In a decision rendered on 8 April 2014, the European Court of Justice (ECJ) declared the Data Retention Directive invalid. The Court’s decision was grounded on its conclusion that, by requiring the retention of the data falling within the scope of the Directive, and by allowing the competent national authorities to access those data, the Directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data.
The judgment was rendered in response to questions posed to the ECJ by the national courts of two EU Member States. The Irish High Court posed questions regarding the legality of national legislative and administrative measures concerning the retention of data relating to electronic communications. The Austrian Constitutional Court posed questions arising from an action by 11130 individuals in Austria questioning the compatibility with the Federal Constitutional Law of the Austrian provisions transposing the Data Retention Directive into Austrian national law.
In its judgment, the ECJ examined the validity of the Data Retention Directive to determine the implications of its provisions in relation to respect for private life and communications provided by Article 7 of the Charter of Fundamental Rights of the European Union, the protection of personal data provided by Article 8 of the Charter, and respect for freedom of expression provided by Article 11 of the Charter.
The ECJ determined that the data collected by providers of publicly available electronic communications services or of public communications networks, taken as a whole, could allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained. The Court concluded that, although the Directive does not permit retention of the content of communications or of information consulted using an electronic communications network, it is not inconceivable that the data of which the Directive permits retention might have an effect on the use, by subscribers or registered users, of the means of communication covered by the Directive and, consequently, on their exercise of the freedom of expression guaranteed by Article 11 of the Charter.
The ECJ continued that retention of data as provided by the Directive for the purpose of possible access by the competent national authorities directly and specifically affects private life and, consequently, the rights guaranteed by Article 7 of the Charter. Referring to its previous case law, the Court further concluded that such retention of data also falls under Article 8 of the Charter. This is because it constitutes the processing of personal data within the meaning of that Article and, therefore, necessarily has to satisfy the data protection requirements arising from that Article.
Examining the Data Retention Directive in light, not only of Articles 7 and 8 of the Charter but also of the Data Protection Directive and the Directive on the protection of personal data in the electronic communications sector, the ECJ confirmed the opinion of the Advocate General that the Data Retention Directive derogates from the system of protection of the right to privacy established by those Directives in regard to the processing of personal data. The Court continued with the robust conclusion that, to establish the existence of an interference with the fundamental right to privacy, it does not matter whether the information on the private lives concerned is sensitive or whether the persons concerned have been inconvenienced in any way. It concluded that the obligations imposed by the Directive and the fact that competent national authorities had access to this data, in themselves, constituted an interference with the rights guaranteed by Article 7 of the Charter.
The ECJ concluded that the interference caused by the Data Retention Directive with the fundamental rights provided in Articles 7 and 8 of the Charter was wide-ranging and must be considered particularly serious. However, the Court acknowledged that the retention of data for the purposes of allowing competent national authorities to have possible access to these data in the fight against international terrorism and to maintain international peace and security constitutes objects of general interest.
Nevertheless, applying the principle of proportionality the ECJ recalled that the protection of fundamental rights requires that derogations and limitations in relation to the protection of personal data must apply only in so far as is strictly necessary. Analysing in some detail the provisions of the Data Retention Directive and their scope of application in this context the Court concluded that the Directive does not lay down clear and precise rules governing the extent of the interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter. Rather, it entails wide-ranging and particularly serious interference with those fundamental rights without such interference being precisely circumscribed by provisions to ensure that it is actually limited to what is strictly necessary. The Court concluded that, in adopting the Directive, the EU legislature has exceeded the limits imposed by compliance with the principle of proportionality in the light of Articles 7, 8 and 52(1) of the Charter.
This last conclusion raises a question of context. The ECJ concluded that adoption of the Data Retention Directive was contrary to the intentions of Articles 7, 8 and 52(1) of the Charter. The Directive was adopted on 15 March 2006. The Charter, although pronounced on 7 December 2000, did not have full legal effect until the entry into force of the Treaty of Lisbon on 1 December 2009. The ECJ’s approach in the present case is interesting in light of the Court’s own case law, according to which the validity of laws should be examined in light of the legal environment applicable at the time at which they were adopted.
The ECJ’s decision will trigger a rethink of both EU and EU Member States’ laws on government surveillance. A recent report of the European Parliament criticized not only the practices of the NSA, but those of several EU Member State governments that have surveillance legislation permitting broad, and relatively unsupervised, data collection for national security purposes. Some EU Member States (e.g., France) have data retention laws that go beyond the requirements of the Data Retention Directive, requiring data retention by hosting providers, not just telecom operators.
The dilemma now for ISPs and telecom operators will be whether they should stop retaining traffic data in order to comply with the ECJ decision and respect individual rights (but at the risk of violating national law), or whether they should continue data retention, which might expose them to individual claims for violation of individual rights. Telecom operators are likely to apply to national courts for clarification on their duties.