The Data Retention Directive requires public electronic communications providers to retain certain communications data (essentially traffic data) to help in the fight against serious crime. It applies to telcos and ISPs and came into force in 2006 after a number of terrorist attacks in mainland Europe added impetus to efforts to harmonise EU member state laws. However, in a ruling published yesterday, the ECJ has concluded that the Directive “interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data” and declared it invalid.
How has this come about?
This is not the first time that the Directive has come under scrutiny. The European Commission looked at the Directive in 2011 and had a number of criticisms (particularly as to the balance between the privacy of individuals and security).
In this latest development, the ECJ was asked to consider whether the Directive complied with the EU Charter of Fundamental Rights which sets out individuals’ rights to a private life and the protection of personal data. The request came from the Irish and Austrian national courts which have before them a number of actions disputing the validity of corresponding national measures (as the Directive was implemented in EU member states through national laws).
What were the Court’s concerns?
The ECJ is of the view that, whilst the content of communications is not retained, the data that is retained could reveal potentially precise information about individuals’ private lives, and that the use of their data (when they have not been informed of that use) is “likely to generate in the persons concerned a feeling that their private lives are subject to constant surveillance”.
Therefore, the ECJ concluded that, although data retention is appropriate in the fight against serious crime, the Directive is disproportionate. The ECJ was particularly concerned at:
- The generality of the Directive – it covers all individuals and electronic communications without exception
- The lack of objective criteria for, and procedures regulating, access to and use of the data
- The minimum data retention period of 6 months not taking into account the type of data or its usefulness
- Data retention being permitted for up to 2 years when there are no objective criteria to determine what data retention period is necessary in the circumstances
- The insufficient safeguards against possible abuse, and unlawful access or use, of data
- The absence of a requirement to keep the data in the EU so that compliance with the rules can be ensured.
So what does this mean?
Well, in view of the continuing Snowden revelations and increased focus on protecting personal information, we can be sure that this will add fuel to the fire of the on-going surveillance v privacy debate. It would also seem to suggest that surveillance for security purposes will have to move in the direction of more targeted action and stringent controls to be acceptable. So we expect big changes in the practical steps telcos and ISPs are required to take to retain communications data and make it available to law enforcement agencies.
However, in the short term, the ruling is likely to have little practical effect. The ECJ has suspended the effect of the ruling until measures to remedy the invalidity are adopted, which, as the new Data Protection Regulation shows, could take some time! So, things are likely to continue as they are for now. In the meantime, the British Government and European Commission have both already said that they are assessing the impact of the ruling. Telcos and ISPs hang fire for now.