Incyder news


18 July 2014


EU Data Retention Directive Invalid

In April 2014 the Court of Justice of the European Union declared the European Union Data Retention Directive1 invalid. The Court ruled that, despite the Directive’s legitimate purpose of fighting against serious crime and the protection of public security, it does not meet the principle of proportionality and should provide more safeguards regarding the protection of fundamental rights such as respect for private life and the protection of personal data.

The principle objective of the European Union (EU) Data Retention Directive 2006/24 is to harmonise Member States’ provisions concerning the retention of certain data which are generated or processed by providers of publicly available electronic communications services or of public communications networks with the aim to ensure that the data would be available for the purpose of the prevention, investigation, detection and prosecution of serious crime.2 According to the Directive, providers must retain traffic and location data as well as related data necessary to identify the subscriber, but not the content of the communication.3

The April 2014 ruling reflects the struggle of human rights activists who have fought hard to have the original Europe-wide law re-considered.4 The representatives of the parties who initiated the cases in Ireland and Austria put forward the argument that the Directive is incompatible with the Charter of Fundamental Rights of the European Union,5 and that there is still no evidence available of the excessive collection of communication data being a necessary and proportionate measure for combating organised crime or terrorism in the EU.6 Furthermore, it was argued that the retained data is used for the investigation of crimes not foreseen in the Directive, like theft, drug trafficking and stalking.7

The Court’s ruling found that the retention of data for the purpose of allowing the competent national authorities to have possible access to the data is satisfying an objective of general interest.8 However, when assessing the proportionality of the interference, the Court concluded that “Directive 2006/24 does not lay down clear and precise rules governing the extent of the interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter.” Therefore the Court held that the Directive “entails a wide-ranging and particularly serious interference with those fundamental rights in the legal order of the EU, without such an interference being precisely circumscribed by provisions to ensure that it is actually limited to what is strictly necessary.”9 Moreover, the Court found that the Directive “does not provide for sufficient safeguards, as required by Article 8 of the Charter, to ensure effective protection of the data retained against the risk of abuse and against any unlawful access and use of that data”10, “does not ensure that a particularly high level of protection and security is applied by those providers by means of technical and organisational measures” nor “ensure the irreversible destruction of the data at the end of the data retention period”.11 Furthermore, the “Directive does not require the data in question to be retained within the European Union” and consequently, control over the data cannot be fully ensured.12

The consequences of the Directive being held invalid are uncertain. Whereas some states have initiated a review of their national data retention regulation or even ruled national data retention laws invalid,13 others are looking for alternative measures to keep retaining the data14 or have not taken any concrete steps. This leaves the local ISPs in a legal vacuum where it is not certain whether national data retention laws need to be adhered to or not, and results in stopping the collection of subscriber data despite the countries’ data retention laws remaining in force.15 The European Commission has assured that it will carefully assess the verdict and its impacts, and take its work forward in light of progress made in relation to the revision of the e-Privacy directive whilst taking into account the negotiations on the data protection framework.16