On Thursday, the Court of Justice of the EU ordered Sweden to pay a lump sum of €3 million for failure to transpose the EU’s Data Retention Directive (the “Directive”) into national law within the prescribed period.  The Directive obliges electronic communications service providers to store information about communications for a period of 6 – 24 months in case they are needed by law enforcement authorities.  The deadline for EU Member States to transpose the Directive had expired on September 15, 2007.  In 2010, following an initial action brought by the European Commission, the Court held that Sweden had exceeded the time limit for adopting the laws, regulations and administrative provisions necessary to comply with the Directive.

In 2011, the Commission brought a subsequent action, asking the Court to order Sweden to pay a daily penalty for each day that Sweden delays in complying with that judgment.  In March 2012, however, the Swedish Parliament adopted measures transposing the Directive into Swedish legislation.  As a result, the Commission withdrew the request for a daily penalty payment, but maintained its claim regarding the payment of a lump sum.

In Thursday’s judgment, the Court held that it was necessary to order Sweden to make a lump sum payment as it had failed to fulfill its obligations under EU law.  In particular, the Court considered the impact of Sweden’s failure on both public and private interests, especially in view of the Directive’s aim to ensure that electronics communications data are available for the purpose of the investigation, detection and protection of serious crime. In calculating the amount,  the Court also considered the duration of the continuation of the infringement of over two years and the fact that Sweden was a first time “offender.”

Sweden is in any event likely not to be the last EU Member State that is hit by a penalty payment, with Germany being the next candidate.  In May last year, the Commission initiated legal action against Germany before the Court for failure to fulfill its obligation to transpose the Directive, requesting that a daily penalty payment of more than € 300,000 be imposed for each day of continued breach after the Court ruling.

And this will not be the last legal dispute concerning the Directive.  The Court may have to deal with the question of the compatibility of the Directive with EU fundamental rights, including the right to data protection, as laid down in the Treaty of Lisbon and the EU Charter of Fundamental Rights, in two other cases that are pending before it.  Earlier this year, the Austrian data protection regulator requested that the Court interpret the provisions under the Directive regarding the possibility to restrict the access rights of individuals to their own data.  The compatibility of the Directive with EU fundamental rights will also be tested in two other cases, with one originating in Austria and one in Ireland.

Although national governments reportedly back the Directive, it remains highly contentious. The European Commission is considering whether to revise it but no timetable for a review has yet been set.