(May 21, 2014) On April 8, 2014, the Court of Justice of the European Union (ECJ) issued a much-anticipated judgment concerning the legality of Directive No. 2006/24/EC, commonly referred to as the Data Retention Directive. (Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the Retention of Data Generated or Processed in Connection with the Provision of Publicly Available Electronic Communications Services or of Public Communications Networks and Amending Directive 2002/58/EC, 2006 O.J. (L105) 54, EURLEX.)
The Directive was challenged on the grounds of infringement of the right to private life and of the right to protection of the personal data of individuals, as enshrined in the Charter of Fundamental Rights of the European Union. (Charter of Fundamental Rights of the European Union, 2012 O.J. (C326) 391, EURLEX.) The High Court in Ireland and the Constitutional Court of Austria posed the preliminary questions to the ECJ and requested that the ECJ review the legality of the Data Retention Directive. (Grand Chamber Digital Rights Ireland Ltd (C-293/12) v. Minister for Communications, Marine and Natural Resources [hereinafter Grand Chamber case] (Apr. 8, 2014), EURLEX.)
The Data Retention Directive required telecommunications companies and Internet service providers to retain traffic and location data belonging to individuals or to legal entities. The retention period was to last from six months to two years. The sole purpose of processing and storing personal data was to allow access to that data to national competent authorities for the prevention, investigation, and prosecution of serious crime, such as organized crime and terrorism. The content of communications of individuals was not retained. (Press Release No. 54/14, ECJ, The Court of Justice Declares the Data Retention Directive to Be Invalid (Apr. 8, 2014).)
Judgment
The ECJ, in its analysis of the Data Retention Directive, stated that the Directive must contain clear and precise rules concerning the processing and storing of personal data and must also include certain safeguards to ensure that individuals whose data are retained have certain guarantees “against the risk of abuse and against any unlawful access and use of that data.” (Grand Chamber case, ¶ 54.)
The ECJ then proceeded to examine whether the interference by national authorities as authorized in domestic legislation was proportionate to the objective pursued. According to the settled case law of the Court, the EU legislation in question must meet the standards of being “appropriate” and “necessary” in order to achieve its objectives. The ECJ reasoned that considering the important role of electronic communications in the investigation of crimes and the corresponding need of national authorities to access data, the retention of data is an important tool and is appropriate to achieve its goals. As far as the necessity test, the ECJ observed that the scope of the Directive is far reaching, extends to all subscribers and telephone users, and is not limited to those individuals whose data may lead to legal action. (Id. ¶¶ 56 & 58.)
However, the ECJ stated that the Directive neither establishes limits of access, either substantive or procedural, applicable to competent national authorities using the data retained,, nor requires the Member States to establish such limits. (Id. ¶¶ 59-62.)
The ECJ concluded that the Directive “entails a wide-ranging and particularly serious interference with those fundamental rights in the legal order of the EU, without such an interference being precisely circumscribed by provisions to ensure that it is actually limited to what is strictly necessary.” (Id. ¶ 65.)
Regarding the security and protection of data to be retained, the ECJ held that Directive 2006/24 does not contain sufficient safeguards, as required by article 8 of the Charter of Fundamental Rights of the European Union, to ensure effective protection of the data retained against the risk of abuse and against any unlawful access and use of that data. The Court went on to state that Directive 2006/24 does not contain rules that are specific and adapted to: (i) the vast quantity of data whose retention is required by that directive, (ii) the sensitive nature of that data, and (iii) the risk of unlawful access to that data, rules which would serve, in particular, to govern the protection and security of the data in question in a clear and strict manner in order to ensure their full integrity and confidentiality. Furthermore, a specific obligation on Member States to establish such rules has also not been laid down. (Id. ¶ 66.)
Consequently, the ECJ held that the EU legislative bodies, by adopting Directive 2006/24, exceeded the limits imposed by the principle of proportionality in light of articles 7, 8, and 52(1) of the Charter. It therefore held the Directive to be invalid. (Id. ¶ 73.)