By Philippe Bradley and Mark Young

The Court of Justice of the European Union (CJEU) today held that the EU Data Retention Directive(Directive 2006/24/EC)1 is invalid.  The CJEU ruled that the retention of data under the Directive constitutes an impermissibly broad and serious interference with fundamental human rights to private life and the protection of personal data.

The Data Retention Directive requires all EU Member States to ensure that communications service providers retain certain traffic, location and related data necessary to identify subscribers or users in relation to every communication carried (“communications data”), for the purpose of investigating, detecting and prosecuting “serious crime”, as defined by national law.  Today, the CJEU ruled that the Directive is unlawful despite its legitimate aim and the measures it put in place to protect retained data, and regardless of the fact that it does not require the content of communications to be retained.

The effect of the declaration of invalidity is immediate and effectively back-dated to the day on which the Data Retention Directive entered into force.  This raises interesting questions about the status of national implementing data retention laws (and possibly also about costs that service providers have incurred in complying with such laws), and whether the EU legislature will attempt to create an alternative data retention system that respects the limits set out in the ruling.

The Data Retention Directive has been controversial since its inception.  In 2003 and subsequently, we argued that the blanket retention of communications data — essentially data about who contacted whom, when, for how long and from what location — is a disproportionate interference with human rights, in particular the right to privacy under Article 8 of the European Convention on Human Rights.

Following two parallel references from the High Court of Ireland and the Constitutional Court of Austria, the CJEU has now ruled in Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and Seitlinger and Others that this is indeed the case (relying on the analogous right to privacy under Article 7 of the Charter of Fundamental Rights of the European Union (the “Charter”)).  The CJEU also added that the Data Retention Direction infringes the fundamental right to protection of personal data under Article 8 of the Charter.

The CJEU took the view that retaining communications data permits very precise conclusions to be drawn about individuals’ private lives, including about their daily habits, movements and social relationships.  The Court identified three significant flaws in relation to the retention of and access to communications data under the Directive:

  • First, all traffic data of all subscribers and registered users is retained, without differentiation, limitation or exception, entailing “an interference with the fundamental rights of practically the entire European population”. 
  • Second, the criteria for access to the data are not objective and procedural protections are lacking; for example, access does not require a court or independent administrative body to carry out a prior review.
  • Third, data must be retained for at least six months, without any distinction being made regarding the categories of data or their potential usefulness, or based on any objective criteria to ensure that retention is limited to what is strictly necessary.

For these reasons, the CJEU held that the interference with fundamental rights under the Directive is not strictly necessary to meet its stated aims (i.e., to help the fight against serious crime) — a crucial element of the relevant test under Article 52(1) of the Charter and associated case-law.  The CJEU also criticized the latitude given to communications providers to consider economic factors when deciding on the level of security to provide, and the lack of an obligation to delete the data at the end of the retention period. 

It will take time before the practical implications of the ruling are clear.  Already, a Swedish Internet Service Provider announced that it will immediately cease collecting customer traffic data, regardless of the status of Swedish national implementing law.  But the broader impact on national law is more complicated.  The European Commission was quick to publish an FAQ today noting that, “National legislation needs to be amended only with regard to aspects that become contrary to EU law after a judgment by the European Court of Justice. Furthermore, a finding of invalidity of the Directive does not cancel the ability for Member States under the e-Privacy Directive (2002/58/EC) to oblige retention of data.

It will also be interesting to observe how law enforcement and Western intelligence services react to this ruling, particularly in light of the recent Snowden revelations and subsequent U.S. government proposals to require telecoms providers to retain communications data for up to 18 months.  Those agencies have long defended the lawfulness of bulk collection of communications data through programs such as TEMPORA, precisely because they involve retaining metadata rather than content, and the data is adequately protected.  Those programs are now also facing a legal challenge before the CJEU, in a case brought by the Privacy Not Prism coalition of UK civil society groups.

 1Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC (OJ 2006 L 105, p. 54).

Photo of Mark Young Mark Young

Mark Young advises clients on data protection, cybersecurity and other tech regulatory matters. He has particular expertise in product counselling, GDPR regulatory investigations, and legislative advocacy. Mr. Young leads on EU cybersecurity regulatory matters, and helps to oversee our internet enforcement team.


Mark Young advises clients on data protection, cybersecurity and other tech regulatory matters. He has particular expertise in product counselling, GDPR regulatory investigations, and legislative advocacy. Mr. Young leads on EU cybersecurity regulatory matters, and helps to oversee our internet enforcement team.

He has been recognized in Chambers UK as “a trusted adviser – practical, results-oriented and an expert in the field.” Recent editions note that he is “deeply knowledgeable in the area of privacy and data protection,” “fast, thorough and responsive,” and has “great insight into the regulators.”

Mr. Young has over 15 years of experience advising global companies, particularly in the technology, health and pharmaceutical sectors, on all aspects of data protection and security. This includes providing practical guidance on analyzing and using personal data, transferring personal data across borders, and potential liability exposure. He specializes in advising in relation to new products and services, and providing strategic advice and advocacy on a range of EU law reform issues and references to the EU Court of Justice.

For cybersecurity matters, he counsels clients on practices to protect business-critical information and comply with national and sector-specific regulation, and on preparing for and responding to cyber-based attacks and internal threats to their networks and information. He has helped a range of organizations respond to cyber and data security incidents – including external data breaches and insider theft of trade secrets – through the stages of initial detection, containment, notification, recovery and remediation.

In the IP enforcement space, Mr. Young represents right owners in the sport, media, publishing, fashion and luxury goods industries, and helps coordinate a team of internet investigators that has nearly two decades of experience conducting global notice and takedown programs to combat internet piracy.