On 8 April 2014, the European Court of Justice ("ECJ") declared the Data Retention Directive (the "Directive"), which had been the subject of great debate, invalid. The Directive required telecommunications providers to retain certain categories of traffic and location data in order to allow law enforcement authorities to access this data for the purpose of (severe) crime and terrorism prevention and prosecution.
Eight years after the Directive entered into force, the ECJ has now declared the Directive invalid. It is the ECJ's view that the Directive interferes with the fundamental rights to respect for private life and to the protection of personal data (Articles 7 and 8 of the European Charter of Fundamental Rights of the European Union; the "Charter").2 It is worth noting that in its ruling, the ECJ states that the data retention obligation as provided by the Directive does not per se interfere with the cited fundamental rights and that this obligation principally serves legitimate public interests. However, the ECJ has taken the view that the Directive is disproportionate, as the interference it causes with the said fundamental rights goes beyond the extent absolutely necessary to achieve the objectives pursued by the Directive.
The ECJ states that the Directive affects individuals, communications, and related data in an all-embracing manner without differentiating properly. The ECJ is primarily concerned about the fact that the Directive does not sufficiently define the severity of the crimes to be prosecuted by means of the retained data. The ECJ also highlighted that safeguards sufficient to ensure an effective protection of the retained data were missing. The ECJ criticized in that respect inter alia that a prior court order (or an order from an independent administrative body) is not a prerequisite for granting data access to law enforcement authorities. Further, it was the view of the Court that the data retention period in the Directive does not appropriately distinguish between the retained data and the potentially affected individuals in relation to the objectives pursued by the Directive. Finally, but arguably most notably, the ECJ found the Directive to be invalid because it does not require the data to be stored within the EU. In the absence of such an obligation, data protection compliance cannot be safeguarded by an independent authority, as required by the European Charter of Fundamental Rights.
Given these considerations, the ECJ declared the Directive in its totality invalid. The first media reactions to this ruling were quite positive. But what are the legal implications of this ruling on a national level?
The ECJ's Data Retention Directive ruling is of particular interest from an Austrian perspective, not least because it was the Austrian Constitutional Court - alongside the High Court of Ireland - that had asked the ECJ to challenge the validity of the Directive. Based on the ECJ ruling, the Austrian Constitutional Court will now resume its proceedings and might very likely repeal all or at least several provisions of Section 102a of the Austrian Telecommunications Act (which implements the Directive into national law).
Until the Austrian Constitutional Court reaches such a decision, the Austrian statutory data retention obligations will, however, remain in force. Yet one could argue that the fundamental rights to respect for private life and to the protection of personal data, which formed the yardsticks for the ECJ's assessment, have obtained supremacy over the said Austrian statutory data retention provisions. Hence, Austrian authorities and courts should not be allowed to apply the data retention provisions as they are stated in the Austrian Telecommunications Act. Since settled case law on the questions of when and to which extent the law of the European Union supersedes national law in scenarios like the present one is largely missing, there remains a degree of legal uncertainty until the Austrian Constitutional Court issues a ruling.
However, another aspect to consider is the ECJ's remark on the Directive's illegitimacy on account of the fact that the Directive does not require the data to necessarily be retained within the EU and, coupled with this, the fact that the data is not necessarily stored within the jurisdiction of an independent authority. This raises the reflexive question of whether the ECJ regards any personal data, at least if it exceeds a certain degree of volume and intrusiveness, that is stored outside the EU to be in breach of the Union's laws because of the fact that the data is stored within the jurisdiction of an authority that is not necessarily an independent authority within the understanding of the ECJ. In that respect, one should remember that in its decision C-614/10, the ECJ took a rather strict view on the authority's independency requirements by claiming that the authority must not only be functionally independent, but also be established in a manner that ensures full organizational independence. If this decision in fact reflects the ECJ’s general stance on the matter, it would have an impact that goes far beyond the present telecommunications data retention considerations. Such a stance would instead encompass literally all kinds of data processing scenarios that include international data transfers and international data storing (such as cloud services). Yet the ECJ's ruling does not address the details of this question. However, for the time being, one can extrapolate from the ECJ's explicit territoriality considerations that the ECJ seems to take a -- to say the least - "critical" view on personal data processing activities that take place outside the EU.