Mark Leiser: I am a PhD Candidate in Cyber Law at the University of Strathclyde in Glasgow. I have written submissions for the Leveson Inquiry into the culture and ethics of the media and for the Scottish Parliament on the use of social media during trials. My PhD is supervised by Professor Andrew Murray at the London School of Economics and focuses on the effectiveness of cyber-regulation. My research and interests revolve around the main areas of Internet law and policy, including internet governance & regulation, democracy, social media, privacy, and intellectual property. My PhD research focuses on developing a system of modelling to measure the effectiveness and legitimacy of Internet Regulation. I write in a personal capacity.
The Court of Justice has ruled that the Data Retention Directive entailed a wide-ranging and particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data, without that interference being limited to what is strictly necessary.
As a result, what will happen to the national legislation that was introduced as a result of this Directive? The Directive is a non-starter in its current form. We won’t know for sure what will happen to the national legislation until more legal challenges start to pop up to deal with those statutory provisions that were implemented to give effect to the Directive.
Digital Rights Ireland brought a challenge about data retention – these are the laws that require Internet Service Providers (ISPs like BT, Sky & Virgin) to spy on you by logging all of the data that comes alongside your online, digital footprint - your GPS location, your emails, your text messages, and your mobile phone use. They were required to store that information for up to two years. Digital Rights Ireland had argued that this was “mass surveillance” and taking place “on the entire population”.
Digital Rights Ireland argued that this was disproportionate - spying - without any suspicion of any kind and therefore a breach of the right to privacy, the Constitution, the European Convention on Human Rights and the Charter of Fundamental Rights.
Legally, the Directive is gone and so each piece of legislation must stand or fall in local courts without having any EU backing.
What the Directive was there to do was to ensure that, where communications were retroactively found to have been ongoing between Terrorist A and Terrorist B, the retained data was good enough to identify the subscriber or the user. What it was not designed to do was to permit the content of the communication or of the information to be used. Digital Rights Ireland had challenged the Irish authorities regarding the national measures that Ireland had implemented on the retention of data relating to electronic communications.
The main objective of the Data Retention Directive was to harmonise Member States’ provisions concerning the retention of certain data which are generated or processed by providers of publicly available electronic communications services or of public communications networks. Like a lot of surveillance legislation, the purpose was to ensure that data was available for “the purpose of the prevention, investigation, detection and prosecution of serious crime, such as, in particular, organised crime and terrorism.”
The judgement today means that the Directive is invalid.
The Court observed that retaining all of the data in the manner that it did made it possible “to know the identity of the person with whom a subscriber or registered user has communicated and by what means”. It also made it possible to identify the time of the communication as well as the place from which that communication took place, and to know the frequency of the communications of the subscriber or registered user with certain persons during a given period. This meant that, collectively, the data may make it possible to identify very precise information on the private lives of the persons whose data are retained: the “habits of everyday life, permanent or temporary places of residence, daily or other movements, activities carried out, social relationships and the social environments frequented”. This would have been a violation of the fundamental right to privacy and to the protection of personal data.
Furthermore, the fact that data is retained and subsequently used without the subscriber or registered user being informed is likely to generate in the persons concerned a feeling that their private lives are the subject of constant surveillance. The Court then examined whether such an interference with the fundamental rights at issue is justified. It states that the retention of data required by the directive is not such as to adversely affect the essence of the fundamental rights to respect for private life and to the protection of personal data.
“The directive does not permit the acquisition of knowledge of the content of the electronic communications as such and provides that service or network providers must respect certain principles of data protection and data security.
“The retention of data for the purpose of their possible transmission to the competent national authorities genuinely satisfies an objective of general interest - namely the fight against serious crime and public security. However, the Court is of the opinion that, by adopting the Data Retention Directive, the EU legislature has exceeded the limits imposed by compliance with the principle of proportionality.”
“In that context, the Court observed that, in view of the important role played by the protection of personal data in the light of the fundamental right to respect private life and the extent and seriousness of the interference with that right caused by the directive, the EU legislature’s discretion is reduced, with the result that review of that discretion should be strict. Although the retention of data required by the directive may be considered to be appropriate for attaining the objective pursued by it, the wide-ranging and particularly serious interference of the directive with the fundamental rights at issue is not sufficiently circumscribed to ensure that that interference is actually limited to what is strictly necessary.”
The Court also found that the Directive does not provide sufficient safeguards to ensure effective protection of the data against the risk of abuse and against any unlawful access and use of the data. Without any requirements to ensure the irreversible destruction of the data at the end of the two-year retention period, there were not suitable security measures in place. In particular, the Court ruled that the Directive allows regard to be had to economic considerations when determining what type of security measures to implement, and that it does not ensure the irreversible destruction of the data at the end of their retention period.
Hannes Swoboda, Chair of the Group of the Progressive Alliance of Socialists and Democrats in the European Parliament, said:
"The European Court of Justice has done more for citizens' privacy today than the European Council – which has consistently blocked efficient data-protection legislation at European level – has done in years. It is high time for the Council to bring forward good legislation on data protection, as adopted by the European Parliament last month.
"Surveillance must always be the exception, not the rule. Mass collection of data, be it from governments, service providers or companies, cannot be accepted and police access to citizens' data must be targeted and authorised by a judge".
Claude Moraes, the European Parliament's lead investigator on the NSA scandal and S&D spokesperson on civil liberties, justice and home affairs, said: "Today's ruling by the ECJ comes at an extremely timely moment given the ongoing debate, both in the US and in the EU, following Edward Snowden's revelations that many tech companies may have been actively or passively part of mass surveillance activities.
"The increase in the use of technology, including mobile devices, and the collection of data on user behavior by companies has offered police and intelligence agencies unique opportunities that did not exist before. Today's ruling aims at striking the correct balance between ensuring that intelligence agencies continue to do the vital job of protecting us against terrorist and cyber threats, and protecting EU citizens' data. It highlights that data retention must always remain proportional to the risks and in line with fundamental rights.
"We have led the way on investigating the Edward Snowden revelations and have pushed for a European Digital Bill of Rights to protect EU citizens' fundamental rights and privacy. The ECJ ruling on data retention is another step towards achieving this aim and one which will be high on our political agenda in the next mandate of the European Parliament."
Views of writers are not necessarily those of The Drum.