EU Data Retention Requirements Ruled 'Invalid' By EU Court Of Justice
from the no-more-"because-terrorism" dept
Back in December, we reported on a slightly mixed ruling from the EU Court Of Justice's Advocate General regarding the 2006 Data Retention Directive, which obliges European telecom companies to retain metadata about their customers. Although the Advocate found the Directive incompatible with fundamental European rights, he proposed merely suspending it until it was fixed. His opinion was not binding on Europe's highest court, but was generally regarded as indicative of the final verdict.
Today, the EU Court Of Justice (ECJ) handed down its judgment. As expected, it does follow the same general lines as the Advocate's view, but in a surprising and welcome turn of events, it goes far beyond it in the harshness of its condemnation and finality of its ban (pdf)
The Court of Justice declares the Data Retention Directive to be invalid
The ECJ clarified what exactly it meant when it declared the Directive "invalid":
It entails a wide-ranging and particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data, without that interference being limited to what is strictly necessary.
Given that the Court has not limited the temporal effect of its judgment, the declaration of invalidity takes effect from the
date on which the directive entered into force.
In other words, it is not just invalid from today's judgment, it was invalid from the moment it came into existence -- a pretty stunning slap down. The Court has no hesitation in declaring that blanket data retention interferes with fundamental rights (the emphasis below is in the original):
The Court takes the view that, by requiring the retention of those data and by allowing the competent national authorities to access those data, the directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data. Furthermore, the fact that data are retained and subsequently used without the subscriber or registered user being informed is likely to generate in the persons concerned a feeling that their private lives are the subject of constant surveillance.
Equally, the Court does recognize that there are valid circumstances for retaining such personal data:
the retention of data for the purpose of their possible transmission to the competent national authorities genuinely satisfies an objective of general interest, namely the fight against serious crime and, ultimately, public security.
The key issue -- one that Techdirt has emphasized many times -- is proportionality, and here the ECJ has no doubts:
the Court is of the opinion that, by adopting the Data Retention Directive, the EU legislature has exceeded the limits imposed by compliance with the principle of proportionality.
The Court goes on to list three specific ways in which the Data Retention Directive fails the test of proportionality. First, it notes that the Directive specifies that all data must be retained, without any kind of "differentiation, limitation or exception being made in the light of the objective of fighting against serious crime." That is, the "collect it all mentality" that has infected security services is inherently disproportionate and thus unacceptable.
The Court then notes that there are no objective criteria that can be used to assess whether the police or other authorities are allowed to access that data: again, pretty much anything goes with the current Directive. In addition:
the directive does not lay down substantive and procedural conditions under which the competent national authorities may have access to the data and subsequently use them. In particular, the access to the data is not made dependent on the prior review by a court or by an independent administrative body.
It's perhaps not surprising to see Europe's highest court insisting that national authorities need to ask a judge for permission to access highly personal data, but it's a hugely important reminder of the need to do so against a background where governments seem to regard such formalities as optional and dispensable.
Finally, the ECJ points out that there are no objective criteria for setting the Directive data retention period as between six and 24 months, and that no distinctions are made based on the kind of data stored, and about whom. It also notes that the Directive does not address the important issues of abuses or unlawful access, that nothing is said about how data should be destroyed at the end of the retention period, and there is no requirement for data to be retained within the EU at all times.
As with the Advocate's opinion, the ECJ's judgment offers implicit guidance on how the major flaws in the Data Retention Directive might be addressed -- with the important difference that the Court has imposed far more stringent conditions that will require those drafting any new Directive to be much more cautious in the requirements they lay down. Even if that's possible, the end result is likely to be a far meeker version of the current Directive.
It's also not yet clear what the status of existing national legislation implementing the Directive is now. These laws were passed by the EU member states in order to comply with the Directive; now that the Directive is invalid, it presumably means that they, too, are invalid. Will they be repealed by governments, or will they continue until challenged in national courts? Those are questions that politicians and lawyers around Europe will doubtless be discussing with some urgency. Here's what the European Commission claims:
National legislation needs to be amended only with regard to aspects that become contrary to EU law after a judgment by the European Court of Justice. Furthermore, a finding of invalidity of the Directive does not cancel the ability for Member States under the e-Privacy Directive (2002/58/EC) to oblige retention of data.
One thing is for certain: the large-scale and disproportionate surveillance activities carried out by the NSA and GCHQ within Europe, which bear many similarities to those authorized under the Data Retention Directive, cannot now be justified by invoking "national security". Today's ruling by the EU Court of Justice means that "because terrorism" is no longer a trump card that can be used in Europe to justify anything and everything.