No sooner had it been adopted than the Data Retention Directive was receiving criticism from various Member States and other stakeholders. They can now breathe easier; the directive was declared invalid by the CJEU in its decision of April 8, 2014.
The Court delineated several problems with the directive:
- in general it covers all individuals, all means of electronic communication and all traffic data, without any differentiation, limitation or exception to take into account the objective of fighting against serious crime;
- it fails to provide any objective criterion to ensure that the data is accessible only to competent national authorities and that they will use it for legitimate purposes only;
- it does not state data retention periods applicable to the different categories of data, the persons concerned with it or the use of the data; also, it does not state on what criteria the retention period will be determined, to ensure that it is only what is strictly necessary;
- it does not provide a sufficient safeguard to ensure effective protection from abuse (for example, since service providers may consider economic considerations when determining the level of security, the security level is not guaranteed); and
- it does not require that the data be retained within the EU.
This declaration of invalidity takes effect from the date on which the directive entered into force.
By this ruling the court has precisely provided what a EU legislator will need to include if he wants to reintroduce a new text on Data Retention. In the meantime the national laws that have implemented the directive are not invalidated, but may probably be challenged for lack of consideration "of the general principles of Community law, including those referred to in Article 6(1) and (2) of the Treaty on European Union." (See article 15 of directive 2002/58 concerning the processing of personal data and the protection of privacy in the electronic communications sector.)