By Philippe Bradley and Mark Young

The Court of Justice of the European Union (CJEU) today held that the EU Data Retention Directive (Directive 2006/24/EC)[1] is invalid.  The CJEU ruled that the retention of data under the Directive constitutes an impermissibly broad and serious interference with fundamental human rights to private life and the protection of personal data.

The Data Retention Directive requires all EU Member States to ensure that communications service providers retain certain traffic, location and related data necessary to identify subscribers or users in relation to every communication carried (“communications data”), for the purpose of investigating, detecting and prosecuting “serious crime”, as defined by national law.  Today, the CJEU ruled that the Directive is unlawful despite its legitimate aim and the measures it put in place to protect retained data, and regardless of the fact that it does not require the content of communications to be retained.

The effect of the declaration of invalidity is immediate and effectively back-dated to the day on which the Data Retention Directive entered into force.  This raises interesting questions about the status of national implementing data retention laws (and possibly also about costs that service providers have incurred in complying with such laws), and whether the EU legislature will attempt to create an alternative data retention system that respects the limits set out in the ruling.

The Data Retention Directive has been controversial since its inception.  In 2003 and subsequently, we argued that the blanket retention of communications data — essentially data about who contacted whom, when, for how long and from what location — is a disproportionate interference with human rights, in particular the right to privacy under Article 8 of the European Convention on Human Rights.

Following two parallel references from the High Court of Ireland and the Constitutional Court of Austria, the CJEU has now ruled in Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and Seitlinger and Others that this is indeed the case (relying on the analogous right to privacy under Article 7 of the Charter of Fundamental Rights of the European Union (the “Charter”)).  The CJEU also added that the Data Retention Directive infringes the fundamental right to protection of personal data under Article 8 of the Charter.

The CJEU took the view that retaining communications data permits very precise conclusions to be drawn about individuals’ private lives, including about their daily habits, movements and social relationships.  The Court identified three significant flaws in relation to the retention of and access to communications data under the Directive:

  • First, all traffic data of all subscribers and registered users is retained, without differentiation, limitation or exception, entailing “an interference with the fundamental rights of practically the entire European population”. 
  • Second, the criteria for access to the data are not objective and procedural protections are lacking; for example, access does not require a court or independent administrative body to carry out a prior review.
  • Third, data must be retained for at least six months, without any distinction being made regarding the categories of data or their potential usefulness, or based on any objective criteria to ensure that retention is limited to what is strictly necessary.

For these reasons, the CJEU held that the interference with fundamental rights under the Directive is not strictly necessary to meet its stated aims (i.e., to help the fight against serious crime) — a crucial element of the relevant test under Article 52(1) of the Charter and associated case-law.  The CJEU also criticized the latitude given to communications providers to consider economic factors when deciding on the level of security to provide, and the lack of an obligation to delete the data at the end of the retention period. 

It will take time before the practical implications of the ruling are clear.  Already, a Swedish Internet Service Provider announced that it will immediately cease collecting customer traffic data, regardless of the status of Swedish national implementing law.  But the broader impact on national law is more complicated.  The European Commission was quick to publish an FAQ today noting that, “National legislation needs to be amended only with regard to aspects that become contrary to EU law after a judgment by the European Court of Justice. Furthermore, a finding of invalidity of the Directive does not cancel the ability for Member States under the e-Privacy Directive (2002/58/EC) to oblige retention of data.”

It will also be interesting to observe how law enforcement and Western intelligence services react to this ruling, particularly in light of the recent Snowden revelations and subsequent U.S. government proposals to require telecoms providers to retain communications data for up to 18 months.  Those agencies have long defended the lawfulness of bulk collection of communications data through programs such as TEMPORA, precisely because they involve retaining metadata rather than content, and the data is adequately protected.  Those programs are now also facing a legal challenge before the CJEU, in a case brought by the Privacy Not Prism coalition of UK civil society groups.

[1] Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC (OJ 2006 L 105, p. 54).

Mark Young is an experienced tech regulatory lawyer and a vice-chair of Covington’s Data Privacy and Cybersecurity Practice Group. He advises major global companies on their most challenging data privacy compliance matters and investigations. Mark also leads on EMEA cybersecurity matters at the firm. In these contexts, he has worked closely with some of the world’s leading technology and life sciences companies and other multinationals.

Mark has been recognized for several years in Chambers UK as “a trusted adviser – practical, results-oriented and an expert in the field;” “fast, thorough and responsive;” “extremely pragmatic in advice on risk;” “provides thoughtful, strategic guidance and is a pleasure to work with;” and has “great insight into the regulators.” According to the most recent edition (2024), “He’s extremely technologically sophisticated and advises on true issues of first impression, particularly in the field of AI.”

Drawing on over 15 years of experience, Mark specializes in:

  • Advising on potential exposure under GDPR and international data privacy laws in relation to innovative products and services that involve cutting-edge technology, e.g., AI, biometric data, and connected devices.
  • Providing practical guidance on novel uses of personal data, responding to individuals exercising rights, and data transfers, including advising on Binding Corporate Rules (BCRs) and compliance challenges following Brexit and Schrems II.
  • Helping clients respond to investigations by data protection regulators in the UK, EU and globally, and advising on potential follow-on litigation risks.
  • Counseling ad networks (demand and supply side), retailers, and other adtech companies on data privacy compliance relating to programmatic advertising, and providing strategic advice on complaints and claims in a range of jurisdictions.
  • Advising life sciences companies on industry-specific data privacy issues, including:
    • clinical trials and pharmacovigilance;
    • digital health products and services; and
    • engagement with healthcare professionals and marketing programs.
  • International conflict of law issues relating to white collar investigations and data privacy compliance (collecting data from employees and others, international transfers, etc.).
  • Advising various clients on the EU NIS2 Directive and UK NIS regulations and other cybersecurity-related regulations, particularly (i) cloud computing service providers, online marketplaces, social media networks, and other digital infrastructure and service providers, and (ii) medical device and pharma companies, and other manufacturers.
  • Helping a broad range of organizations prepare for and respond to cybersecurity incidents, including personal data breaches, IP and trade secret theft, ransomware, insider threats, supply chain incidents, and state-sponsored attacks. Mark’s incident response expertise includes:
    • supervising technical investigations and providing updates to company boards and leaders;
    • advising on PR and related legal risks following an incident;
    • engaging with law enforcement and government agencies; and
    • advising on notification obligations and other legal risks, and representing clients before regulators around the world.
  • Advising clients on risks and potential liabilities in relation to corporate transactions, especially involving companies that process significant volumes of personal data (e.g., in the adtech, digital identity/anti-fraud, and social network sectors.)
  • Providing strategic advice and advocacy on a range of UK and EU technology law reform issues including data privacy, cybersecurity, ecommerce, eID and trust services, and software-related proposals.
  • Representing clients in connection with references to the Court of Justice of the EU.