By Maria-Martina Yalamova & Mark Young
On 12 December 2013, the Advocate General (“AG”) to the Court of Justice of the European Union (the “CJEU”), Mr Cruz Villalón, gave an opinion that the EU’s Data Retention Directive 2006/24/EC (the “Directive”) violates the fundamental right to privacy in the EU. His reason, in short, is that the Directive mandates the blanket retention of citizens’ traffic and location data by telecom companies, but fails to establish rules on minimum guarantees regarding access to and use of such data.
This is not the first time the lawfulness of the Directive has been challenged. Originally introduced to help fight serious crime and terrorism, the Directive quickly became one of the most controversial pieces of European legislation. In 2011, the European Commission identified several flaws in its evaluation report, such as a lack of clear guidance on what constitutes “serious crime” and on the purposes for which data can be retained and accessed. The European Data Protection Supervisor (EDPS) (see its 2011 opinion), the Article 29 Working Party (see its 2010 report and 2006 Opinion), and civil rights groups have also publicly expressed doubts about the lawfulness of the data retention measures. In addition, the constitutional courts of Germany, the Czech Republic and Romania have ruled that national laws implementing the Directive are unconstitutional as they violate the right to privacy.
The AG’s opinion
The AG’s opinion reflects some of the issues raised by regulators and civil society over the last few years. Specifically, the AG found that the Directive is incompatible with the Charter of Fundamental Rights of the European Union (the “Charter”) on two main grounds: (1) it fails to define the fundamental principles governing minimum guarantees for access to and use of retained data by competent national authorities; and (2) retaining data for up to two years is not proportionate to the objective it pursues. The AG’s opinion was delivered in connection with two national cases, including a long-running dispute brought against the Irish authorities.
1) Too much discretion left to Member States
The AG criticized the Directive for assigning to Member States the task of establishing guarantees relating to access and use of retained data, contrary to the requirement laid down by the Charter that any limitation on the exercise of a fundamental right must be provided for in law. According to the AG, the following principles should have been included in the Directive:
- a more precise description of “serious crime” as an indication of the types of criminal activities that are capable of justifying access of the competent national authorities to retained data;
- a principle that limits access to data to judicial or other independent authorities, or, failing that, makes requests for access subject to judicial review;
- a provision that mandates case-by-case examination of requests to limit the data provided to that which is strictly necessary;
- a provision specifying that Member States may adopt more stringent requirements when access may infringe fundamental rights (e.g., right to medical confidentiality);
- a provision requiring relevant authorities to delete data once the usefulness of the data has been exhausted, and to notify individuals of access to data, at least retrospectively.
The AG argues that the current lack of clear guidance on the conditions of access and use of stored data and, consequently, the scope of the interference with the right to privacy, make it impossible to determine whether the law is constitutionally acceptable.
Article 52(1) of the Charter requires that any limitation on the exercise of a fundamental right must be provided for in law and that such limitation should be subject to the principle of proportionality. The AG took the view that the Directive violates the proportionality principle by requiring Member States to mandate data retention for a period of up to two years. Although the Directive pursues a legitimate purpose, according to the AG, the specified maximum period of data retention is not necessary to achieve that objective, and there is no justification for not limiting the retention of data to less than one year.
Effect of a finding of invalidity
The AG’s finding of invalidity relates to the quality of the law and does not challenge the legitimacy of the Directive’s overarching objective — to ensure that retained data are available for the prevention and prosecution of serious crime. In the interest of legal certainty, the AG considered that the effects of this finding should be suspended pending adoption by the EU legislature of the measures necessary to remedy the invalidity, provided such measures are adopted within a reasonable period of time.
Although the AG’s opinion is non-binding on the CJEU, it carries substantial weight in the judicial process and historically the Judges of the CJEU have followed the main recommendations set out by the AG. If the CJEU rules that the Directive is invalid, the European legislator will be required to take necessary steps to remedy that illegality.