What does this cover?
The European Commission (EC) is maintaining its position regarding national data retention laws, commenting in a press release on October that “the decision of whether or not to introduce national data retention laws is a national decision”. The EC has also confirmed that it does not intend to announce new initiatives in this area and "has no intention to go back on this statement or reopen old discussions." In essence, the EC is "neither opposing, nor advocating the introduction of national data retention laws" and will not involve itself in discussions that individual member states are having on this matter.
Since the EU Data Retention Directive was annulled in April 2014 on the basis that blanket infringement was a breach of fundamental rights, EU member states can either create new data retention systems or maintain their current systems, provided they operate within EU law. This is a controversial area, and the EC's intention not to involve itself, will be unsatisfactory to many member states.
Meanwhile, on 22 and 23 October the Court of Appeal were due to hear the UK government's appeal to a decision of the High Court in July which found that provisions on data retention in section 1 of the Data Retention and Investigatory Powers Act (DRIPA) (the Act) were inconsistent with EU law.
Under the Act, the Home Secretary is authorised to instruct communications service providers (CSPs) (defined as an operator who controls or provides a public telecommunication system or provides a public telecommunications service) to retain communications such as emails, texts and phone records, as well as communications between the company and journalists, MPs and lawyers, for up to 1 year.
- The High Court held that sections one and two of the Act breached Article 8 of the EU Charter of Fundamental Right, for the following reasons:
- The Act failed to ensure data would only be employed to for the purposes of the "prevention, detection or prosecution of defined, sufficiently serious crimes"; and
- The Act did not require use of the data to be authorized by a court or other independent body, in order to limit the use of the data to what is "strictly necessary".
DRIPA is often criticised for the rushed manner with which it was progressed through Parliament, resulting in a lack of scrutiny and debate on the details of the Act.
To view the High Court judgment, please click here.
To view the EC press release, please click here.
What action could be taken to manage risks that may arise from this development?
We await the outcome of the Court of Appeal hearing.
Companies should monitor the developments in individual member states in which they operate.