By Philippe Bradley and Mark Young
The Court of Justice of the European Union (CJEU) today held that the EU Data Retention Directive (Directive 2006/24/EC) [1] is invalid. The CJEU ruled that the retention of data under the Directive constitutes an impermissibly broad and serious interference with fundamental human rights to private life and the protection of personal data.
The Data Retention Directive requires all EU Member States to ensure that communications service providers retain certain traffic, location and related data necessary to identify subscribers or users in relation to every communication carried (“communications data”), for the purpose of investigating, detecting and prosecuting “serious crime”, as defined by national law. Today, the CJEU ruled that the Directive is unlawful despite its legitimate aim and the measures it put in place to protect retained data, and regardless of the fact that it does not require the content of communications to be retained.
The effect of the declaration of invalidity is immediate and effectively back-dated to the day on which the Data Retention Directive entered into force. This raises interesting questions about the status of national implementing data retention laws (and possibly also about costs that service providers have incurred in complying with such laws), and whether the EU legislature will attempt to create an alternative data retention system that respects the limits set out in the ruling.
The Data Retention Directive has been controversial since its inception. In 2003 and subsequently, we argued that the blanket retention of communications data — essentially data about who contacted whom, when, for how long and from what location — is a disproportionate interference with human rights, in particular the right to privacy under Article 8 of the European Convention on Human Rights.
Following two parallel references from the High Court of Ireland and the Constitutional Court of Austria, the CJEU has now ruled in Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and Seitlinger and Others that this is indeed the case (relying on the analogous right to privacy under Article 7 of the Charter of Fundamental Rights of the European Union (the “Charter”)). The CJEU also added that the Data Retention Directive infringes the fundamental right to protection of personal data under Article 8 of the Charter.
The CJEU took the view that retaining communications data permits very precise conclusions to be drawn about individuals’ private lives, including about their daily habits, movements and social relationships. The Court identified three significant flaws in relation to the retention of and access to communications data under the Directive:
- First, all traffic data of all subscribers and registered users is retained, without differentiation, limitation or exception, entailing “an interference with the fundamental rights of practically the entire European population”.
- Second, the criteria for access to the data are not objective and procedural protections are lacking; for example, access does not require a court or independent administrative body to carry out a prior review.
- Third, data must be retained for at least six months, without any distinction being made regarding the categories of data or their potential usefulness, or based on any objective criteria to ensure that retention is limited to what is strictly necessary.
For these reasons, the CJEU held that the interference with fundamental rights under the Directive is not strictly necessary to meet its stated aims (i.e., to help the fight against serious crime) — a crucial element of the relevant test under Article 52(1) of the Charter and associated case-law. The CJEU also criticized the latitude given to communications providers to consider economic factors when deciding on the level of security to provide, and the lack of an obligation to delete the data at the end of the retention period.
It will take time before the practical implications of the ruling are clear. Already, a Swedish Internet Service Provider announced that it will immediately cease collecting customer traffic data, regardless of the status of Swedish national implementing law. But the broader impact on national law is more complicated. The European Commission was quick to publish an FAQ today noting that, “National legislation needs to be amended only with regard to aspects that become contrary to EU law after a judgment by the European Court of Justice. Furthermore, a finding of invalidity of the Directive does not cancel the ability for Member States under the e-Privacy Directive (2002/58/EC) to oblige retention of data.”
It will also be interesting to observe how law enforcement and Western intelligence services react to this ruling, particularly in light of the recent Snowden revelations and subsequent U.S. government proposals to require telecoms providers to retain communications data for up to 18 months. Those agencies have long defended the lawfulness of bulk collection of communications data through programs such as TEMPORA, precisely because they involve retaining metadata rather than content, and the data is adequately protected. Those programs are now also facing a legal challenge before the CJEU, in a case brought by the Privacy Not Prism coalition of UK civil society groups.
[1] Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC (OJ 2006 L 105, p. 54).