Today the Court of Justice of the European Union (CJEU) declared the Data Retention Directive to be invalid, based on the fact that ‘the EU legislature has exceeded the limited imposed by compliance with the principle of proportionality’. How did the CJEU come to this decision, what are the governmental responses and what does this mean for harmonisation?
The Directive and the Question
The main objective of the Directive is, as reiterated by the CJEU:
To harmonise Member States’ provisions concerning the retention, by providers of publicly available electronic communications services or of public communications networks, of certain data which are generated or processed by them, in order to ensure that the data are available for the purpose of the prevention, investigation, detection and prosecution of serious crime, such as organised crime and terrorism, in compliance with the rights laid down in Articles 7 and 8 of the Charter.
The question posed to the CJEU, was whether the Directive was indeed in compliance with the right to respect for private life (Art. 7) and the right to the protection of personal data (Art. 8) of the Charter.
The Court of Justice Ruling
The Court takes the view that:
“by requiring the retention of those data and by allowing the competent national authorities to access those data, the directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data. Furthermore, the fact that data are retained and subsequently used without the subscriber or registered user being informed is likely to generate in the persons concerned a feeling that their private lives are the subject of constant surveillance.”
It continued by stating that in this particular case, such interference is justified (paragraphs 41-44), however it is not proportional. The measures adopted exceeded the powers of the legislature in terms of proportionality for the following reasons:
- The Directive fails to differentiate, limit or make exceptions between individuals and means of electronic communication in the light of the objective of fighting against serious crime (paragraphs 57-59).
- The Directive does not lay down objective criteria by which access to the data is granted, the general term of ‘serious crime’ is the only criterion which is insufficiently capable of being a basis on which a sufficient balance of fundamental rights and the goal pursued can be made (paragraphs 60-62).
- The data retention period does not depend on the type of data or the type of crime, it is six months for all. The six months can be extended to 24 months, but no objective criteria are available to determine the exact time between six and 24 months (paragraphs 63-64).
- The lack of sufficient safeguards to ensure that the risk of abuse or unlawful access and use of data is at an acceptable level is also an issue raised by the CJEU. For instance, service providers are allowed by the Directive to have access, to take into account economic considerations when determining the security measures they put in place and the level of that security. Furthermore, there is no specific guarantee that the data is irreversibly destructed after their retention period has expired (paragraphs 66-67).
- The Court also takes issue with the possibility that the Directive leaves for the data to be retained outside the EU, without the safeguards and control that come with retention within the EU (paragraph 68).
The Directive is therefore declared invalid. It is also interesting to note that given the fact that the Court has not limited the temporal effect of its judgment, the declaration of invalidity takes effect from the date on which the Directive entered into force. Meaning, the Directive was never valid to begin with. Hence, all the references made to the Directive by implementing laws in the Member States, refer to a Directive that had never been valid. More interesting is that though the references to a invalid Directive are not necessarily a problem, the content of these implementing laws is. The reasons for the invalidity of the Directive, are codified in the national laws, which are now (or rather, have always been), contrary to EU law.
The Responses of Some Member States’ Officials
The invalidity of the national laws creates an immediate issue. What to do when you know your law is invalid? Well the responses have been diverse.
- Ireland’s Data Protection Commissioner’s office has welcomed the decision by the European Court of Justice (ECJ) on the data retention directive. Ultan O’Carroll, technology adviser with the office, said the ruling was to be welcomed because there was a “balance and proportionality to be struck” between rights and law enforcement which “I think the commissioner believed was not there before”. (Via Irish Times)
- The UK Home Office was a little less enthusiastic and stated via a spokesperson that: “We are considering the judgment and its implications carefully. The retention of communications data is absolutely fundamental to ensure law enforcement have the powers they need to investigate crime, protect the public and ensure national security.” (Via The Guardian)
- The German Minister of the Interior: “Data retention for the purpose of investigating serious crimes is necessary and that remains the case.” Interesting here is that the Directive had never been implemented in Germany itself, as it encountered a lot of court challenges (the Constitutional Court of Germany even annulled a German Law resulting from the Directive). The German Minister further stated that he no longer sees an immediate need for Germany to draft a substitute data retention legislation. (via dw.de)
- The Dutch Deputy Minister was confronted with the ruling today during question time in Parliament. He stated that he and his staff still have to carefully look at the ruling and he will promised that he would inform Parliament within 8 weeks (which was generally considered to be too long by Parliament). He did however state that he would still want to (find a way to) retain certain data for some time. (via nu.nl) Perhaps he needs the 8 weeks to first carefully study the justification of the (former) Directive itself, because he stated that, this type of information is for instance important to ‘locate stolen phones’. If he considers stolen phones a ‘serious crime’ then the invalidity of the Directive is a godsend.
For those countries that have implemented the Directive there are two options, either they repeal the entire law they enacted to implement the Directive, or they very quickly amend the law. The latter is more likely, but creates its own set of problems. The EU itself can also take up the legislative process once more, and draft a new Directive which takes the issues of the CJEU into account. This however, would probably take up too much time for the national legislatures. Although, the President of the European Parliament already talks about the next proposal which the European Commission should work on.
More likely is the scenario in which the national legislature comes up with a very quick amendment to their national law on data retention. With the amendment the national law could become in accordance with EU law again, if the drafters follow the criticism of the CJEU and take the specific criticisms of the Directive into account in their amendment.
This would however, defeat the purpose of harmonisation. If 28 Member States either have none or differing laws as regards data retention, harmonisation is nowhere to be found. The service providers (internet, telephone and the like) that have to retain the data itself, do not necessarily operate within national borders, and will now be subjected to different rules depending on the specific Member State to an even greater extent. It reinvigorates the debate on privacy and security, and restarts the discussion on data retention in a time in which the Snowden-leaks are still making headlines.