ECJ rules that 2006 Data Retention Directive is invalid for breaching right to privacy and protection of personal data

On April 8th, 2014, the Grand Chamber of the Court of Justice of the European Union (“ECJ”) issued a judgment declaring Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006, on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks, to be invalid. In response to two requests for a preliminary ruling, from the High Court (Ireland) and the Verfassungsgerichtshof (Austria)¹, the Court held that Directive 2006/24/EC did not comply with the principle of proportionality in light of Articles 7, 8 and 52(1) of the Charter of Fundamental Rights of the European Union (the “Charter”)².

Directive 2006/24/EC (the “Data Retention Directive”, or “Directive”) harmonised Member-State rules on the retention, by providers of publicly available electronic communications services or public communications networks, of certain traffic and location data related to fixed and mobile communications, internet access, e-mail and internet telephony. The aim was to ensure that the data in question remains available for purposes related to the investigation, detection and prosecution of serious crime, such as organised crime and terrorism.

The Directive covers an extensive array of traffic and location data, pertaining to communications by both legal entities and natural persons. Under Articles 3 and 5 of the Data Retention Directive, the data which providers must retain include data necessary to trace and identify the source of a communication, as well as its destination, to identify the date, time, duration and type of communication, to identify user’s communication equipment and the location of mobile handsets. Relevant information in this context consists of, among others, the name and address of the subscriber or registered user, the calling telephone number, the number called and the IP address for internet services.

Pursuant to Articles 1(2) and 5(2) of the Data Retention Directive, no data pertaining to the actual content of any communications may be retained. Nevertheless, as noted by the ECJ, the data which are to be retained make it possible “...to know the identity of the person with whom a subscriber or registered user has communicated and by what means, and to identify the time of the communication as well as the place from which that communication took place” as well as “the frequency of the communications of the subscriber or registered user with certain persons during a given period” (paragraph 26). The Court added that these data, taken as a whole, “... may allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them” (paragraph 27).

The Court held that the retention of data required by the Data Retention Directive constituted a particularly serious interference with the rights to the respect for private and family life and to the protection of personal data, guaranteed by Articles 7 and 8, respectively, of the Charter. The ECJ went on to consider that the Data Retention Directive did not adversely affect the essence of those rights and that the retention of data in accordance with the Directive genuinely satisfies an objective of general interest (to contribute to the fight against serious crime and, ultimately, to public security).

However, the Court concluded that the interference with those rights resulting from the Directive failed the test of proportionality, according to which the acts of EU institutions must not exceed the limits of what is appropriate and necessary in order to achieve their legitimate objectives. And here the ECJ identified three main issues affecting the Data Retention Directive.

First, the Court noted that the Directive covers “...all persons and all means of electronic communication as well as all traffic data without any differentiation, limitation or exception...” and applies “even to persons for whom there is no evidence capable of suggesting that their conduct might have a link, even an indirect or remote one, with serious crime” (paragraphs 57/58). In addition the Directive does not require, also, “...any relationship between the data whose retention is provided for and a threat to public security” (paragraph 59).

Secondly, the Data Retention Directive “fails to lay down any objective criterion by which to determine the limits of the access of the competent national authorities to the data and their subsequent use” or by which “the number of persons authorised to access and subsequently use the data retained is limited to what is strictly necessary in the light of the objective pursued” (paragraphs 60/61). Above all, “the access by the competent national authorities to the data retained is not made dependent on a prior review carried out by a court or by an independent administrative body” (paragraph 61).

Thirdly, Article 6 of the Directive sets a data retention period ranging from a minimum of 6 months to a maximum of 24 months but does not state that determination of the specific retention period must be based on objective criteria to ensure it is limited to what is strictly necessary.

The Court concluded that the Directive:

(i) does not lay down clear and precise rules governing the extent of the interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter;
(ii) does not provide for sufficient safeguards to ensure effective protection of the data retained against the risk of abuse and against unlawful access and use of that data;
(iii) and does not ensure the irreversible destruction of the data at the end of the data retention period.

In light of these considerations, the ECJ ruled that the Data Retention Directive exceeds the limits imposed by compliance with the principle of proportionality in the light of Articles 7, 8 and 52(1) of the Charter and is, therefore, invalid.

Regarding the effects of this ruling, although a judgment given under Article 267 of the Treaty declaring an act of an EU institution to be void is directly addressed only to the national courts that requested the preliminary ruling, “it is sufficient reason for any other national court to regard that act as void for the purposes of a judgment which it has to give”³.

As such, this finding that the Data Retention Directive is invalid should be respected by other national courts. In addition, and in light of the principle of uniform application of EU law, national courts must also give due consideration to this ruling by the ECJ when applying the national legislative instruments that implemented the Directive (in the case of Portugal, Law no. 32/2008, of 17 July).

This article was written by lawyer Gonçalo Machado Borges.

_______________________