from the principles-of-proportionality-and-necessity dept
Back in April last year, we wrote about a surprising and hugely important ruling by Europe's top court that the framework for data retention in Europe -- the Data Retention Directive -- was "invalid". That was largely because it allowed data retention on a scale that was disproportionate. But an interesting question that arises from that decision is: if the Directive itself is invalid, where does that leave all the EU agreements and laws that require data to be retained? What exactly is their legal status now that the Directive has been struck down? Are they invalid too?
A few months ago, we reported on the leak of a document from a closed meeting of EU Justice and Home Affairs ministers, which suggested that "general and blanket data retention" is no longer possible in the EU, because of the top court's ruling. Independently of that legal opinion, one of the key EU committees -- that dealing with civil liberties -- asked the European Parliament's internal Legal Services for a formal study on the question. That report has now been completed (pdf), and the digital rights organisation Access has obtained a copy. It has also put together an accessible post explaining the key points:
the European Parliament legal services indicates that these agreements [involving data retention], while controversial, are still valid as they benefit from "presumption of legality". However, the report then adds "That said, the 'presumption' of legality of EU acts can also be rebutted and so it cannot be excluded, at this stage, that any other EU act could suffer the same fate as the data retention Directive". Therefore, all existing agreements currently in place remains valid, however, citizens can request the Commission to look into the validity of these agreements, or they can choose to take legal action to test their validity.
In other words, it is the view of the European Parliament's Legal Services that citizens can challenge any EU agreement or law involving data retention so that its validity is examined in the light of the court's ruling. There are two main classes affected.
The first is agreements that the EU has made with other nations. These include the Passenger Name Records agreements (PNR) and the Terrorist Finance Tracking Programme (TFTP). The former allows details of EU air passengers to be passed to other countries (notably the US), while the TFTP allows financial information to be shared (again, mostly with the US.) Successful legal challenges to these would cause huge problems for EU-US co-operation in the realms of counter-terrorism and beyond.
The second class potentially affected by the latest opinion is the national laws passed by EU Member States to implement the Data Retention Directive. It is the EU Legal Service's view that these national laws are also covered by the European court's decision, and that they too may be invalid if disproportionate. As Access explains:
Concerning member states' existing legislation on data retention, the EP legal services clarifies that, while the ruling does not outlaw these national laws, it does created a "twofold effect". First, since member states are no longer obliged by law to retain communication data, they can then decide to repeal their related laws -- as several countries such as Austria or Romania have done since the ruling. Second, if member states were to decide to keep measures for the retention of communication data, such rules would fall under EU legislation from 2002, the so-called E-privacy Directive.
As Access goes on to point out, it seems extremely unlikely the UK's new Data Retention and Investigatory Powers Act (DRIP), rushed through as result of the European court's ruling, would be in compliance. The latest study from the European Parliament's Legal Services is therefore likely to encourage digital rights organizations to add yet another challenge to DRIP, making it even more likely that it, too, will be struck down for being disproportionate, just as the Data Retention Directive was.
Therefore, member states must ensure that their national laws on data retention comply with the EU Charter of Fundamental Rights and fulfill the requirements laid down in the E-privacy Directive regarding the principles of proportionality and necessity. And perhaps, most importantly, the report then adds that all the criteria set out by the Court in its ruling on the need for safeguards, proportionality and the "existence of clear and precise rules" must be included in these national laws. As a result all existing national acts on data retention should be examined on a case-by-case basis to check their compliance with those criteria.