By Stephen Gardner
April 8 --The European Union's Data Retention Directive (2006/24/EC) contravenes the privacy rights of individuals and is therefore invalid, the Court of Justice of the European Union ruled April 8 amid renewed EU concerns about surveillance.
The directive--which required EU countries to adopt laws obliging telecommunications companies and Internet service providers to retain certain unique user data for up to two years, and to provide it to law enforcement authorities if requested--was approved by the European Parliament in 2005 as an anti-terrorism measure in response to attacks in Madrid in 2004 and London in 2005 .
But the directive was subject to opposition by many in the bloc ever since its adoption. In July 2010, the Article 29 Working Party of data protection officials from the then 27 EU member states, which serves as the official privacy advisory body to the European Commission, concluded that the directive had been implemented unlawfully .
A European Commission official speaking April 8 on condition of anonymity told Bloomberg BNA that the court recognized the directive had been adopted in “very specific circumstances” and “was done probably in a hurry.”
The viability of the laws enacted by the EU member states to transpose the directive are now open to direct challenge, even though less than a year ago the same court fined Sweden some $3.9 million for failing to adopt the directive by the May 2009 deadline set by the European Commission.
The impact of the “complex decision” may require “months” to be assessed, the commission official said.
The data retention stipulations of the directive led to the amassing of data that could be used to “provide very precise information on the private lives of the persons whose data are retained,” the EU's top court, commonly known as the European Court of Justice (ECJ), said in an April 8 statement announcing the ruling. Law enforcement authorities could access the data without informing the data subject, which would be “likely to generate in the persons concerned a feeling that their private lives are the subject of constant surveillance,” the ECJ added.
Revelations concerning surveillance by the U.S. National Security Agency and other governments have heightened EU concerns over the retention of data. The office of the European Data Protection Supervisor said in an April 8 statement that the ruling reinforced the need for the EU to take “a firm position in discussions with third countries, particularly the USA on the access and use of communications data of EU residents.”
The court noted that the directive didn't require retained data to be held in the EU and that retained data might consequently be processed in jurisdictions not covered by EU law.
Jörg Hladjk, counsel with Hunton & Williams LLP in Brussels, told Bloomberg BNA April 8 that “this statement is heavily influenced by the current discussion regarding mass surveillance and access to EU data by foreign law enforcement authorities.”
The court also reasoned that the directive was invalid because it “does not fully ensure the control of compliance with the requirements of protection and security by an independent authority,” the court said.
“Some years ago storing this data in a secure environment abroad would probably have been less of an issue,” Hladjk said.
Digital Rights Ireland Ltd, which was one of the parties to bring the case against the directive, said in an April 8 statement that the judgment would “set the tone for how privacy and data protection issues will be dealt with across the European Union in the post-Snowden era.”
Jan Philipp Albrecht, a German Green lawmaker who is the European Parliament's lead negotiator on the move to reform the EU's data protection framework , said in an April 8 statement that the ruling is “a major victory for civil rights in Europe.”
Although the court found that there are legitimate law enforcement purposes to require the retention of certain communication information, it held the directive violates the principle of proportionality by requiring that telecommunications carriers, including Internet companies, save user identity information, including to whom communications were directed, frequency of contacts and other information.
Retention of data “for the purpose of their possible transmission to the competent national authorities genuinely satisfies an objective of general interest, namely the fight against serious crime and, ultimately, public security,” the court said.
But “by requiring the retention of those data and by allowing the competent national authorities to access those data, the directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data,” the ECJ statement said.
Given “the wide-ranging and particularly serious interference of the directive” with the fundamental rights of the right to private life and the protection of personal data, the directive “is not sufficiently circumscribed to ensure that interference is actually limited to what is strictly necessary,” the statement said.
Hladjk said that the ruling “shows that the principles of proportionality must be observed for the concrete design of data retention.”
The European Telecommunications Network Operators' Association, which represents companies such as Germany's Deutsche Telekom AG, Holland's KPN, France's Orange SA and Spain's Telefónica SA that are obliged to implement data retention rules, told Bloomberg BNA April 8 that any data retention obligation on telecommunications operators “needs to be proportionate and strictly necessary in a democratic society for the protection of legitimate aims.”
The commission official told Bloomberg BNA that although the court had found the directive in conflict with the EU Charter of Fundamental Rights, any challenge to legislation in EU countries implementing the directive would have to be considered separately.
Many countries opposed the directive. Belgium didn't transpose the directive into its national law until about six months ago .
Courts in Bulgaria, Cyprus, the Czech Republic, Germany and Romania have found the national laws that implement the directive in those countries to be unconstitutional.
In May 2012, the commission referred Germany to the ECJ for allegedly failing to properly transpose the directive into its national law .
The commission official said Germany “was infringing a directive which doesn't exist any more,” so it is unclear what procedural steps would be taken in the court case against the country.
The European Commission official said that the court decision backdates the invalidation of the Data Retention Directive to the entry into force of the directive, making the directive “void ab initio,” or “as if it never happened.”
The commission in 2011 evaluated the directive and found a number of shortcomings, which it said might require future amendments . EU Commissioner for Home Affairs Cecilia Malmström said in an April 8 statement that the ECJ ruling “confirms the critical conclusions in terms of proportionality of the Commission's evaluation report of 2011.”
However, the anonymous commission official said the court ruling had made it impossible for the commission to revise the directive.
“We can't modify the current framework because we don't have a current legislative framework,” the official said.
The commission would need “the next days and weeks and months to assess the implications,” of the ruling, and the commission and EU member states would consult on next steps, the official said.
The EDPS said in its statement that the commission should “reflect on the need for a new directive, which will also prevent member states from keeping or imposing the same legal obligations nationally as laid out in the now invalid Data Retention Directive.”
To contact the reporter on this story: Stephen Gardner in Brussels at firstname.lastname@example.org
To contact the editor responsible for this story: Donald G. Aplin at email@example.com
The ECJ ruling is available at http://www.scribd.com/doc/216980523/Judgment-of-the-ECJ-in-Digital-Rights-Ireland-data-retention-challenge.
To view additional stories from Privacy & Security Law Report® register for a free trial now