EU Data Retention Requirements Ruled 'Invalid' By EU Court Of Justice
from the no-more-"because-terrorism" dept
Back in December, we reported on a slightly mixed ruling from the EU Court Of Justice’s Advocate General regarding the 2006 Data Retention Directive, which obliges European telecom companies to retain metadata about their customers. Although the Advocate found the Directive incompatible with fundamental European rights, he proposed merely suspending it until it was fixed. His opinion was not binding on Europe’s highest court, but was generally regarded as indicative of the final verdict.
Today, the EU Court Of Justice (ECJ) handed down its judgment. As expected, it does follow the same general lines as the Advocate’s view, but in a surprising and welcome turn of events, it goes far beyond it in the harshness of its condemnation and finality of its ban (pdf)
The Court of Justice declares the Data Retention Directive to be invalid
It entails a wide-ranging and particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data, without that interference being limited to what is strictly necessary.
The ECJ clarified what exactly it meant when it declared the Directive “invalid”:
Given that the Court has not limited the temporal effect of its judgment, the declaration of invalidity takes effect from the date on which the directive entered into force.
In other words, it is not just invalid from today’s judgment, it was invalid from the moment it came into existence — a pretty stunning slap down. The Court has no hesitation in declaring that blanket data retention interferes with fundamental rights (the emphasis below is in the original):
The Court takes the view that, by requiring the retention of those data and by allowing the competent national authorities to access those data, the directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data. Furthermore, the fact that data are retained and subsequently used without the subscriber or registered user being informed is likely to generate in the persons concerned a feeling that their private lives are the subject of constant surveillance.
Equally, the Court does recognize that there are valid circumstances for retaining such personal data:
the retention of data for the purpose of their possible transmission to the competent national authorities genuinely satisfies an objective of general interest, namely the fight against serious crime and, ultimately, public security.
The key issue — one that Techdirt has emphasized many times — is proportionality, and here the ECJ has no doubts:
the Court is of the opinion that, by adopting the Data Retention Directive, the EU legislature has exceeded the limits imposed by compliance with the principle of proportionality.
The Court goes on to list three specific ways in which the Data Retention Directive fails the test of proportionality. First, it notes that the Directive specifies that all data must be retained, without any kind of “differentiation, limitation or exception being made in the light of the objective of fighting against serious crime.” That is, the “collect it all mentality” that has infected security services is inherently disproportionate and thus unacceptable.
The Court then notes that there are no objective criteria that can be used to assess whether the police or other authorities are allowed to access that data: again, pretty much anything goes with the current Directive. In addition:
the directive does not lay down substantive and procedural conditions under which the competent national authorities may have access to the data and subsequently use them. In particular, the access to the data is not made dependent on the prior review by a court or by an independent administrative body.
It’s perhaps not surprising to see Europe’s highest court insisting that national authorities need to ask a judge for permission to access highly personal data, but it’s a hugely important reminder of the need to do so against a background where governments seem to regard such formalities as optional and dispensable.
Finally, the ECJ points out that there are no objective criteria for setting the Directive data retention period as between six and 24 months, and that no distinctions are made based on the kind of data stored, and about whom. It also notes that the Directive does not address the important issues of abuses or unlawful access, that nothing is said about how data should be destroyed at the end of the retention period, and there is no requirement for data to be retained within the EU at all times.
As with the Advocate’s opinion, the ECJ’s judgment offers implicit guidance on how the major flaws in the Data Retention Directive might be addressed — with the important difference that the Court has imposed far more stringent conditions that will require those drafting any new Directive to be much more cautious in the requirements they lay down. Even if that’s possible, the end result is likely to be a far meeker version of the current Directive.
It’s also not yet clear what the status of existing national legislation implementing the Directive is now. These laws were passed by the EU member states in order to comply with the Directive; now that the Directive is invalid, it presumably means that they, too, are invalid. Will they be repealed by governments, or will they continue until challenged in national courts? Those are questions that politicians and lawyers around Europe will doubtless be discussing with some urgency. Here’s what the European Commission claims:
National legislation needs to be amended only with regard to aspects that become contrary to EU law after a judgment by the European Court of Justice. Furthermore, a finding of invalidity of the Directive does not cancel the ability for Member States under the e-Privacy Directive (2002/58/EC) to oblige retention of data.
One thing is for certain: the large-scale and disproportionate surveillance activities carried out by the NSA and GCHQ within Europe, which bear many similarities to those authorized under the Data Retention Directive, cannot now be justified by invoking “national security”. Today’s ruling by the EU Court of Justice means that “because terrorism” is no longer a trump card that can be used in Europe to justify anything and everything.
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Filed Under: data retention, disproportionate, eu, eu court of justice, privacy
Comments on “EU Data Retention Requirements Ruled 'Invalid' By EU Court Of Justice”
Huh
So that’s where the Fourth Ammendment wandered off to.
Re: Huh
The 4th Amendment is an American thing. It only covers Americans, in America.
And who have not communicated with any non-Americans. I’m Canadian. You’re welcome. And have you received any spam from China or Nigeria?
And who are not “three hops” from any suspects. Which yields a population larger than some US states who are OK to watch. Per suspect. The terror watch list having over 700,000 suspects.
Neither the 4th Amendment nor any other US law nor this EU Court Of Justice ruling stops the NSA from performing bulk surveillance in the EU.
And since turnabout is fair play, nothing stops EU countries from performing bulk surveillance in the US. (Or kidnapping suspects – including American citizens – off US streets for that matter.) Nor would the US have any credible right to complain.
It would not be cynical to assume that the NSA or CIA is obtaining information on it’s own citizens from other countries not bound by American laws on spying on Americans. But only because the cynical would point out that the NSA itself shows no sign of being so bound.
Re: Re: Huh
woosh
Re: Re: Re: Huh
ChurchHatesTucker cracked a silly and valueless joke and Roger Smith chose to ignore him and took the question seriously. I wish there were more Rogers and fewer CHTs out there.
Re: Re: Re:2 Huh
Couldn’t disagree more. The joke amused me. Humor has value. Roger Strong didn’t say anything I didn’t already know.
Too many people, like Strong, have no sense of fucking humor. I wish there were more CHTs and no Strongs.
Re: Re: Re:3 Huh
And your comment provided neither humor nor information, just petulant whining.
Re: Re: Re:4 Huh
You might want to look in the mirror when you say that.
Re: Re: Re:5 Huh
It’s alright. It’s your mom’s fault you’re not too bright, not yours.
Re: Re: Huh
So we kidnap a few Americans? OK, Can we torture them? OK, Can we start with Hayden? Then Cheney, yeah? Then finish up with Clapper and Dubya Bush?
Does this mean mandatory data retention without respect to a specific criminal investigation could nonetheless be considered legitimate if the law were worded just right?
It has taken 8 years to invalidate this law. Within 6-12 months there will be a new one, using different wordings, which accomplishes the same. (Idea: perhaps store data under the “you must be a pirate” mantra.) Another 8 years follow before that law has been taken down.
Lather, rinse, repeat.
Re: Re:
Actually the directive was struck down on both proportionality, potentially subsidiarity and encroachment on fundamental rights.
Prooving proportionality or subsidiarity in the requirements, is a bureaucratic burden and fixing those are time-consuming since it basically has to start the legislative process from scratch as in: DGs writing up a new and improved impact assessment, “open hearing” for people to comment on it, IAB smacking them around a bit to avoid an encore, national input, maybe regional input and definitely lobbyist input before it can reach the commission who can then start the political drafting process.
If this invalidation is as serious as it seems we are years away from new legislation!
and what is the first thing the german government says about it? they want to do it anyway…
Re: Actually
The German implementation of this directive has already been judged to be unconstitutional.
Re: Re: Actually
They want to introduce another one, for all I have seen, just as illegal, but they don’t care.
Re: Re:
Once CDU party member immediately took to Twitter claiming that this was a day for organized crime to celebrate. Of course he could offer NO evidence for data retentention (initially planned to be implementd to stop terrorism) would do anything about this nor how it did not surge since 2010 when the temporary data rentention was put on hold.
The CDU party is also thinking loudly about cutting the powers of the Bundesverfassungericht which smacked down several of the laws they cooked up.
Re: Re: Re:
Well there was a study done and the result was something along the lines of a 0.0006% increase of solved cases (in Germany), 6 more solved cases on a million solved cases, due to this data retention.
Quite hard to square the costs in 3rd parties, invasion of privacy and other negative effects if the benefit is that small.
but… but… terrorism. How can we catch it if we can’t see what everyone is doing all the time?
They might be able to think terrorist thoughts without us knowing. We can’t let them do it or the terrorists will win. It would be bad if the Terrorists win. You guys can’t do this or the Terrorists will win.
In the name of national security, don’t let the terrorists win. We need to break more laws than they do to even stand a chance.
There is one thing left out in the article.
This is a directive which the countries making up the EU have to implement in their own laws. Those laws have not (yet) been invalidated by this and most likely won’t be unless challenged in court.
Re: Re:
What happens to those laws will depend on how those countries have implemented it. And how the Charter of Fundamental Rights of the EU works.
In some theories, the CFREU applies to any EU law and any domestic law that is implementing EU law. So if the Data Retention Directive breaks the CFREU, any law trying to implement it will also break the CFREU and therefore be illegal. Depending on how that country handles legality of laws.
In the UK things are a bit weird as the Directive was implemented through a “Regulation” – which is a special kind of secondary legislation that the Government has the power to rush through under the original EU-joining Act. But this power can only be used to comply with EU obligations – and if the Directive is invalid, the Government couldn’t have used the power to introduce the Regulation – meaning that the Regulation is illegal.
So… over the next few days expect the various national governments and ISPs to come out with their plan for what they’re going to do next.
i wonder how the UK is going to take this? it wont be happy! i bet that it just carries on letting the NSA do what it wants, then get off of them the parts needed by the UK authorities and carry on like before. it’s a shame this wasn’t sorted out a while ago. the UK could easily have been in the poop over Greenwald’s partner and how he was stopped, detained and searched, then how the Guardian was forced to destroy HDDs to prevent info being printed. unbelievable that anyone would be childish and stupid enough to do this, but then think about the embarrassment caused
Re: Re:
With GCHQ being as it is a franchise operation for the NSA, it will indeed carry on doing what its masters tell them.
Amazing how so many English people, fear a loss of sovereignty to the EU which they are equals in, but are oblivious to the control exerted by the US which they have no influence with.
Actually, court made an error. Directive is not void because of privacy laws, but because it is a directive (separation of powers). Same for Obama’s EOs. These cannot create new laws. It is Congress’ business.
Since this decision is effectively retrospective to the date of implementation of this directive, does that mean that anyone convicted of crimes based on evidence obtained by exercising this directive (or the local laws made to comply with the directive) now have valid grounds of appeal?
Re: Re:
No.
This is great news for VPNs.