EU Member State Privacy Regulators Ponder Response to End of Data Retention Directive

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Jabeen Bhatti, Brett Allan King, Ali Qassim, Rick Mitchell, Bogdan Turek, Stephen GardnerEric Lyman, Christine Pirovolakis and Marcus Hoy  

April 22 — The recent invalidation of the European Union Data Protection Directive (2006/24/EC) was in large part welcomed by EU privacy officials, but what it means for specific data retention activities in the 28 member states in the bloc isn't clear, they told Bloomberg BNA.

The directive was adopted in 2005 to require EU countries to adopt laws obliging telecommunications companies and Internet service providers to retain certain communications contact data for up to two years and to provide it to law enforcement authorities if requested.

On April 8, the European Court of Justice, the EU's highest court, ruled that the directive contravened the privacy rights of individuals. Although the ECJ found that there are legitimate law enforcement and anti-terrorism purposes to require the retention of certain communications information, it held the directive violates the principle of proportionality.

The ruling, which came amid continuing EU concerns about government surveillance of communications, including the efforts of the U.S. National Security Agency, opened up the possibility of challenges to the statutes that transposed the directive into national law in the EU member states.


Germany transposed the directive into law in 2007, but the Federal Constitutional Court struck it down in 2010 as being too broad.

In 2012, the European Commission referred Germany to the ECJ for failing to transpose the directive. The validity of that proceeding is certainly in doubt given the ECJ's ruling invalidating the directive.

Chancellor Angela Merkel's Christian Democrats and her junior coalition partners, the Social Democrats, had outlined their intention to push for a new law to transpose the directive but to also ask to amend the retention period in the directive to three months.

Germany's Federal Data Protection Commissioner Andrea Vosshoff said in a statement provided to Bloomberg BNA that Germany should wait for EU lawmakers, who may decide to draft a new data retention directive. Germany should “wait until European lawmakers decide” whether to enact a new directive before addressing what to do about a German national law, Vosshoff said.

In a statement, Hamburg Data Protection Commissioner Johannes Caspar said national lawmakers shouldn't rush to pass a data retention law because the ECJ's questioning of proportionality in the directive “implicitly questions the principle of data retention.”

But Interior Minister Thomas de Maiziére said in a statement that although the directive was invalidated, the ECJ ruling's acknowledgement that the law enforcement purposes for retaining data are valid “has brought certainty” that some sort of “data retention instrument is compatible with Germany's constitution and European law.”

Spain, Portugal

The ECJ ruling “forcefully confirms” that although security is “very relevant,” it is by no means “absolute nor prevailing in its character,” Spain's privacy regulator, the AEPD, told Bloomberg BNA, noting that the Article 29 Working Party had already “expressed reservations” about the directive before the ruling.

In 2010, the Art. 29 Party, which serves as the official privacy advisory body to the European Commission, concluded that the directive had been implemented unlawfully.

A spokeswoman for Portugal's National Data Protection Commission (CNPD) told Bloomberg BNA that the regulator is “truly satisfied” with the ECJ ruling.

“As far as companies go, given that there is no ruling either by Portuguese courts or the CNPD to not apply national law, they must continue to scrupulously comply” with the country's data retention law, Clara Guerra, CNPD consultant for communication and international affairs, said.

The ECJ decision “has no effect on national laws,” but the CNPD needs “more exhaustive analysis” of its national data retention law to decide whether to continue its enforcement, she said. It is possible that extra privacy protections might not need to be added to the national law to make it compliant with the ECJ's interpretation of EU privacy law because the law already has provisions providing judicial control over data access requests and limits on who is authorized to access data, Guerra said.

U.K., Ireland

A U.K. Information Commissioner's Office spokesman told Bloomberg BNA that the ICO would defer to the government's response to the ECJ ruling. The ICO “can only regulate the law as it stands in the U.K.,” he said.

A spokeswoman for the U.K. Home Office, the government department responsible for combating terrorism and crime, said “the retention of communications data is absolutely fundamental to ensure law enforcement have the powers they need to investigate crime, protect the public and ensure national security.”

A spokeswoman for Ireland's Office of the Data Protection Commissioner told Bloomberg BNA that the office had supported the court challenges in Ireland that were directly considered by the ECJ and “therefore very much welcomes” the ECJ ruling.

“We understand that this matter has been referred back to the Irish Courts for consideration in relation to national law and so it would be a matter for the Courts to consider the implications of the ECJ ruling on national law.”


France's data protection authority, CNIL, said in a statement provided to Bloomberg BNA that is hasn't decided how to react to the ECJ decision.

After France transposed the directive in 2011, CNIL criticized the national law, saying it overlapped other anti-terrorism laws and created “legal uncertainty” for privacy protection.

The Internet Corporation for Assigned Names and Numbers (ICANN) March 12 granted a French Internet domain registrar a waiver of ICANN's data retention requirements.

The European Data Protection Supervisor is urging ICANN to grant a blanket waiver to EU registrars in light of the ECJ ruling.


“I agree with all chief issues given by the Court,” Wojciech Rafal Wiewiorkowski, the director of the Polish data protection authority, GIODO, told Bloomberg BNA. The ruling won't have an immediate impact on Polish law, but the government will have to consider if there is a good reason to enforce the law, he said.

“The home law should not disappear in the moment when the Data Retention Directive has disappeared,” he said, adding that there will be a discussion in the Polish Parliament soon on the retention of the telecommunications data.

Benelux Countries

The Belgian Commission for the Protection of Privacy, the Dutch Data Protection Authority and the Luxembourg National Commission for Data Protection told Bloomberg BNA that they broadly welcomed the ECJ ruling, which they said largely vindicated their formal advisory opinions on problems with the directive.

But they added that they had no powers to intervene in national law and would have to wait to see how their respective governments respond.

Eva Wiertz, spokeswoman for the Belgian Commission for the Protection of Privacy, told Bloomberg BNA that the commission expects a legal challenge to the Belgian law from privacy advocacy groups, which have raised through crowdfunding sufficient money to launch a challenge.

Dutch Data Protection Authority spokeswoman Merel Eilander told Bloomberg BNA that DPA Chairman Jacob Kohnstamm has said the Dutch government would be “wise” to change its data retention law.

Netherlands State Secretary for Security and Justice Fred Teeven told the Dutch House of Representatives April 8 that the government would take about eight weeks to consider the implications of the ECJ decision.

Gérard Lommel, president of the Luxembourg National Commission for Data Protection, told Bloomberg BNA that Luxembourg's data retention law could be improved with clearer data security obligations for companies that are obliged to retain data and defined best practices to prevent unauthorized access, he said.


The ECJ ruling “goes in the direction we have always hoped for a stronger protection of rights,” Antonello Soro, president of Italy's Garante per la Protezione dei Dati Personali, told Bloomberg BNA.

Communications contact data “is not neutral information,” Soro said. “It reveals a great deal about us and our private lives. Conservation of this data over long periods exposes it to great risk.”

He said the ECJ decision strikes “a balance between two values: security and privacy, which in recent years had been significantly misaligned.”


The Hellenic Data Protection Authority hasn't adopted an official position concerning the ECJ ruling, DPA Director Dimitris Zografopoulos told Bloomberg BNA.

“I believe the Greek government has to abolish, as soon as possible, national provisions having implemented the Directive,” he said. Until then, the DPA won't apply the national law “in order to preserve the above rights of the persons concerned” and to avoid further governmental responsibility, Zografopoulos said.

Nordic Countries

Sweden's Post and Telecom Authority (PTS), which regulates Sweden's electronic communications sector, said in a statement that it would now be “very difficult” to take action against companies that didn't comply with the data retention requirements of the national law implementing the directive.

Following the publication of the PTS statement, Swedish telecommunications companies Alltele and Bahnhof AB announced that they had deleted personal data that they were required to store under the terms of the directive.

Norway, which is not a member of the EU but is part of the European Economic Area (EEA) and was therefore under a treaty obligation to abide by the directive, issued a statement through its Data Protection Agency saying that the ECJ ruling means that EU and EEA nations no longer have a duty to abide by the directive. Because the “directive as such is now illegal,” Norway is “no longer required to implement it under the EEA Agreement.”

Data protection authority officials in Finland and Denmark told Bloomberg that the implications of the ECJ ruling were still being considered.

U.S. Groups Petition White House

Meanwhile in the U.S., a coalition of privacy groups April 16 sent a letter to the White House urging the Obama administration to recognize the ECJ's opinion.

The groups said the ruling “bears directly on the White House's review of the NSA Telephone Records Collection Program and also the White House study of Big Data and the Future of Privacy.”

To contact the reporters on this story: Jabeen Bhatti in Berlin; Brett Allan King in Madrid; Ali Qassim in London; Rick Mitchell in Paris; Bogdan Turek in Warsaw; Stephen Gardner in Brussels; Eric Lyman in Rome; Christine Pirovolakis in Athens; and Marcus Hoy in Copenhagen at

To contact the editor responsible for this story: Donald G. Aplin at

The U.S. privacy groups' letter to the White House is available at

Request Bloomberg Law Privacy and Data Security