EU Data Retention Following the Invalidation of Directive 2006/24/EC

In the joint cases of C-293/12 (Digital Rights Ireland) and C-593/12 (Seitlinger) (April 2014) the CJEU ruled that the Data Retention Directive 2006/24/EC was invalid. The directive effectively required that all citizens telecommunications data (IP address, emails, text messages, phone calls) be retained for a minimum of six months to a maximum of twenty four months should police agencies need to request it. The Directive had long been the subject of criticism by commentators within the EU who argued that it was too far reaching and arbitrary and therefore disproportionate in terms of its negative effect on fundamental rights in seeking to reach its objectives. Indeed, Peter Hustinx (European Data Protection Supervisor) referred to it as “the most privacy invasive instrument ever adopted by the EU in terms of scale and the number of people it affects.” Aside from affecting individuals, EU commentators argued that it has an adverse effect on certain sectors such as law and journalism where confidential communications legitimately require a degree of non-traceability.

If the directive is somewhat draconian in its form and potentiality (depending on the discretion of the member states in implementing it) it is perhaps best understood in the context of the post 9/11 political atmosphere. Its successful implementation and wide scope is also best understood from the viewpoint of the European Council as its main proponent. Even prior to 9/11 the UK, with strong US support, had been intensely lobbying the EU institutions to make EU wide provisions for data monitoring and retention for potential use by the police and intelligence agencies. This intensified following the terror attacks in London and Madrid. It is little surprise that the momentum for the Directive really began under the UK’s Presidency of the European Council. The result of course was a data retention directive which was rushed (steamrolled through in only three months), insufficiently defined in terms of its scope, and with a wide margin of appreciation, presumably aimed at garnering the support of both proponents and skeptics when time was considered to be of the essence. Those member states who were unable to get the required legislation passed at domestic level funneled their energies through the Council to convince the Commission to support and legislate.

To add another twist to the the tale, in 2006 Ireland and Slovakia voted against the adoption of the Data Retention Directive (hereafter the DRD). Ireland, supported by Slovakia, took a case against the EU Parliament and Council (Case-301/06) asking the CJEU to annul the directive on the grounds that it had not been adopted on an appropriate legal basis. It was adopted on the legal basis of Art 95 EC concerning the functioning of the internal market where it should have been adopted – according to Ireland and Slovakia – on the basis of those Articles relating to police and judicial cooperation on criminal matters within the EU. The CJEU disagreed and held that the various data retention measures adopted by various member states even prior to the DRD had definite economic implications and consequences for telecommunication service providers and the different approaches would have a notable effect on the functioning of the internal market in the absence of some degree of harmonisation on this basis. It also pointed out that the DRD provisions relate solely to service providers and does not govern actual access to data by police or intelligence agencies. Note how no challenge was made on the basis of fundamental rights at that time.

What the Irish government, supported by Slovakia and the UK, were actually seeking was a data retention period greater than a maximum of two years. The CJEU held this would obstruct harmonisation in the EU where certain member states (particularly those previously under Soviet influence one would imagine) would strongly oppose. In any case, the decision of the CJEU to invalidate the DRD has left member states, and indeed the EU institutions, in a state of uncertainty as to what route to take now in order to ensure compliance. Some have effectively chosen to take the opinion on board but to change little if anything (UK and Ireland). Others are trying to frame new legislation in light of the CJEU opinion (Netherlands).

The main point we can take away from the courts decision here is that, moving forward, an arbitrary blanket approach to data retention is not per se legal under EU law. In Romania in July 2014 a date retention Bill (nicknamed the ‘Big Brother’ Bill), deemed to be too wide ranging and arbitrary, was struck down in the Romanian courts on constitutional grounds. In February 2015 the Dutch government was advised by the Dutch Data Protection Agency to take into consideration the CJEU ruling and not present the draft data retention Bill to parliament. The draft Bill was in fact designed to address the fundamental rights concerns of the CJEU decision but the Dutch DPA advised that it did not in fact go far enough. Despite introducing certain safeguards such as: a reduction in the retention time limit to between six and twelve months; and the requirement for judicial approval for police agencies seeking access to private data, the Bill was still deemed to be in violation of the proportionality, necessity and subsidiarity principles.

Any legislation seeking to comply with the CJEU decision will have to be far less wide ranging and give sufficient safeguards for fundamental rights, specifically privacy. This will be difficult if the Bill is to have any real substantive effect in the eyes of those member states concerned with national security and fighting terrorism. The decision of the CJEU was interesting in that it seemed to equate collection/retention of data with access. This can be read to mean that collection, retention and access all equally amount to surveillance. If this were to be the case, any future legislation would have to be: (a) very narrow in scope, perhaps with a six month maximum retention period; (b) strict in terms of allowing access and usage to data; (c) strongly committed to ensuring data security during retention; (d) against the sharing of EU citizen data outside the EU; and; (e) possibly open to providing strict guidelines for data destruction or erasure.

Given the Snowden revelations, which are apparently still forthcoming, many have seen the decision of the CJEU as signaling the reigning in of (perhaps even the end of) mass surveillance in the EU. Many will celebrate this. Others, however, will take a different view. For the UK government it is a setback but for many UK citizens and data privacy advocates any amendments made in light of the decision will be a welcome relief and vindication of the right to privacy, especially given the UK governments recent proposal to bypass encryption in certain cases for the purpose of monitoring subversive individuals. Other EU countries such as Germany, Romania, Hungary, Austria, the Czech Republic and Cyprus have already launched successful constitutional challenges to strict forms of domestic data retention legislation. For them, any further Directive could be deemed more than is necessary even with certain safeguards in tow. It will certainly be interesting to see how this issue progresses both nationally and within the EU institutions. In the meantime however, it is unlikely that the UK and Ireland will trip over each other rushing to legislate in light of the CJEU decision.