Introduction

On April 8, 2014, the European Court of Justice (ECJ) in the joined cases C-293/12 and C-594/12 ruled that the directive on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks (Data Retention Directive or Directive)2  is invalid in its entirety. The ECJ examined the validity of the Data Retention Directive in the light of Articles 7, 8 and 11 of the Charter of Fundamental Rights of the European Union,3 and concluded that the interference caused by the Data Retention Directive is “wide-ranging, and it must be considered to be particularly serious.”4

Background

In case C-293/12, an Irish digital rights organization challenged the national law as implemented by the Data Retention Directive and asked the Irish High Court to declare the Data Retention Directive invalid. In case C-594/12, the Austrian Kärntner Landesregierung, Mr Seitlinger, Mr Tschohl and 11,128 other applicants argued that the national law transposing the Data Retention Directive infringes upon individuals’ fundamental rights.

Data Retention Directive

The main objective of the Data Retention Directive is to harmonize the EU Member States’ legislation regarding the obligations imposed upon providers of publicly available electronic communications services and public communications networks concerning the retention of data, as well as to ensure that data is available for the prevention, investigation, detection and prosecution of serious crimes. Therefore, under the Data Retention Directive, providers are obliged to retain data for a minimum period of between six and 24 months (with the precise period decided by the Member States). The Data Retention Directive requires the retention of metadata, also known as traffic data.5 This Directive does not require that the content of the communication between individuals is retained.

 Assessment by the ECJ

The ECJ accepted the challenge and invalidated the Directive. The ECJ concluded that collectively, traffic data facilitate drawing very precise conclusions regarding the private lives of individuals, such as daily movements, social relationships and everyday habits. Furthermore, the ECJ opined that the Data Retention Directive, by making the retention of data mandatory and by providing access to the data for national authorities, interferes with individuals’ fundamental rights, such as the right to respect private life and the protection of personal data, in a particularly severe manner. Therefore, adopting the position of the Advocate General, the ECJ found that “the fact that data are retained and subsequently used without the subscriber or registered user being informed is likely to generate in the minds of the persons concerned the feeling that their private lives are the subject of constant surveillance.”

Subsequently, the ECJ assessed whether the interference with these fundamental rights is justified in the present situation. The ECJ noted that the interference did not infringe upon the essence of the fundamental rights because the Data Retention Directive does not extend to the content of communication. Moreover, the ECJ noted that the retention of data serves a general interest: the investigation of serious crime.

Nevertheless, the ECJ determined that the EU legislator exceeded the limits of proportionality in the Data Retention Directive. Considering that fundamental rights were at stake, the discretion of the legislator was limited, and the Directive impinged on those rights too severely. The ECJ found that the extensive and serious interference with fundamental rights is not sufficiently circumscribed to ensure that any infringement upon fundamental rights remains effectively limited to situations strictly necessary to achieve the general interest. The ECJ identified the following defects in the Data Retention Directive:

  1. The Data Retention Directive covers all persons and means of communication, all traffic data without any limitation in the light of the fight against serious crime;
  2. There are insufficient safeguards or objective criteria to limit the access to the data by national authorities;
  3. The Directive provides that all data must be retained for a minimum period of six months, without any differentiation in the various types of data or data related to suspicious persons;
  4. There is inadequate protection against the serious risk of abuse or loss of data; and
  5. The Directive does not require that the data be retained within the EU.

Thus, the ECJ determined that the EU legislator had exceeded the limits on its authority imposed by the principle of proportionality, considering article 7 (respect for private life and family) and article 8 (protection of personal data) of the Charter on Fundamental Right. Therefore, the ECJ declined to review whether article 11 (freedom of expression) of the Charter on Fundamental Rights similarly provided a basis for invalidating the Directive. This judgment stresses a clear protection of fundamental rights and leans towards an ‘individual’s right to be forgotten’. The ECJ ruled on such right to be forgotten recently in case C-131/12 which will be addressed in an upcoming GT Alert.

Conclusion

The ECJ ruled that the Data Retention Directive is invalid. Because the ECJ did not provide a date on which its decision would become effective, the decision has retroactive effect beginning on the Directive’s effective date. Therefore, the EU Member States that implemented the Data Retention Directive need to assess whether or not their legislation transposing the Data Retention Directive meets the restrictions on data retention as provided by the ECJ, or if the national legislation must be annulled or amended.