On 8 April, the Court of Justice of the European Union (CJEU) delivered its judgment in the Data Retention case. The latter concerned two preliminary references, from the High Court of Ireland and the Austrian Constitutional Court, regarding the validity of Directive 2006/24/EC on the retention, by telecom operators and Internet Service Providers (ISPs), of certain categories of electronic communications data. The preliminary references questioned such validity in light of a number of provisions of the EU Charter of Fundamental Rights (EUChFR) and the Treaty on the Functioning of the European Union, as well as concerned interesting questions on the interrelationship between EUChFR, European Court of Human Rights case law and secondary EU data protection legislation. The CJEU, however, focused on the validity of the Directive in light of Articles 7 and 8 EUChFR (the rights to private life and the protection of personal data, respectively). Before addressing the main points of the judgment, the modalities of data retention under the Directive need to be summarised.
The Directive de facto obliged Member States (MS) to enact measures, under which telecom operators and ISPs were to retain certain categories of electronic communications data for a period of minimum six and at most twenty-four months. Such data was to be made accessible to the competent (inter alia, law enforcement) national authorities for the purpose of investigation, detection and prosecution of ‘serious crime’, as defined in MS laws. The data retained was that which was necessary to identify the initiator and addressee, date and time, duration and type of the communication, as well as the type of equipment used and its location. Thus, it was predominantly traffic data, such as initiator and addressee’s telephone numbers, IP addresses, log-in and log-off time, that was retained, with no communications content being involved. While regulating the categories of data subject to retention, specifying minimum and maximum retention periods, and further providing security and confidentiality safeguards that such retention had to comply with, the Directive left the regulation of limitations and safeguards on access to and use of the data entirely to the MS.
The CJEU accepted the appropriateness of retaining traffic and location data for the purpose of fighting serious crime. In contrast to its approach in the first data retention judgment, the Court placed a much greater emphasis on this ‘material’ objective of the Directive, as opposed to its formal goal - harmonisation of retention obligations on economic operators, necessary to reduce obstacles to the functioning of the internal market. In the Court’s view, however, the interference with privacy and data protection rights under the Directive was not limited to what was strictly necessary to achieve its material goal. This approach partially contrasted with that of the Advocate General, who opined that the absence of safeguards regarding access to and use of data by competent authorities made the ‘quality of law’ insufficient within the meaning of the European Convention on Human Rights, and thus Article 52(1) EUChFR. On the other hand, the Court, implying that absence of such safeguards might result in wide-scale and potentially arbitrary access and use, considered that it breaches the necessity requirement. Equally, under the necessity prong, the Court ruled unacceptable very wide scope of the Directive, involving electronic communications data of ‘practically the entire European population’, without any distinction being made either among the categories of data retained (according to its usefulness for crime fighting) or of the persons concerned (inter alia, based on a prior suspicion of them being linked to serious crime). In contrast to the Advocate General’s suggestion that the maximum retention period be reduced to one year, the Court emphasised that the Directive neither provided any objective criterion for MS to determine such period, nor adjusted the latter based on the particular categories of the data or persons concerned. The judgment went on to point out that the basic system of security and confidentiality measures, provided under the Directive, was insufficiently adapted to the reality of the retention regime – wide-scale, involving data of a sensitive nature and subject to risks of unlawful access. Finally, the Court emphasised that the Directive did not require telecom providers or ISPs to retain data within the EU territory, thus weakening supervision and control of the retention regime by national Data Protection Authorities.
This is a landmark judgment, clearly affirming that the indiscriminate retention of electronic communications data in the EU, with safeguards on (law enforcement) access to and use of such data being left entirely at the discretion of MS, is unacceptable. Implications as to possible limitations of scope could be drawn for other wide-scale EU surveillance measures, such as the proposed Passenger Name Records Directive – which, although regulating law enforcement use of the data, obliges air carriers to share with competent authorities the data of all passengers on the flights entering or leaving the EU territory. No less valuable is the CJEU guideline on organising data retention within the EU territory, which would limit the possibilities of third-country law enforcement or intelligence agencies gaining access to such data. In an age where plentiful possibilities exist to track and trace our digital steps, it is all the more reassuring to see the Court taking a strong and clear stance against indiscriminate surveillance.