ECJ finds Data Retention Directive invalid. What next?

On 8 April 2014 the European Court of Justice ruled that the Data Retention Directive 2006/24/EC interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data. The Directive is declared invalid. Today’s post by Sylvie Rousseau and Matthias Vierstraete explains what the court decided and the implications for national laws across Europe.

A. The Directive

Directive 2006/24/EC strives for harmonization of the Member States’ national legislations providing for the retention of data by providers of publicly available electronic communications services or of a public communications network for the prevention, investigation, detection and prosecution of criminal offences. The initial intention was that service and network providers would be freed from legal and technical differences between national provisions.

The Directive and the national laws implementing it were often criticized. The main argument was that massive data retention endangers the right to privacy. The advocates of the rules, however, argued that they were necessary for authorities to investigate and prosecute organized crime and terrorism.

B. The Court of Justice

By way of preliminary rulings referred to the Court of Justice of the European Union, the Irish High Court and the Austrian Constitutional Court asked the Court of Justice to examine the validity of the Directive, in particular in the light of two fundamental rights under the Charter of Fundamental Rights of the EU, namely the fundamental right to respect for private life and the fundamental right to the protection of personal data.

Analysis of the data to be retained
The Court of Justice verified the data which providers must retain pursuant to the Directive. This data includes data necessary to trace and identify the source of a communication and its destination, to identify the date, time, duration and type of a communication, to identify the location of mobile equipment, the name and address of the user, the number called, IP addresses, etc. The Court observes that the retention of this data makes it possible to know the identity of the participants in communications, to identify the time of the communication, the place from where the communication took place and the frequency of communications with certain persons (§26).

This data, according to the Court, allows very precise conclusions concerning the private lives of the persons whose data has been retained, such as habits of everyday life, places of residence, movements, social relationships and social environments frequented.

Analysis of the interference with fundamental rights
The Court comes to the conclusion that both requiring the retention of the data and allowing competent national authorities to access those data constitute in themselves an interference with the fundamental right to respect for private life and with the fundamental right to the protection of personal data (Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, respectively) (§32 – 36).

The Court agrees with the Advocate General when it states that the interference is “particularly serious”. The Court in this respect holds that “the fact that data are retained and subsequently used without the subscriber or registered user being informed is likely to generate in the minds of the person concerned the feeling that their private lives are the subject of constant surveillance” (§37).

According to the Court, this interference is not only serious but also unjustified. Although the retention of data as required by the Directive does not as such adversely affect the essence of the respect for private life and protection of personal data (the content of the communications as such may not be reviewed) and the Directive genuinely satisfies an objective of general interest (public security), the Court is of the opinion that the Directive has exceeded the limits imposed by the proportionality principle (§69):

  • The Directive covers all persons and all means of electronic communications as well as all traffic data without any differentiation, limitation or exception being made in the light of the objective of fighting against serious crime (§57);
  • The Directive fails to lay down any objective criterion by which to determine the limits of the access of the competent national authorities to data and their subsequent use (§60);
  • The data retention period is set at between a minimum of 6 months and a maximum of 24 months without any distinction being made between categories of data and not stating that the determination of the period must be based on objective criteria (§63 – 64);
  • The Directive does not provide for sufficient safeguards to ensure effective protection of data against the risk of abuse and against unlawful access and use (§66);
  • The Directive does not require data to be retained within the EU and thus does not meet the Charter’s requirement that compliance control by an independent authority is ensured.

The Court of Justice thus declares the Directive invalid.

C. What’s next?

Following the Court’s invalidation of the Directive, one could wonder how this will affect European legislation and national legislation.

Europe
The invalidity ruled by the Court applies from the day on which the Directive entered into force. It is as if the Directive never existed.

The European Commission stated in a first reaction that it “will now carefully assess the verdict and its impacts”. It is not clear whether the Commission will draft new legislation replacing the invalidated Directive. Taking into account the fact that the current Commission’s term only runs until 31 October 2014, a new law is not expected to be put forward soon.

Member States
Member States having transposed the Directive into national laws may now consider the future of these laws.

Where a national law is a literal transposition of the now invalidated Directive, that national law meets with the same fate. One may consider that in such a situation Member States should redraft their laws in order to be in line with the relevant Directives (95/46/EC and 2002/58/EC) and the Charter of Fundamental Rights of the European Union.

If national law deviates from the Directive, Member States should assess whether the deviations are in line with the relevant Directives (95/46/EC and 2002/58/EC) and the Charter of Fundamental Rights of the European Union.

The Court of Justice’s ruling may also have an impact on national cases concerning the legality of national laws implementing the Directive, as there are several cases pending before the constitutional courts.

  • Austria and Ireland are obviously at the basis of the European Court of Justice’s ruling, following their constitutional courts’ requests for a preliminary ruling concerning the validity of Directive 2006/24/EC;
  • Belgium: On 24 February 2014, the Belgian “Liga voor Mensenrechten” and “Ligue des droits de l’Homme” together filed a complaint before the constitutional court in order to obtain cancellation of the Belgian law implementing the Directive. The complaint was funded through crowdfunding. Following the Court of Justice’s ruling, some political parties have already asked the government to take the necessary steps and to amend the current legislation;
  • Bulgaria: In 2008, the Bulgarian Constitutional Court found part of the national law incompatible with the right to privacy;
  • France: In 2006, the French Constitutional Court ruled that French law provisions similar to those provided for in the Directive are not contrary to the constitution. However, in December 2013, the French data protection authority (CNIL) reacted vigorously against a new law enabling certain ministries, including the French secret services, to access data retained by telecommunications operators, internet and hosting service providers, without prior approval from a judge. On that occasion, the CNIL called for a national debate on surveillance issues, which could be influenced by the ECJ’s recent ruling;
  • Germany: The German Constitutional Court already declared the German implementing act unconstitutional in 2010;
  • Romania: In 2009, the Romanian Constitutional Court declared the national law on data retention unconstitutional as breaching, among others, the right to privacy and the secrecy of correspondence;
  • Slovakia: In 2012, a complaint was filed before the constitutional court in order to assess the conformity with the constitution;
  • Spain: The Directive was implemented into national laws in 2007. The Spanish data protection authority (AEPD) had voiced its reservations about the Directive and requested the Government to accompany the implementation of these rules with measures curtailing the impact on data subjects’ privacy;
  • Sweden: In May 2013, Sweden was ordered to pay the European Commission 3 million EUR because it had failed in its obligation to implement the Directive in time;
  • United Kingdom: As yet there has been no official comment from the UK government or the Information Commissioner on the ruling of the Court of Justice. Controversial 2012 proposals for a Communications Data Bill to overhaul and significantly extend the UK’s data retention obligations were already in the political long grass – and the Court of Justice’s ruling means they are likely to stay there as we understand it.

European Data Protection Supervisor questions need for Data Retention Directive: no public reply from the spooks expected…

This week the European Data Protection Supervisor (EDPS) published an opinion that concludes that:

“the Data Retention Directive does not meet the requirements set out by the rights to privacy and data protection, for the following reasons:

  • the necessity of data retention as provided for in the Data Retention Directive has not been sufficiently demonstrated;
  • data retention could have been regulated in a less privacy-intrusive way; and
  • the Data Retention Directive lacks foreseeability.”

and goes on to:  

“…call upon the Commission to consider seriously all options in the impact assessment including the possibility of repealing the Directive, either per se or combined with a proposal for an alternative, more targeted EU measure.

A future Data Retention Directive could be considered only if there were agreement on the need for EU rules from the perspective of the internal market and police and judicial cooperation in criminal matters and if, during the impact assessment, the necessity of data retention, supported and regulated by the EU, could be sufficiently demonstrated, which includes a careful consideration of alternative measures. Such an instrument should fulfil the following basic requirements:

  • It should be comprehensive and genuinely harmonise rules on the obligation to retain data, as well as on the access and further use of the data by competent authorities.
  • It should be exhaustive, which means that it has a clear and precise purpose; and the legal loophole which exists with Article 15(1) of the ePrivacy Directive is closed.
  • It should be proportionate and not go beyond what is necessary.”

The opinion is not entirely unexpected. The EDPS published a critical opinion in 2005 before the Data Retention Directive was implemented, and more recently intervened in a case before the ECJ challenging the validity of the Directive.

At the heart of this debate is where the line between the interests of the state and the interests of the individual is drawn. That is ultimately a political rather than a legal debate, although the legal framework of article 8 of the European Convention on Human Rights and articles 7 and 8 of the EU Charter of Fundamental Rights clearly provides a locus for the courts to intervene and is the backdrop against which the EU legislates.

It is difficult to accurately track both sides of this debate, as whilst the EDPS sets out the case for the interests of individuals, the case for the state interfering with individuals’ rights for the purposes of preventing serious crime for the benefit of society has in general not been well articulated by the relevant security agencies that are not used to engaging in public debate, but rather tend to prefer influencing ‘behind the scenes’. Put another way, I am not expecting a contrary view to be published any time soon by a joint committee of the various national security services and agencies – instead their views will be filtered through national representatives within the Council.

As a result, it isn’t clear what the next steps will be. There is no doubt that the Data Retention Directive was in part a knee-jerk reaction to terrorist attacks and that there are serious questions about its legal validity (discussed in detail in the EDPS opinion). However, the influence of those putting the (less public) counter-arguments leads me to think that it is highly likely that data retention requirements will survive for the foreseeable future, albeit in an attenuated and more closely controlled form.

 

Europe to review data retention rules

Readers will recall from the curious case of Mr Spitz that European telecoms operators already retain very large amounts of information about their customers. In an evaluation report adopted today by the European Commission, the Commission proposes to review the existing rules.

The Commission summarises the main findings of the report as:

  • Most Member States take the view that EU rules on data retention remain necessary for law enforcement, the protection of victims and the criminal justice systems. As a criminal investigation tool, the use of data related to telephone numbers, IP addresses or mobile phone identifiers has resulted in convictions of offenders and acquittals of innocent persons.
  • Member States differ in how they apply data retention. For example, retention periods vary between 6 months and 2 years, and the purposes for which data may be accessed and used, as well as the legal procedures for accessing the data, vary considerably.
  • Given that the Directive only seeks to partially harmonise national rules, it is not surprising that a common approach has not emerged in this area. The overall low level of harmonisation can however create difficulties for telecommunication service providers and in particular smaller operators. Operators are reimbursed differently across the EU for the cost of retaining and giving access to data. The Commission will consider ways of providing more consistent reimbursement of the costs.
  • Data retention represents a significant limitation on the right to privacy. Whilst there are no concrete examples of serious breaches of privacy, the risk of data security breaches will remain unless further safeguards are put in place. The Commission will therefore consider more stringent regulation of storage, access to and use of the retained data.

The Commission will now commence a consultation with stakeholders prior to publishing its proposed amendments to the existing Data Protection Directive.

This area is very sensitive politically, as it draws one of the lines between the interest of the state and the interests of citizens. As such some countries have delayed implementation of existing rules and in others their legality has been subject to challenge. It remains to be seen how the Commission will seek to meaningfully engage on those issues which are not really addressed to a substantive extent in the report.

Mobile operators obliged to retain location information across Europe

There has been some coverage recently of the case of Mr Spitz. Malte Spitz is a German green party politician and privacy advocate. He went to court to obtain details of the location information stored by his mobile phone provider and discovered that over a six-month period they had stored over 35,000 items of geographic information. He was concerned enough to ask a newspaper to help him map the data – you can see the results here.

For those familiar with the amount and type of information stored by mobile networks it is not perhaps surprising, but it graphically demonstrates the amount of information stored.

What has not been picked up widely in the reports is that the requirement to store this type of information exists across Europe as a result of the implementation of the Data Retention Directive, which was introduced in the wake of 9/11 to address national security concerns. Whilst the Directive gives Member States some latitude on its implementation, article 5 (f) requires the retention of:

‘…data necessary to identify the location of mobile communication equipment:

(1) the location label (Cell ID) at the start of the communication; and

(2) data identifying the geographic location of cells by reference to their location labels (Cell ID) during the period for which communications data are retained.’

Details of how this requirement has been implemented in the UK can be found here.