Yesterday, the Grand Chamber of the Court of Justice of the European Union (CJEU) gave a compelling judgment in two joined cases: Case C-293/12 Digital Rights Ireland; Case C-594/12 Seitlinger.

The Court has held that the Data Retention Directive 2006/24/EC is invalid, because it is incompatible with various provisions of the EU Charter – primarily Articles 7 and 8, i.e. the right to respect for private life (which is analogous to Article 8 of the European Convention on Human Rights) and the right to protection of personal data. The Court’s conclusion is consistent with many of the views expressed by the Advocate General in December 2013, which I covered in an earlier post.

The Directive imposes an obligation on economic operators to collect and retain, for a specified time, data generated or processed in connection with electronic communications effected by citizens throughout the territory of the EU. The obligation to collect and retain (“OCR”) in the Directive is based on two objectives: (i) to ensure that the data is available for investigating and prosecuting serious criminal activity and (ii) to ensure the proper functioning of the internal market.

A summary of the Court’s key findings in relation to Articles 7 and 8 is as follows:

  • The Directive engages both Articles 7 and 8 (§29).
  • The OCR and the access of the competent national authorities to the data constitute interferences with Article 7 (§35) and Article 8 (§36).
  • The interference with both the Article 7 and Article 8 rights is “wide-ranging” and “particularly serious” (§37).
  • The Directive does not, however, “adversely affect the essence of” either Articles 7 or 8 because (1) in relation to Article 7, the Directive “does not permit the acquisition of knowledge of the content of the electronic communications as such” (§39) and (2) in relation to Article 8, “certain principles of data protection and data security must be respected by providers of publicly available electronic communications services or of public communications networks.” (§40).
  • The retention of data for the purpose of allowing the competent national authorities to have possible access to data “genuinely satisfies an objective of general interest” (§44), i.e. the fight against serious crime.
  • It is therefore necessary to consider the proportionality of the interference with these rights (pursuant to Article 52(1), EU Charter) and, in particular, consideration is needed of whether it is an interference that is strictly necessary (§§45; 52).
  • The interference by the Directive with the rights protected by Articles 7 and 8 is not strictly necessary because: (1) the Directive “covers, in a generalised manner, all persons and all means of electronic communication as well as all traffic data without any differentiation, limitation or exception being made in the objective of fighting against serious crime” (§57); (2) the Directive “fails to lay down any objective criterion by which to determine the limits of the access of competent national authorities to the data and their subsequent use” (§60); and (3) the data retention period (6 months to 2 years) is not based on an objective criterion either (§64).
  • The Directive therefore fails to provide sufficient safeguards because it does not contain specific rules adapted to the quantity of data, its sensitivity and the risk of unlawful access to it (§66) and because it does not require the data to be retained within the European Union (§68).
  • For these reasons, the Directive is invalid pursuant to Articles 7, 8 and 52(1) of the EU Charter (§71).

The judgment in these cases is significant for at least the following reasons:

  • It means that the EU law-making institutions have to go back to the drawing board on data retention and any future reforms will need (if they are to survive any further legal challenges) to be drafted bearing in mind the Court’s observations on the deficiencies of the Directive.
  • The judgment and the invalidation of the Directive have important ramifications within each Member State: an EU directive is “binding, as to the result to be achieved, upon each Member State to which it is addressed, but shall leave to the national authorities the choice of form and methods.” (Article 249, EC Treaty). Pursuant to that obligation, Member States will have implemented the Directive into national law (e.g. the UK has implemented the Directive by way of the Data Retention (EC Directive) Regulations 2009/859). In light of yesterday’s judgment, Member States will now need to re-evaluate their implementation of the Directive. They are likely to face the risk of legal challenges being brought if they do not.
  • It adds fuel to the ongoing debate, post-Snowden, about the lawfulness of mass surveillance by law enforcement/intelligence agencies.