On 8 April 2014, the Court of Justice declared the Data Retention Directive to be invalid in a decision which could have potentially far-reaching consequences across the EU.
The decision was made in light of concerns that the Directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data.
Background to the Data Retention Directive
The Data Retention Directive (Directive 2006/24/EC) (the “Directive”) came into force following a series of terrorist attacks in Europe which highlighted the need to harmonise laws across Member States. The key objective of the Directive is to require Member States to ensure that certain data (including traffic and location data) is retained by communication providers for the purpose of investigation, detection and prosecution of serious crimes.
The UK implemented the Directive for fixed and mobile telephony services through the Data Retention (EC Directive) Regulations 2007. This was followed by the Data Retention (EC Directive) Regulations 2009 which extended the scope to the internet and replaced the 2007 regulations.
The Directive allowed Member States to impose a data retention period between 6 and 24 months, with the UK opting for a 12 month retention period.
The Case – Digital Rights Ireland and Seitlinger and Others (C-293/12 and C-594-12)
The Irish High Court and Austrian Constitutional Court asked the Court of Justice to assess the validity of the Directive in light of the fundamental rights to respect for private life and protection of personal data.
The reference by the Irish Court concerned the legality of national legislative measures regarding the retention of data relating to electronic communications. The Austrian Court raised questions concerning actions brought by a number of individuals challenging the national provisions which transpose the Directive into Austrian law.
Decision of the Court of Justice
The Court of Justice ruled that the Directive disproportionately infringes on individuals' fundamental rights to privacy and protection of personal data. The Court therefore declared the Directive to be invalid and some of the key concerns identified in reaching this decision were as follows:
- Generality of the Directive: it covers all individuals, all means of electronic communication and all traffic data without differentiation, limitation or exception.
- Lack of objective criterion: the Directive fails to set out objective criterion and procedures to ensure that competent national authorities have access to the data and use such data for the relevant purposes.
- Data retention period: the minimum retention period imposed is at least six months, regardless of the type of data or the possible usefulness of such data in relation to the objective pursued. Further, retention is permitted up to a period of two years without any objective criteria to determine what period is strictly necessary.
- Risk of abuse: the Directive does not provide for sufficient safeguards to ensure effective protection of the data against the risk of abuse and unlawful access and use of the data.
- Absence of retention within the EU: there is no requirement that the data be retained within the EU, therefore the Directive does not adequately ensure compliance with the rules.
The declaration of invalidity will apply retrospectively from the date the Directive entered into force. The precise impact on national implementing legislation will depend on the extent to which the national laws of Member States are a literal transposition of the now invalidated Directive or whether there are deviations in the implementation. Guidance released by the European Commission shortly after the decision suggests that national legislation will only need to be amended with regard to aspects that become contrary to EU law following the judgment.
At UK level, whilst the implementing Data Retention Regulations will not be automatically void following the decision, it seems that legislative changes will be needed going forwards in order to meet the proportionately concerns identified by the Court of Justice. In addition, the decision will cast even further doubt on the Government’s draft Communications Data Bill which proposes extending the existing communications data retention requirements.
Telecom service providers and ISPs will need to carefully follow developments and there is likely to be a period of legal uncertainty as to whether their retention of data may now risk violating individuals’ fundamental rights of privacy and protection of data. In the on-going debate between privacy and surveillance, the decision will clearly be received well among privacy groups.
The European Commission has confirmed that it will now assess the verdict and its implications.