In Joined Cases C-293/2012 and C-594/2012, the Court of Justice was asked to rule on the validity of Directive 24/2006 on the retention of data processed in connection with the provision of electronic communications services or of public communications networks. This directive aims to ensure the availability of traffic data, location as well as the related data necessary to identify the subscriber or user for the purpose of investigation, detection and prosecution of serious crime, such as offenses related to organized crime and terrorism.
The Court had been asked by the High Court (High Court, Ireland) and by Verfassungsgericht (Constitutional Court, Austria) to review the Directive in the light of two fundamental rights guaranteed by the Charter of Fundamental Rights of the European Union: the right to respect for life privacy and the right to protection of personal data.
The Court noted at the outset that the data that the Directive requires to store allow you to gather a variety of information of a private nature, such as with whom and by what means the user or subscriber has notified, the time and place of the communication and the frequency of communication, thus allowing to draw a picture of the daily activities of the subject and its movements. For these reasons, the directive affects significantly the fundamental rights to respect for private life and protection of personal data. The Court added, however, that such treatment does not affect, however, the essence of those rights and is secure in the justification objective of public security and the fight against crime.
The Court considers, however, that the Community legislature has exceeded the limits imposed by respect for the principle of proportionality because of the type of rights which the Directive has an impact, the legislature has a discretionary power reduced and must abide by a strict regulation of the matter is that and limited to a strict minimum. From this point of view, the Community judicature censorship, first and foremost, the fact that the Directive takes into account a generic collection of individuals, media and data, without making distinctions, limitations or exceptions due to the objective of combating the serious crimes. In addition, the Directive does not provide substantive and procedural requirements for access to and use of such data by the national authorities, with the consequence of not restrict or control, in fact, the use that can do the same. The Court expresses itself in a negative sense in relation to the duration of data retention, not differentiated according to the parties involved and the objectives of conservation.
The court finally concludes by stating that the directive in question is devoid of guarantees that would enable effective protection of recorded data, and thus prevent the risk of abuse. The same does not impose, in fact, special security systems or obligations of irreversible destruction of data collected at the end of the retention period, and does not require the storage of data within the European Union. For the Court is missing the opportunity to establish full control by an independent authority that can ensure compliance with the requirements of security and protection required by the Charter, in particular the control necessary and essential in relation to a matter as delicate as the protection of personal data of the individuals involved.
The outcome of the examination of the Court is, therefore, the declaration of invalidity of Directive 24/2006.