Data Retention Directive

By Maria-Martina Yalamova & Mark Young

On 12 December 2013, the Advocate General (“AG”) to the Court of Justice of the European Union (the “CJEU”), Mr Cruz Villalón, gave an opinion that the EU’s Data Retention Directive 2006/24/EC (the “Directive”) violates the fundamental right to privacy in the EU.  His reason, in short, is that the Directive mandates the blanket retention of citizens’ traffic and location data by telecom companies, but fails to establish rules on minimum guarantees regarding access to and use of such data.  

This is not the first time the lawfulness of the Directive has been challenged.  Originally introduced to help fight serious crime and terrorism, the Directive quickly became one of the most controversial pieces of European legislation.  In 2011, the European Commission identified in its evaluation report several flaws, such as a lack of clear guidance on what constitutes “serious crime” and on the purposes for which data can be retained and accessed.  The European Data Protection Supervisor (EDPS) (see 2011 opinion here), the Article 29 Working Party (see 2010 report here and 2006 Opinion here), and civil rights groups have also publically expressed doubts about the lawfulness of the data retention measures.  In addition, the constitutional courts of Germany, the Czech Republic and Romania have ruled that national laws implementing the Directive are unconstitutional as they violate the right to privacy. 

Continue Reading Advocate General finds the EU’s Data Retention Directive Incompatible with the Fundamental Right to Privacy

On Thursday, the Court of Justice of the EU ordered Sweden to pay a lump sum of €3 million for failure to transpose the EU’s Data Retention Directive (the “Directive”) into national law within the prescribed period.  The Directive obliges electronic communications service providers to store information about communications for a period of 6 – 24 months in case they are needed by law enforcement authorities.  The deadline for EU Member States to transpose the Directive had expired on September 15, 2007.  In 2010, following an initial action brought by the European Commission, the Court held that Sweden had exceeded the time limit for adopting the laws, regulations and administrative provisions necessary to comply with the Directive.

In 2011, the Commission brought a subsequent action, asking the Court to order Sweden to pay a daily penalty for each day that Sweden delays in complying with that judgment.  In March 2012, however, the Swedish Parliament adopted measures transposing the Directive into Swedish legislation.  As a result, the Commission withdrew the request for a daily penalty payment, but maintained its claim regarding the payment of a lump sum.

In Thursday’s judgment, the Court held that it was necessary to order Sweden to make a lump sum payment as it had failed to fulfill its obligations under EU law.  In particular, the Court considered the impact of Sweden’s failure on both public and private interests, especially in view of the Directive’s aim to ensure that electronics communications data are available for the purpose of the investigation, detection and protection of serious crime. In calculating the amount,  the Court also considered the duration of the continuation of the infringement of over two years and the fact that Sweden was a first time “offender.”Continue Reading Sweden Hit with €3M Penalty Payment For Delay in Transposing Data Retention Directive

Today the European Commission adopted an evaluation report on the Data Retention Directive.  This Directive requires EU Member States to ensure that telecommunications service providers retain certain categories of data for the purpose of investigations, detection and prosecution of  serious crime, as defined by the national law of the Member States.  Since its adoption in