On April 8, the Court of Justice of the European Union’s (CJEU) ruled on the Data Retention Directive and invalidated this controversial European law.
Adopted in 2006, the Data Retention Directive required all telecommunications data – including mobile, landline phones, fax, and email – to be indiscriminately collected and retained by providers for a minimum of six months and up to two years.
Access Now welcomes this decision as it confirms what civil society has long argued: indiscriminate communications surveillance mandated by this directive violates fundamental rights. This post takes a closer look at the court’s ruling and what it means for the future of data retention in Europe.
What did the Court say?
1. The Directive interferes with fundamental rights
The Court acknowledged that processing and accessing personal data by authorities constitutes a “serious interference” with the rights to privacy and data protection as guaranteed under the EU Charter of Fundamental Rights. Such an interference therefore must be justified in accordance with the principles of necessity and proportionality. In this case, the Court concluded that the Data Retention Directive fails to meet these criteria, rendering the interference with these rights unjustified.
2. The rules set under the Directive are not proportionate
The Court established that the interference caused by the Directive goes beyond what is strictly necessary as it requires the retention of all communication traffic of all persons in the European Union. This mass retention of citizen’s activities, outside of the context of a criminal investigation, is a significant challenge to the very foundations of the rule of law and international human rights, namely the presumption of innocence.
The Court found the arbitrary time period for retention set out in the Directive – between six months and two years – problematic, particularly as it lacked a criteria upon which such time periods should be determined.
3. The Directive does not provide safeguards
The law does not define clear rules limiting the access and use of data retained by authorities. Indeed, since its adoption back in 2006, the implementation of the Directive in the EU member states lead to a series of abuses. In 2001, it was revealed that Irish police abused the database for personal reasons, such as to check up on daughter’s boyfriends or potentially cheating spouses. In Poland between 2005 and 2007, telecommunications traffic and subscriber data was used by two major intelligence agencies to illegally expose journalistic sources without any judicial control. And the list goes on. The Court therefore found that the Directive lacked the adequate, or minimum, safeguards needed to ensure the security and protection of the retained data.
Furthermore, the Directive does not provide rules to ensure that data retained must be deleted once the retention period has expired. Finally, and in the post-Snowden world, perhaps most chillingly, the Directive does not specify that the data be retained in Europe. If there are no guarantees that the data is stored on EU territory, authorities are unable to ensure the protection of such data as required by the Charter of Fundamental rights of the EU.
As a consequence of the disproportionate interferences with fundamental rights and the absence of safeguards, the Court decided to invalidate the Directive on Data Retention.
What does this ruling mean for the EU member states?
Since 2006, member states had to implement the rules set by the Data Retention Directive at national level. While the objective of this Directive was ostensibly to harmonise data retention rules in Europe, there is now a patchwork of 28 different rules implementing the directive.
As a consequence of the courts ruling, member states are no longer are under the obligation to retain data as mandated by this Directive and can now modify their legislation or even repeal national laws on data retention. For instance, Finland and Luxembourg have already announced that their national laws on data retention would be reviewed. Moreover, a Swedish ISP has already decided to delete all retained customer data in the wake of the court ruling.
Access Now strongly encourages member states to immediately reexamine the compliance of their data retention laws with the court’s recent ruling.
European Commission’s reaction to the ruling
The Commissioner for Home Affairs responsible for the creation of this Directive back in 2006, Cecilia Malmström, welcomed the court’s ruling as it “confirms the critical conclusions in terms of proportionality of the Commission’s evaluation report of 2011 on the implementation of the data retention directive.”
Ironically, the same year as this report, the European Commission fined the Swedish government three million euros for its delay in implementing the Data Retention Directive. It is unclear at the moment if Sweden will be able to get this money back from the European Union.
The Court of Justice of the European Union’s landmark ruling on the Data Retention Directive shows that security measures do not take precedence over the rights of privacy and data protection in Europe. This decision is especially important as the EU negotiates the adoption of modernised rules on data protection after adopting a report deploring the impact of mass surveillance programmes on EU citizens’ rights.
With this ruling, the European Union has justified its reputation as a global standard setter. Since the adoption of the Directive in 2006, several countries around the world have adopted similar rules. This ruling will reopen the debate on the relationship between the pursuit of law enforcement to fight terrorism and the protection of fundamental rights.
Access Now is encouraged by the Court’s decisive ruling and will be monitoring closely the national and international consequences of this ruling. As policymakers consider more broadly how to reform communications surveillance laws in the wake of this ruling, we urge them to turn to the International Principles on the Application of Human Rights to Communications Surveillance. The Principles provide a framework for assessing how human rights obligations apply in the context of communications surveillance. The Principles have been endorsed by more than 400 civil society organizations and over 50 legal experts and academics from around the world.