In the European Union, the Data Retention Directive used to be the instrument laying down the rules for the retention of,  and access to communications data for purposes of investigation, detection and prosecution of serious crime.  It required telecommunication service providers to retain traffic, location and subscriber data for up to two years and make it available to law enforcement and security agencies upon request.  The Directive had been transposed into national law by various Member States.

Digital Rights Ireland

In April 2014, the Court of Justice of the European Union (CJEU)  declared the Directive invalid when it ruled in the joined cases of C-293/12 Digital Rights Ireland and C-594/12 Seitlinger and Others (Digital Rights Ireland) that the retention of data as provided for by the Directive disproportionately restricted the fundamental rights to respect for private life and to the protection of personal data as laid down in Articles 7 & 8 of the Charter of Fundamental Rights of the European Union.

While the CJEU decision invalidated the Directive with immediate effect, it did not automatically invalidate the national implementing laws.  Rather, these remain valid and in force until successfully challenged before a national court or repealed by the national government.   This prompts the question what impact (if any) the Digital Rights Ireland ruling has on national Member State legislation implementing the Directive.  A UK Court of Appeal has now asked the CJEU to answer precisely that question. 

The Current Situation

Digital Rights Ireland prompted diverse reactions from EU Member States:

  • In six Member States (i.e., Austria, Slovenia, Belgium, Romania, the Netherlands and Slovakia), national courts have invalidated the implementing national legislation applying Digital Rights Ireland.   
  • In other Member States (like the UK and Luxembourg), parliaments have repealed their existing data retention legislation on their own initiative and have adopted, or are in the process of adopting, new data retention legislation that is generally narrower in scope.  
  • Then there are Member States (e.g., France, Sweden, Denmark) that chose to retain their national laws implementing the Directive (until successfully challenged before the national courts).  

Needless to say that there is a great deal of uncertainty as to the effect of Digital Rights Ireland on national data retention legislation and that this resulted in a confusing and disharmonious approach to data retention legislation across the EU.

Recent Referral To The CJEU

On 20 November 2015, an English Court of Appeal asked the CJEU to clarify (by way of a preliminary ruling) whether in Digital Rights Ireland it intended to lay down mandatory requirements of EU law with which national Member State legislation must comply. 

The first instance UK Court had struck down parts of the UK Data Retention and Investigatory Powers Act (DRIPA) – the temporary legislation enacted in July 2014 to replace the previous UK data retention legislation implementing the Directive – on the basis that it was in breach of EU law.  It had argued that parts of DRIPA were inconsistent with mandatory requirements laid down by the CJEU in Digital Rights Ireland which applied equally to EU and domestic Member State legislation. 

The Court of Appeal provisionally rejected this view and argued that the CJEU in Digital Rights Ireland did not lay down general requirements capable of automatic transposition and application to unspecified national legislation. It argues that the CJEU’s reasoning was closely linked to the objective, provisions and scheme of the Directive and could not be transposed to national legislation with potentially additional objectives without the CJEU expressly stating so.  

As a matter of fact, national data retention laws must comply with EU law. If the EU legislation setting the rules for domestic data retention laws is invalidated for breach of fundamental rights guaranteed under EU law, the national laws implementing (and therefore, at least in principle, mirroring those rules) would be highly likely to breach those same rights and laws. Therefore, the CJEU ruling must have at least some (indirect) effect on national data retention legislation and provide some measure when it comes to assessing the compatibility of national data retention laws with EU law.   

Given the Court of Appeal has asked for the CJEU proceedings to be expedited, some much-needed clarifications might be forthcoming soon. Finally, the Council of the European Union has just invited the EU Ministers to consider whether the EU Commission should be invited to present a new legislative initiative on data retention.  The data retention debate seems far from over.