Since the 2014 decision of Europe’s highest court – the CJEU – in Digital Rights Ireland, various Member States have seen changes to their national data retention laws. In the Digital Rights Ireland case, the court found the EU Data Retention Directive to be invalid. In particular, the court found the Directive incompatible with the fundamental right to privacy and viewed European lawmakers as having gone beyond what was proportionate to tackle serious crime.
In the 18 months following the case, a number of challenges to national data retention laws have taken place, including in the UK. Interestingly, despite the application to the CJEU having its roots in an Irish case, Irish data retention laws still remain untouched and the case is still pending before the Irish courts. Recently, the European Commission (“EC”) issued a statement on national data retention laws, providing some additional insight into the views at EU level.
What has the EC said?
In a recent press release, the EC has clarified its continued position regarding national data retention laws:
“the decision of whether or not to introduce national data retention laws is a national decision”.
Despite any contrary expectations, the EC goes on to state that it is not due to announce any new initiatives around data retention.
Germany in the Firing Line?
This recent statement follows allegations that the EC was gearing up to sue Germany over concerns around its national data retention law. In 2012, the EC brought Germany before the CJEU for failure to fully transpose the Directive into German law. Despite this previous action, however, the EC has confirmed that no such action is being planned.
The position for Member States
In the absence of the Directive, the EC notes that Member States are free to either keep their current data retention systems or create new ones. The EC reminds Member States that the core issue is ensuring these systems comply with EU law, including the ePrivacy Directive. This largely aligns with the Opinion from the European Parliament’s Legal Service which indicates that Member States should examine their national data retention measures to see whether they comply with the decision of the court.
In short, the EC is “neither opposing, nor advocating the introduction of national data retention laws.” Instead, it is down to each Member State to decide.
The EC is clear about its reservations around entering into debates regarding data retention, noting that such debates are often very sensitive and political in nature. While the EC has specifically left it to Member States to decide the fate of their respective national data retention laws, it has not expanded further on how to ensure compliance with EU law nor has it indicated any plans for reform at an EU level. For many Member States, this is likely to be unsatisfactory.
Presumably, in line with the CJEU’s views, the proportionality of the national laws will be key in determining on-going compliance at national level. In addition, another core measure of compliance is likely to be the extent of safeguards imposed on data collection and retention.