In a judgment of the Grand Chamber on 8/4/14 the CJEU has ruled that the EU’s Data Retention Directive (2006/24/EC) is invalid. Joined Cases C-293/12 Digital Rights Ireland and C-594/12 Seitlinger were heard together and generated much interest from privacy and digital rights groups, Member States and the media.
The Court examined the Directive on the basis of fundamental rights relating to privacy and data protection, Articles 7 and 8 of the Charter, and found that the Directive exceeded a justified level of proportionate interference with those rights. The judgment is significant for, amongst other things, its approach to reviewing EU legislation in the light of fundamental rights. It held that the review of legislation by the CJEU in such circumstances should be strict.
The Directive is concerned with obligations on electronic communications businesses to retain data generated by them for billing purposes for periods of between six months and two years (depending on national legislation). The CJEU acknowledged that the Directive does not permit acquisition of knowledge of the content of the communications, but said that the data which could be retained (including the time, place and recipient of a communication) may allow very precise conclusions to be drawn concerning the private lives of persons and that they are likely to have the feeling that their private lives are subject to constant surveillance.
The Directive was introduced following the Madrid bombings. The CJEU held that its objective of ensuring security was a legitimate and appropriate aim. A number of Member States (including the United Kingdom) and the EU institutions supported the usefulness of such data retention obligations for the purposes of investigations into criminal and terrorist activity and the safeguards on accessing such data.
The CJEU relied on a number of factors in its ruling. These included the facts that the obligation applies to persons for whom there is no evidence suggesting their conduct may have a link, even remote, with serious crime; is not specifically restricted to particular time periods, persons or geographical zones; and does not contain express reference to the conditions for accessing such data or for assessing the length of retention, so as to ensure that it does not exceed what is strictly necessary. The CJEU also criticised the Directive for not laying down clear and strict rules to govern the protection and security of the data, and for not requiring the data to be held in the EU and to be irreversibly destroyed at the end of the period.
It remains to be seen what steps the EU will now take in terms of establishing a new data retention obligation.
The judgment is here.
The BBC news report is here.
Sarah Lee appeared for the United Kingdom.