Late last week, the Article 29 Working Party released a short press statement announcing that it had agreed guidance for the implementation of the May 2014 CJEU ruling against Google on the “right to be forgotten.” See our first post on the Working Party’s guidance here. The Working Party has now published a full
Yesterday, the Article 29 Working Party group of European privacy regulators released a short press release describing the results of its most recent plenary meeting, in which the right to be forgotten was discussed.
The “right to be forgotten” refers to a “new” right that the Court of Justice of the European Union (CJEU) read into the Data Protection Directive (95/46/EC) in the May 2014 case, Google Spain v AEPD and Mario Costeja González (C-131/12). At its heart, the right to be forgotten (RTBF) enables European Union residents to request that search engines to take down certain types of search results based on searches of the requestor’s individual name. For example, the right enables requests to take down “irrelevant” or out of date search results.…
Covington will be hosting a book launch for the 2014 title ‘Data Protection & Privacy Law 2nd Edition’, edited by Monika Kuschewsky, in partnership with The European Lawyer (Thomson Reuters) on September 23, 2014 in Brussels. The event will comprise a half-day workshop followed by a drinks reception. We are pleased to confirm…
By Philippe Bradley and Mark Young
The Court of Justice of the European Union (CJEU) today held that the EU Data Retention Directive (Directive 2006/24/EC)1 is invalid. The CJEU ruled that the retention of data under the Directive constitutes an impermissibly broad and serious interference with fundamental human rights to private life and the protection of personal data.
The Data Retention Directive requires all EU Member States to ensure that communications service providers retain certain traffic, location and related data necessary to identify subscribers or users in relation to every communication carried (“communications data”), for the purpose of investigating, detecting and prosecuting “serious crime”, as defined by national law. Today, the CJEU ruled that the Directive is unlawful despite its legitimate aim and the measures it put in place to protect retained data, and regardless of the fact that it does not require the content of communications to be retained.
The effect of the declaration of invalidity is immediate and effectively back-dated to the day on which the Data Retention Directive entered into force. This raises interesting questions about the status of national implementing data retention laws (and possibly also about costs that service providers have incurred in complying with such laws), and whether the EU legislature will attempt to create an alternative data retention system that respects the limits set out in the ruling.…
By Maria-Martina Yalamova & Mark Young
On 12 December 2013, the Advocate General (“AG”) to the Court of Justice of the European Union (the “CJEU”), Mr Cruz Villalón, gave an opinion that the EU’s Data Retention Directive 2006/24/EC (the “Directive”) violates the fundamental right to privacy in the EU. His reason, in short, is that the Directive mandates the blanket retention of citizens’ traffic and location data by telecom companies, but fails to establish rules on minimum guarantees regarding access to and use of such data.
This is not the first time the lawfulness of the Directive has been challenged. Originally introduced to help fight serious crime and terrorism, the Directive quickly became one of the most controversial pieces of European legislation. In 2011, the European Commission identified in its evaluation report several flaws, such as a lack of clear guidance on what constitutes “serious crime” and on the purposes for which data can be retained and accessed. The European Data Protection Supervisor (EDPS) (see 2011 opinion here), the Article 29 Working Party (see 2010 report here and 2006 Opinion here), and civil rights groups have also publically expressed doubts about the lawfulness of the data retention measures. In addition, the constitutional courts of Germany, the Czech Republic and Romania have ruled that national laws implementing the Directive are unconstitutional as they violate the right to privacy.