The European Court of Justice (ECJ), the top court in the European Union, has ruled that an EU-wide law that requires telecoms companies to store user-data for up to two years so it can be handed over to law enforcement authorities is invalid.
The EU Data Retention Directive came into force in 2006, requiring Member States to retain communications data for fixed line, mobile telephony and Internet communications, such as the calling telephone number and the name and address of service subscribers/users — and to make the retained data available on request to law enforcement authorities.
The law was characterized as an anti-terrorism measure aimed at protecting the public, and a way for law enforcement authorities to combat other crimes.
However, the ECJ has ruled the directive is invalid on right-to-privacy grounds — specifically flagging up a clash with two fundamental rights under the Charter of Fundamental Rights of the E.U.: “namely the fundamental right to respect for private life and the fundamental right to the protection of personal data”.
The ruling boils down to a view that the directive is disproportionate. In a press release the ECJ notes that the directive “interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data”.
It also argues, in what could be couched as a post-Snowden observation, that the law is likely to generate a feeling that citizens’ private lives are “the subject of constant surveillance”.
“The Court is of the opinion that, by adopting the Data Retention Directive, the EU legislature has exceeded the limits imposed by compliance with the principle of proportionality,” it adds.
The ECJ takes particular issue with the generalised approach of the data retention law, noting that it covers “all individuals, all means of electronic communication and all traffic data without any differentiation, limitation or exception being made in the light of the objective of fighting against serious crime.”.
So, in other words, it’s the dragnet nature of the directive that’s causing a clash with EU citizens’ fundamental rights.
Another problem, in the ECJ’s view, is the directive’s failure to “lay down any objective criterion” to ensure that national authorities do not misuse their ability to access to citizens’ personal comms data for overreaching data-fishing expeditions. i.e. rather than specifically for…
…prevention, detection or criminal prosecutions concerning offences that, in view of the extent and seriousness of the interference with the fundamental rights in question, may be considered to be sufficiently serious to justify such an interference
The ECJ also flags up the directive’s failure to establish objective criteria for determining the length of the data retention period — which is set at a minimum of six months but can be as long as two years.
It is also unhappy at security measures covering the retained data, noting a lack of sufficient safeguards against the risk of abuse and unlawful access to the data. And also flagging up that the directive does not ensure the “irreversible destruction” of the data at the end of the retention period.
Finally, the ECJ notes the problematic fact that the directive does not require the data be retained within the E.U., which thus introduces another compliance failure regarding the fundamental rights attached to personal data set out in the Charter:
Therefore, the directive does not fully ensure the control of compliance with the requirements of protection and security by an independent authority, as is, however, explicitly required by the Charter. Such a control, carried out on the basis of EU law, is an essential component of the protection of individuals with regard to the processing of personal data.
The ECJ’s review of the directive was triggered by a request by the Irish and Austrian courts to examine the validity of the law.
The European Union is also in the process of comprehensively reforming EU Data Protection law — and today’s unpicking of the 2006 directive by the ECJ should be seen in that wider context of an acceptance of the need for data protection legislation reform in the E.U.
In a statement following the Court’s ruling, the EC’s Commissioner for Home Affairs, Cecilia Malmström, said: “The judgment of the Court brings clarity and confirms the critical conclusions in terms of proportionality of the Commission’s evaluation report of 2011 on the implementation of the data retention directive.”
“The European Commission will now carefully asses the verdict and its impacts. The Commission will take its work forward in light of progress made in relation to the revision of the e-Privacy directive and taking into account the negotiations on the data protection framework,” she added.