On April 8th the Court of Justice of the European Union declared the Data Retention Directive (DRD) invalid. This is a significant decision that will have ramifications both in Brussels and across the EU.
The DRD required telecommunications service and network providers (but not over the top providers like social networks) to retain certain categories of data for a specific period of time and to make them available to law enforcement where needed.
Whilst recognising that the retention of personal data for the purpose of law enforcement and related matters is compatible with EU law per se, the Court found that the DRD failed to comply with the principle of proportionality, arguing that the “the wide-ranging and particularly serious interference of the directive with the fundamental rights at issue is not sufficiently circumscribed to ensure that that interference is actually limited to what is strictly necessary.”
The Court particularly highlighted that the directive allows for blanket data retention of all individuals and all communications and traffic data without any differentiation, limitation or exception. It further pointed out that the Directive failed to specify objective access criteria and especially flagged up the use “investigation, detection, and prosecution of serious crimes” as an access criterion.
The Court ruling poses some serious challenges for Member States. Some countries implemented the Directive in such a way that local telecommunications providers had to invest heavily both in terms of equipment and compliance costs and may now face challenges from these operators. Other countries (e.g. the UK or Germany) already had a lively debate about data retention (Communication Data Bill in the UK and Vorratsdatenspeicherung in Germany) and the judgment is likely to lead to a shake-up of this debate. In any case, all Member States will have to urgently assess whether changes need to be made to the national law.
The European Commission is currently assessing the verdict and its impacts and “will take its work forward in light of progress made in relation to the revision of the e-Privacy directive and taking into account the negotiations on the data protection framework,” said Cecilia Malmström, Commissioner for Home Affairs.
Following the announcement, the European Data Protection Supervisor (EDPS) and Martin Schulz, the President of the European Parliament, already intervened publicly calling for a new framework to be proposed by the Commission:
“We anticipate that the Commission, taking into account the Court’s judgment, will now reflect on the need for a new Directive, which will also prevent member states from keeping or imposing the same legal obligations nationally as laid out in the now invalid Data Retention Directive “ said the EDPS.
“Today’s judgment must be carefully examined and the Commission will have to make a proposal which strikes the right balance between the legitimate interests at stake” said Schulz.
Data retention has always been an exciting issue but we expect some frantic political and lobbying activity across the EU especially because the Snowden revelations have heightened public awareness of the issue.