On 8 April 2014 the European Court of Justice ruled that the Data Retention Directive 2006/24/EC interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data. The Directive is declared invalid.
A. The Directive
Directive 2006/24/EC strives for harmonization of the Member States’ national legislations providing for the retention of data by providers of publicly available electronic communications services or of a public communications network for the prevention, investigation, detection and prosecution of criminal offences. The initial intention was that service and network providers would be freed from legal and technical differences between national provisions.
The Directive and national laws implementing the Directive were often criticized. The main argument being that massive data retention was said to endanger the right to privacy. The advocates of the rules, however, argued that these rules were necessary for authorities to investigate and prosecute organized crime and terrorism.
B. The Court of Justice
By way of preliminary rulings referred to the Court of Justice of the European Union, the Irish High Court and the Austrian Constitutional Court asked the Court of Justice to examine the validity of the Directive, in particular in the light of two fundamental rights under the Charter of Fundamental Rights of the EU, namely the fundamental right to respect for private life and the fundamental right to the protection of personal data.
- Analysis of the data to be retained
The Court of Justice verified the data which providers must retain pursuant to the Directive. This data includes data necessary to trace and identify the source of a communication and its destination, to identify the date, time, duration and type of a communication, to identify the location of mobile equipment, the name and address of the user, the number called, IP addresses, etc. The Court observes that the retention of this data makes it possible to know the identity of the participants in communications, to identify the time of the communication, the place from where the communication took place and the frequency of communications with certain persons (§26).
This data, according to the Court allows very precise conclusions concerning private lives of persons whose data has been retained, such as habits of everyday life, places of residence, movements, social relationships and social environments frequented.
- Analysis of the interference with fundamental rights
The Court comes to the conclusion that both requiring the retention of the data and allowing competent national authorities to access those data constitutes in itself interference with the fundamental right to respect for private life and with the fundamental right to the protection of personal data (respectively articles 7 and 8 of the Charter of Fundamental Rights of the European Union) (§ 32 – 36).
The Court agrees with the Advocate General when it states that the interference is “particularly serious”. The Court in this respect holds that “the fact that data are retained and subsequently used without the subscriber or registered user being informed is likely to generate in the minds of the person concerned the feeling that their private lives are the subject of constant surveillance” (§37).
This interference is according to the Court not only serious, but moreover it is not justified. Besides the fact that the retention of data as required by the Directive does not as such adversely affect the essence of the respect for private life and protection of personal data (content of the communications as such may not be reviewed) and the Directive genuinely satisfies an objective of general interest (public security), the Court is of the opinion that the Directive has exceeded the limits imposed by the proportionality principle (§69):
- The Directive covers all persons and all means of electronic communications as well as all traffic data without any differentiation, limitation or exception being made in the light of the objective of fighting against serious crime (§57);
- The Directive fails to lay down any objective criterion by which to determine the limits of the access of the competent national authorities to data and their subsequent use (§60);
- The data retention period is set at between a minimum of 6 months and a maximum of 24 months without any distinction being made between categories of data and not stating that the determination of the period must be based on objective criteria (§63 – 64);
- The Directive does not provide for sufficient safeguards to ensure effective protection of data against the risk of abuse and against unlawful access and use (§66);
- The Directive does not require data to be retained within the EU and thus does not meet the Charter’s requirement that compliance control by an independent authority is ensured.
The Court of Justice thus declares the Directive invalid.
C. What’s next?
Following the Court’s invalidation of the Directive, one could wonder how this will affect European legislation and national legislation.
The invalidity ruled by the Court applies from the day where the Directive entered into force. It is as if the Directive never existed.
The European Commission stated in a first reaction that it “will now carefully asses the verdict and its impacts”. It is not clear whether the Commission will draft new legislation replacing the invalidated Directive. Taking into account the fact that the current Commission’s term only runs until 31 October 2014, it is not much anticipated that new law will be put forward soon.
- Member States
Member States having transposed the Directive into national laws may now consider the future of these laws.
In case their national law is a literal transposition of the now invalidated Directive, the national laws meet with the same fate. One may consider that in such situation Member States should redraft their laws in order to be in line with the relevant Directives (95/46/EC and 2002/58/EC) and the Charter of Fundamental Rights of the European Union.
If national law deviates from the Directive, Member States should assess whether the deviations are in line with the relevant Directives (95/46/EC and 2002/58/EC) and the Charter of Fundamental Rights of the European Union.
The Court of Justice’s ruling may also have an impact on national cases concerning the legality of national laws implementing the Directive, as there are several cases pending before the constitutional courts.
- Austria and Ireland are obviously at the basis of the European Court of Justice’s ruling, following their constitutional courts’ requests for a preliminary ruling concerning the validity of Directive 2006/24/EC;
- Belgium: On 24 February 2014, the Belgian “Liga voor Mensenrechten” and “Ligue des droits de l’Homme” together filed a complaint before the constitutional court in order to obtain cancellation of the Belgian law implementing the Directive. The complaint was funded through crowdfunding. Following the Court of Justice’s ruling, some political parties already asked government to take the necessary steps and to amend the current legislation;
- Bulgaria: In 2008, the Bulgarian Constitutional Court found part of the national law incompatible with the right to privacy;
- France: In 2006, the French Constitutional Court ruled that French law provisions similar to those provided for in the Directive are not contrary to the constitution. However, in December 2013, the French data protection authority (CNIL) reacted vigorously against a new law enabling certain ministries, including French secret services, access to data retained by telecommunications operators, internet and hosting service providers, without prior approval from a judge. On that occasion, the CNIL called for a national debate on surveillance issues which could be influenced by the recent ECJ’s ruling.
- Germany: The German Constitutional Court already declared the German implementing act unconstitutional in 2010;
- Romania: In 2009, the Romanian Constitutional Court declared the national law on data retention unconstitutional as breaching, among others the right to privacy and the secrecy of correspondence;
- Slovakia: In 2012, a complaint was filed before the constitutional court in order to assess the conformity with the constitution;
- Spain: The Directive was implemented into national laws in 2007. The Spanish data protection authority (AEPD) had voiced its reservations about the Directive and requested the Government to accompany the implementation of these rules with measures curtailing the impact on data subjects’ privacy;
- Sweden: In May 2013, Sweden was ordered to pay the European Commission 3 million EUR because Sweden had failed its obligation to timely implement the Directive;
- United Kingdom: As yet there has been no official comment from the UK government or the Information Commissioner on the ruling of the Court of Justice. Controversial 2012 proposals for a Communications Data Bill to overhaul and significantly extend the UK’s data retention obligations were already in the political long grass – and the Court of Justice’s ruling means they are likely to stay there as we understand it.
Obviously the current situation creates uncertainties and we understand the issue will be very much discussed in Brussels (and elsewhere) in the coming weeks.
Sylvie Rousseau and Matthias Vierstraete, Olswang Brussels