The Court of Justice of the European Communities today gave its ruling in Case C-301/06 Ireland v Parliament and Council. This was an action to annul Directive 2006/24 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks (as amended), on the ground that it was not adopted on an appropriate legal basis. The Court, following the recommendation of the Advocate General last October (noted by Datonomy here), dismissed Ireland’s action.
In short, back in 2004 the French Republic, Ireland, Sweden and the UK submitted to the Council a proposal for a framework decision on the retention of data processed and stored in connection with the provision of publicly available electronic communications services or data in public communication networks for the purposes of the prevention, investigation, detection and prosecution of criminal offences, including terrorism.
The Commission said that Article 47 EU –- which gives power to legislate for police and judicial enforcement in criminal matters — did not allow an instrument based on the EU Treaty to affect the acquis communautaire (in this instance Directives 95/46 and 2002/58). Taking the view that the determination of the categories of data to be retained and of the relevant retention period fell within the competence of the Community legislature, the Commission eventually adopted a proposal, based on Article 95 EC (which empowers it to legislate for the internal market), for what eventually became Directive 2006/24. This Directive was adopted by qualified majority in 2006. Ireland and the Slovak Republic voted against the adoption of that directive. Ireland then brought these proceedings to challenge the Directive’s validity.
According to the Curia press release:
“The Court observes that, prior to adoption of the directive, several Member States had introduced measures designed to impose obligations on service providers in regard to data retention and that those measures differed substantially, particularly in respect of the nature of the data retained and the respective retention periods. Those obligations have significant economic implications for service providers in so far as they may involve substantial investment and operating costs. Furthermore, it was entirely foreseeable that Member States which did not yet have such rules would introduce rules in that area which were likely to accentuate even further the differences between the various existing national measures. Thus, it was apparent that these differences would have a direct impact on the functioning of the internal market and that it was foreseeable that that impact would become more serious with the passage of time. Such a situation justified the Community legislature in pursuing the objective of safeguarding the proper functioning of the internal market thought the adoption of harmonised rules.
The Court also notes that the data retention directive amended the provisions of the directive on the protection of privacy in the electronic communications sector, which is itself based on Article 95 EC. In those circumstances, in so far as it amends an existing directive which is part of the acquis communautaire, the directive could not be based on a provision of the EU Treaty without infringing Article 47 EU.
Finally, the Court finds that the provisions of the directive are essentially limited to the activities of service providers and do not govern access to data or the use thereof by the police or judicial authorities of the Member States. The measures provided for by the directive do not, in themselves, involve intervention by the police or law-enforcement authorities of the Member States. Those issues, which fall in principle within the domain covered by police and judicial cooperation in criminal matters, have been excluded from the provisions of the directive. The Court therefore concludes that the directive relates predominately to the functioning of the internal market”.
While neither the Advocate General nor the Court had any doubt in this matter, it still seems both strange and inherently undesirable that data protection measures should derive their legal validity from the power to legislate for the internal market. Readers’ views on this decision are of course welcome.