EU Data Retention Directive Invalidation May Undercut Other Data Collection Laws

By Stephen Gardner  

July 23 — Some European Union laws, international agreements and proposed directives that include bulk data retention requirements are likely to need review due to the invalidation of the bloc's Data Retention Directive (2006/24/EC), according to a legal analysis report released July 23.

In April, the European Court of Justice ruled that the directive—which required EU countries to adopt laws obliging telecommunications companies and Internet service providers to retain certain unique user data for up to two years and to provide it to law enforcement authorities if requested—violated principles of purpose limitation and proportionality and contravened individual privacy rights.

The ECJ ruling left data retention laws adopted in the EU member states to transpose the directive open to challenge. But the impact of the ruling may prove more widespread than first realized, according to the report, which was produced for the Green Party group in the European Parliament by Franziska Boehm, an assistant professor at Germany's University of Münster, and Mark D. Cole, a law professor at the University of Luxembourg.

Speaking at a briefing at the European Parliament in Brussels July 23, Cole said the indirect impact of the court ruling on other EU laws and agreements could be “very significant.”

In particular, U.S.-EU agreements on the transfer of airline passenger name records (PNR) and on access to financial data under the U.S. Terrorist Finance Tracking Program (TFTP) “do not comply with some of the standards set in the DRD judgement” and require “review and renegotiation,” according to the analysis.

Other EU laws and proposals that might be vulnerable to challenge after the court ruling are the draft EU directive on the processing of data by law enforcement authorities, which is being negotiated alongside a proposed EU data protection regulation; a draft EU PNR directive; proposals for a European Terrorist Financing Tracking System; rules on access by governments to the Eurodac law enforcement database of the fingerprints of asylum seekers; and proposals for an entry-exit system to track travellers crossing EU borders, the analysis said.

Focus on Fundamental Rights

The ruling clarified that EU measures relating to the use of personal data for law enforcement must be consistent with Articles 7 and 8 of the EU Charter of Fundamental Rights, which deal with the rights to privacy and the protection of personal data, Cole said.

Consequently, all measures dealing with blanket data retention require strict necessity and proportionality tests before it can be decided if they are in line with the Charter of Fundamental Rights, Cole said.

Boehm, speaking at the same briefing, said that some measures, including the EU-U.S. agreements on PNR and access to financial data, are “even more infringing” than the Data Retention Directive and have “considerable shortcomings when it comes to compliance with fundamental rights.”

For these measures, “a renegotiation even if it is painful and lengthy possibly needs to be carried out,” Boehm said. “The sending of data to third states must be definitively reviewed against the finding of the court,” she added.

Differing Member State Responses

Cole said that lawmakers at EU and member state level “don't really know what to do” with the court judgment on data retention, and are “in a state of flux.”

In terms of the direct effect on national laws that were enacted to implement the Data Retention Directive, EU countries have responded differently to the court judgment. Data protection authorities in the member states generally said decisions on how to proceed lay with legislators.

Austria's Constitutional Court in June nullified the Austrian data retention law, in line with the cancellation of the Data Retention Directive.

The U.K. government fast-tracked a new law to replace its implementation of the Data Retention Directive. The U.K. Data Retention and Investigatory Powers (DRIP) Act, approved July 17, clarifies that data retention rules equivalent to those implemented under the Data Retention Directive will continue to apply in the U.K.

Cole told Bloomberg BNA July 23 that “the U.K. at least has understood the impact of the judgment,” and had acted, in part, to clarify the responsibilities of companies covered by data retention rules.

The U.K. government wanted to avoid the deletion of retained data by companies, because it would have been difficult to enforce the retention of data under a national law that had been based on a subsequently invalidated EU directive, Cole said.

However, “it is very likely that the DRIP Act will get into trouble” if tested against the standard set by the EU Court of Justice data retention judgment, Cole added.

Four Swedish telecommunications companies deleted their retained data shortly after the ECJ judgment, and the Swedish regulator decided it couldn't take action against them, despite the continued existence of the Swedish data retention law, Cole said.

European Commission Intervention?

The invalidation of the Data Retention Directive technically creates a situation in which the European Commission, the EU's executive arm, will be forced to intervene, Cole said.

This is because the 2002 ePrivacy Directive (2002/58/EC) generally prohibits blanket data retention, except where it is “necessary, appropriate and proportionate” for national security purposes.

The Data Retention Directive amended the ePrivacy Directive to remove prohibitions on data retention, but the court's invalidation of the Data Retention Directive means that the original text of the ePrivacy Directive now applies, Cole said.

In principle, the European Commission, which must enforce EU law, is now required to enforce the provisions in the ePrivacy Directive, including the general prohibition on data retention, Cole said.

Jan Philipp Albrecht, a German Green lawmaker who is the European Parliament's rapporteur, or lead negotiator, on the draft data protection regulation, told Bloomberg BNA July 23 that the European Parliament would press the commission to act in hearings in the fall. “After the summer, we will completely have this on the table,” Albrecht said.

To contact the reporter on this story: Stephen Gardner in Brussels at

To contact the editor responsible for this story: Donald G. Aplin at

Full text of the report, “Data Retention after the Judgement of the Court of Justice of the European Union,” is available at
