of two fundamental rights under the Charter of Fundamental Rights of the EU, namely the fundamental right to respect for private life and the fundamental right to the protection of personal data.

The Irish court is faced with a dispute between the Irish company Digital Rights Ireland and the Irish authorities regarding the legality of national measures concerning the retention of data relating to electronic communications. The Verfassungsgerichtshof has before it several constitutional actions brought by the Kärntner Landesregierung (Government of the Province of Carinthia) and by Mr Seitlinger, Mr Tschohl and many other applicants. Those actions seek the annulment of the national provision which transposes the directive into Austrian law.

Judgment

The Court observes first of all that the data to be retained makes it possible, in particular, (1) to know the identity of the person with whom a subscriber or registered user has communicated and by what means, (2) to identify the time of the communication as well as the place from which that communication took place and (3) to know the frequency of the communications of the subscriber or registered user with certain persons during a given period. Those data, taken as a whole, may provide very precise information on the private lives of the persons whose data are retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, activities carried out, social relationships and the social environments frequented.

The Court takes the view that, by requiring the retention of those data and by allowing the competent national authorities to access those data, the Directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data. Furthermore, the fact that data are retained and subsequently used without the subscriber or registered user being informed is likely to generate in the persons concerned a feeling that their private lives are the subject of constant surveillance.

The Court then examined whether such an interference with the fundamental rights at issue is justified. It states that the retention of data required by the Directive is not such as to adversely affect the essence of the fundamental rights to respect for private life and to the protection of personal data. The Directive does not permit the acquisition of knowledge of the content of the electronic communications as such and provides that service or network providers must respect certain principles of data protection and data security.

Furthermore, the retention of data for the purpose of their possible transmission to the competent national authorities genuinely satisfies an objective of general interest, namely the fight against serious crime and, ultimately, public security.

However, the Court is of the opinion that, by adopting the Data Retention Directive, the EU legislature has exceeded the limits imposed by compliance with the principle of proportionality.

In that context, the Court observes that, in view of the important role played by the protection of personal data in the light of the fundamental right to respect for private life and the extent and seriousness of the interference with that right caused by the directive, the EU legislature’s discretion is reduced, with the result that review of that discretion should be strict.

Although the retention of data required by the Directive may be considered to be appropriate for attaining the objective pursued by it, the wide-ranging and particularly serious interference with the fundamental rights at issue is not sufficiently circumscribed to ensure that that interference is actually limited to what is strictly necessary.

Firstly, the Directive covers, in a generalised manner, all individuals, all means of electronic communication and all traffic data without any differentiation, limitation or exception being made in the light of the objective of fighting against serious crime.

Secondly, the Directive fails to lay down any objective criterion which would ensure that the competent national authorities have access to the data and can use them only for the purposes of prevention, detection or criminal prosecutions concerning offences that, in view of the extent and seriousness of the interference with the fundamental rights in question, may be considered to be sufficiently serious to justify such an interference. On the contrary, the directive simply refers in a general manner to ‘serious crime’ as defined by each Member State in its national law. In addition, the directive does not lay down substantive and procedural conditions under which the competent national authorities may have access to the data and subsequently use them. In particular, the access to the data is not made dependent on the prior review by a court or by an independent administrative body.

Thirdly, so far as concerns the data retention period, the directive imposes a period of at least six months, without making any distinction between the categories of data on the basis of the persons concerned or the possible usefulness of the data in relation to the objective pursued. Furthermore, that period is set at between a minimum of six months and a maximum of 24 months, but the Directive does not state the objective criteria on the basis of which the period of retention must be determined in order to ensure that it is limited to what is strictly necessary.

The Court also finds that the directive does not provide for sufficient safeguards to ensure effective protection of the data against the risk of abuse and against any unlawful access and use of the data. It notes, inter alia, that the Directive permits service providers to have regard to economic considerations when determining the level of security which they apply (particularly as regards the costs of implementing security measures) and that it does not ensure the irreversible destruction of the data at the end of their retention period.

Lastly, the Court states that the Directive does not require that the data be retained within the EU. Therefore, the Directive does not fully ensure the control of compliance with the requirements of protection and security by an independent authority, as is, however, explicitly required by the Charter. Such a control, carried out on the basis of EU law, is an essential component of the protection of individuals with regard to the processing of personal data.