Following European Court of Justice's Lead, Austria First to Nullify Data Retention Law

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Jabeen Bhatti  

June 30 — The Austrian Constitutional Court (VfGH) June 27 nullified the country's data retention law, becoming the first European Union member state to move to implement the ruling by the EU's highest court that the Data Retention Directive (2006/24/EC) is invalid.

The Austrian court ruling reflects the reality of the need to eliminate laws in member states that transposed the Data Retention Directive, which was recently nullified by the European Court of Justice court, Lukas Feiler of Baker & McKenzie LLP in Vienna, told Bloomberg BNA June 30.

Amid continuing concerns about government surveillance, the European Court of Justice ruled in April that the Data Retention Directive contravenes the privacy rights of individuals and is therefore invalid. The directive required EU member states to adopt laws obliging telecommunications companies and Internet service providers to retain certain unique user data for up to two years, and to provide the data to law enforcement authorities if requested.

The Austrian ruling is “very significant in the sense that it is the first constitutional court of a member state that has followed the European Court of Justice,” Feiler said. Austria “is setting a very good example of how to implement the ECJ's decision and that is by invalidating national implementation of the directive,” he said.

Follows ECJ Reasoning

The VfGH ruling overturned May 2011 data retention amendments to the Austria Telecommunications Act 2003, the Security Police Act and the Code of Criminal Procedure. The court said the amendments contradict “the fundamental right to data protection as well as Article 8 of the European Convention on Human Rights (Right to Respect for Private and Family Life),” the court said in a statement announcing the ruling.

The VfGH's legal reasoning is in line with the ECJ's reasoning, Feiler said.

The ECJ ruled the directive contravened the privacy rights of individuals and violated the principle of proportionality, despite some legitimate grounds for retention of communications traffic data for law enforcement and antiterrorism purposes. Similarly, the VfGH ruled that although data retention regulations “may be admissible to fight serious crime,” they must conform to data protection requirements and the Convention on Human Rights, according to the Austrian court's statement.

“In their context, the data retention provisions in the Telecommunications Act, in the Code of Criminal Procedure, and in the Security Police Act now challenged constitute an excessive interference and such a violation of the fundamental right to data protection,” the court statement said.

Data Retention ‘Dead in the Water. ’

Austria's now defunct data retention legislation required telecommunications, e-mail and Internet service providers to save data, such as login names, Internet protocol addresses, user names and addresses, login and logout times and the addresses of incoming and outgoing e-mails, for six months. The law didn't require the content of e-mails or phone calls to be stored.

Both the EU and Austrian court decisions will make it difficult for legislators to move ahead with any further data retention laws in Europe, Feiler said.

“My assessment would be that this is dead in the water, there will not be a second data retention directive,” Feiler predicted. “Specifically in Austria, there will be no attempt to legislate around the ECJ's decision and now around the Austrian Constitutional Court's decision because requirements formulated by both courts are so strict,” he said.

It would be impossible for lawmakers to formulate data retention legislation that would meet those requirements, he said.

Data protection authorities in the EU member states welcomed the ECJ ruling when it was announced, but offered differing views on how they would act regarding complaints and enforcement issues related to the laws that transposed the data retention directive while awaiting action by courts and legislatures in their countries.

To contact the reporter on this story: Jabeen Bhatti in Berlin at

To contact the editor responsible for this story: Donald G. Aplin at

Request Bloomberg Law Privacy and Data Security