For more information, please contact:
+49 (0) 69 29 908 189
European Court of Justice Declares Data Retention Directive Invalid
In a landmark judgment1, the Court of Justice of the European Union ("EU") has declared the EU Data Retention Directive2 to be invalid.
Objective of Data Retention Directive
The Data Retention Directive, which was highly controversial in many EU Member States, was aimed to harmonize the Member States’ legislation regarding the retention of certain data, which are generated or processed by telecommunications companies. The Directive sought to ensure that the data were available, for a limited period of time, to prevent, investigate, detect and prosecute serious crimes, such as, in particular, organized crime and terrorist acts. To this end, the providers of publicly available electronic communications services or of public communications networks were obligated to retain traffic and location data as well as certain related data necessary to identify the user. The Directive did not permit the recording and retention of the content of the communication.
Requests for Preliminary Ruling
The High Court of Ireland and the Verfassungsgerichtshof (Constitutional Court) of Austria had requested a preliminary ruling on the validity of the Data Retention Directive. The request made by the High Court resulted from a dispute between the Irish company Digital Rights Ireland and the Irish authorities regarding the legality of certain national measures regarding the retention of data in relation to electronic communications. The Austrian Verfassungsgerichtshof had to decide on a number of constitutional actions brought by the government of the province of Carinthia and by approximately 11,000 citizens.
Judgment of the European Court of Justice
The Court of Justice of the European Union (“ECJ”) found that the data to be retained under the Data Retention Directive make it possible, in particular, to know the identity of the person with whom a subscriber or a registered user has communicated and by what
means, and to identify the time of the communication as well as the
place from which that communication took place and the frequency
of the communications of the subscriber or registered user with
certain persons during a given period. In sum, the Court found that,
taken as a whole, those data "may allow very precise conclusions to
be drawn concerning the private lives of the persons whose data has
been retained, such as the habits of everyday life, permanent or
temporary places of residence, daily or other movements, the
activities carried out, the social relationships of those persons and
the social environments frequented by them" (para 28).
Even though the Data Retention Directive does not permit the
retention of the content of the communication or of information
consulted using an electronic communications network, the Court
found it "not inconceivable" that the retention of the data in question
might have a chilling effect on the use, by subscribers or registered
users, of the means of electronic communication covered by the
Directive on their exercise of the freedom of expression, which is
guaranteed by Article 11 of the Charter of Fundamental Rights of the
By requiring the retention of data relating to a person's private life
and to his communications and by allowing the access of national
authorities to such data, the Data Retention Directive interferes in a
particularly serious manner with the fundamental rights to respect for
private life and communications and to the protection of personal
data, as enshrined in Articles 7 and 8 of the Charter. The Court found
that the retention of data does not "adversely affect the essence of
the fundamental rights to the protection of personal data" and is, in
principle, justified by an objective of general interest, namely the
prosecution of serious crime, thus ensuring public security (para. 39).
However, the Court found that the Directive violates the principle of
proportionality, which requires "that acts of the EU institutions be
appropriate for attaining the legitimate objectives pursued by the
legislation at issue and do not exceed the limits of what is
appropriate and necessary in order to achieve those objectives."
Whereas the Court found that the retention of data may be
considered to be "appropriate for attaining the objective pursued" by
the Directive, the retention measures established under the Directive
could not be considered "necessary" to achieve the legislative
objective (para. 46, 51 seq.). According to the Court, the EU
legislature has exceeded the limits imposed by the principle of
proportionality in several respects:
- First, the Data Retention Directive covers, in a generalized
manner, all persons and all means of electronic communication
as well as all traffic data without any differentiation, limitation or
exception being made in the light of the objective of fighting
against serious crime. In particular, the Directive applies even to
persons for whom there is no evidence of suggesting that their
conduct might have a link, even an indirect or remote one, with
serious crime. It also does not require any relationship between the data whose retention is provided for and a threat to public security nor does it restrict retention to data pertaining to a particular time period, particular geographical zone or a circle of particular persons likely to be involved in a serious crime or to persons who could contribute, by the retention of the data, to the prevention, detection, or prosecution of serious offenses.
- Second, the Court criticized that the Directive fails to lay down any objective criteria by which to determine the limits of the access of the competent national authorities to the data and their subsequent use for the purposes of prevention, detection or criminal prosecutions concerning offenses that, in view of the fundamental rights at stake, may be considered to be sufficiently serious to justify such an interference. In this context, the Court pointed out that the Directive does not contain substantive and procedural conditions relating to the access of the competent national authorities to the data and to their subsequent use and that it does not lay down any objective criterion by which the number of persons authorized to access and subsequently use the data retained is limited to what is strictly necessary in light of the objective pursued. "Above all, the access by the competent national authorities to the data retained is not made dependent on a prior review carried out by a court or by an independent administrative body whose decision seeks to limit access to the data and their use to what is strictly necessary for the purpose of attaining the objective pursued and which intervenes following a recent request of those authorities submitted within the framework of procedural prevention, detection or criminal prosecutions" (para. 62).
- Third, the Court found that the data retention period of at least six months, without any distinction being made between the categories of data on the basis of their possible usefulness for the purposes of the directive was not justified under the principle of proportionality. Moreover, the Court found that the Directive does not provide for sufficient safeguards to ensure effective protection of the data during the retention period and does not require "the data in question to be retained within the European Union, with the result that it cannot be held that the control, …by an independent authority of compliance with the requirements of protection and security" is fully ensured (para. 68). Such control, carried out on the basis of EU law, is (as the Court had stated in previous case law)3 an essential component of the protection of individuals with regard to the processing of their personal data.
Judgment of the European Court of Justice
The Court of Justice of the European Union (“ECJ”) found that the data to be retained under the Data Retention Directive make it possible, in particular, to know the identity of the person with whom a
subscriber or a registered user has communicated and by what means, and to identify the time of the communication as well as the place from which that communication took place and the frequency of the communications of the subscriber or registered user with certain persons during a given period. In sum, the Court found that, taken as a whole, those data "may allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them" (para 28).
In all other EU Member States, the national laws transposing the Data Retention Directive will remain valid until challenged, in accordance with national procedural rules, before the national courts. In France, for example, the national law transposing the Data Retention Directive can be challenged before the Conseil Constitutionel by way of a preliminary decision proceeding question (prioritaire de constitutionnalité) resulting from a pending court case. In Germany, the Federal Constitutional Court had held, in a judgment dated 2 March 2010, that the German provisions transposing the Data Retention Directive violated the fundamental right to privacy of electronic communications guaranteed by the German constitution. Following the Constitutional Court's judgment, the German Federal Government has not attempted to reintroduce legislation transposing the Data Retention Directive in line with the requirements set out in the Federal Constitutional Court's judgment, despite an infraction procedure which the European Commission had initiated against the Federal Republic of Germany4. In Italy, the relevant section of the Italian Data Protection Code may be challenged before the Italian Corte Costituzionale. In Poland, the constitutional tribunal has to decide on several complaints for the annulment of the national law's transposing the EU Data Retention Directive and it is expected that the Court will declare the national regulations to be null and void. In Spain, the national legislation can be challenged before the Constitutional Court where the rules would be measured against national data protection principles and fundamental rights, presumably with an outcome identical to the judgment of the ECJ. In the United Kingdom, a challenge could be brought before the Administrative Court on the basis that the national rules are ultra vires, because there no longer is a proper legal authority for them.
The Future of Data Retention: Storage “within the European Union”
The European Court of Justice's judgment marks the culmination - but probably not the end - of a long-standing legal battle relating to a highly controversial piece of EU legislation.
Providers of public communications services and public
communications networks will remain subject to national data retention obligations as long as the relevant national laws are not invalidated at Member State level. It is likely that the European Commission will renew its efforts to establish a legal framework harmonizing the Member States' provisions concerning the retention of data for the purpose of the investigation, detection, and prosecution of serious crime taking into the account the detailed considerations of proportionality spelled out by the ECJ. It is to be expected that, in the future, new (and “improved”) data retention obligations under EU law will be established, requiring telecommunications companies to retain data, subject to strict security requirements, in data storage facilities "within the European Union". These data centers must be subject to "control", carried out on the basis of EU law, by "an independent authority."
Whether the European Commission will opt for the harmonization of European data retention rules on the basis of another directive or for use the legal instrument of a “regulation”, is currently an open question. In view of the required lengthy time period for the transposition of a directive into national law and the likely result of a patchwork of national rules, it is not inconceivable that the European Commission will opt for a data retention Regulation, which would have direct legal effect in all EU Member States and not require time consuming transposition into national law.
1 Judgment of the Court (Grand Chamber) 8 April 2014, Digital Rights Ireland, Joined Cases C-293/12, C-594/12 http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62012CJ0293&qid=1397489170026
2 Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC, OJ 2006L105, p. 54.
3 ECJ, Case C-614/10, Commission v. Austria, EU: C 2012: 631, para. 37.