On April 8, 2014, the Court of Justice of European Union declared invalid the Data Retention Directive no. 2006/24 (Judgment in Joined Cases C-293/12 and C-594/12, Digital Rights Ireland and Seitlinger and Others)
For the Court of Justice, although the retention of data required by the directive may be considered to be appropriate for attaining the objective pursued by it, the wide-ranging and particularly serious interference of the directive with the fundamental rights at issue is not sufficiently circumscribed to ensure that that interference is actually limited to what is strictly necessary.
However, the Court of Justice issued its judgment taking into account as follows:
- the directive covers all individuals, all means of electronic communication and all traffic data without any differentiation, limitation or exception being made in the light of the objective of fighting against serious crime:
- the directive fails to lay down any objective criterion which would ensure that the competent national authorities have access to the data and can use them only for the purposes of prevention, detection or criminal prosecutions concerning offences that, in view of the extent and seriousness of the interference with the fundamental rights in question, may be considered to be sufficiently serious to justify such an interference;
- regarding data retention period, the directive imposes a period of at least six months, without making any distinction between the categories of data on the basis of the persons concerned or the possible usefulness of the data in relation to the objective pursued. Furthermore, that period is set at between a minimum of six months and a maximum of 24 months, but the directive does not state the objective criteria on the basis of which the period of retention must be determined in order to ensure that it is limited to what is strictly necessary;
- the directive does not provide for sufficient safeguards to ensure effective protection of the data against the risk of abuse and against any unlawful access and use of the data;
- the directive does not require that the data be retained within the EU. Therefore, the directive does not fully ensure the control of compliance with the requirements of protection and security by an independent authority, as is, however, explicitly required by the Charter.
Regarding the temporal effects of the finding of invalidity of Directive 2006/24, it is important to point out that given that the Court did not limit the temporal effect of its judgment, the declaration of invalidity takes effect from the date on which the directive entered into force.
So, in those circumstances, the European Union should adopt the privacy reform within a reasonable period issuing all measures necessary to remedy the invalidity found to exist by the Court of Justice.
In this regard, Cecilia Malmström, Commissioner for Home Affairs said that “The judgment of the Court brings clarity and confirms the critical conclusions in terms of proportionality of the Commission’s evaluation report of 2011 on the implementation of the data retention directive. The European Commission will now carefully asses the verdict and its impacts. The Commission will take its work forward in light of progress made in relation to the revision of the e-Privacy directive and taking into account the negotiations on the data protection framework” .