In a decision issued yesterday, the European Court of Justice - CJEU - declared the Data Retention Directive to be in breach of Fundamental Rights of the European Union - namely: respect for private life (article 7) and protection of personal data (article 8). This decision creates great uncertainty for both government and commercial interests, as the open Rights Group observes. The judgment follows requests from the High Court of Ireland and the Constitutional Court of Austria in 2012.
Adopted on March 15th 2006, the Data Retention Directive required members states to store citizens' telecommunications data for six months to two years for the needs of the police and National security agencies. Building on the 1995 Data Protection Directive and the 2002 Directive on Privacy and Electronic Communications, which the Data Retention Directive was supposed to complement, the Court observes that the Data Retention Directive makes it possible:
(1) to know the identity of the person with whom a subscriber or registered user has communicated and by what means,
(2) to identify the time of the communication as well as the place from which that communication took place and
(3) to know the frequency of the communications of the subscriber or registered user with certain persons during a given period.
Which, according to the Court, are disproportionate provisions with regards to the Directive's objectives - and thus, in contradiction of the EU Proportionality Principle:
Directive 2006/24 covers, in a generalised manner, all persons and all means of electronic communication as well as all traffic data without any differentiation, limitation or exception being made in the light of the objective of fighting against serious crime. [...] Not only is there a general absence of limits [...] but Directive 2006/24 also fails to lay down any objective criterion by which to determine the limits of the access of the competent national authorities to the data and their subsequent use.
This raises important questions, the most pressing of which is: what happens to National regulations adopted pursuant to the directive? Can Telecom and Internet Service Providers still store personal data over six months or is it now definitelly to be considered as illegal, as digital rights defenders have been claiming for years? How about ongoing contracts and subventions from governments in favor of such data retention?
According to Open Rights Group Executive Director Jim Killock :
The companies need to think quickly about liability, retention and government payments; the government may need to legislate. If the government legislates it needs to take the ECJ judgement into account, to avoid having to rewrite the rules again if the EU introduces new data retention legislation. We’ve been given guidance to the limits of surveillance and data retention, including requirements to limit the uses and confine the retention to relevant data. It is essential that the UK takes notice of these requirements.
Whatever the outcomes of this historical decision, it may well mark a turning point for the way European Directives are handled at National scale. The government of Luxembourg is not cancelling the law it built to address the Directive, signalling a preservation of sovereignty. Other governments may choose to decouple implementation of European Directives to avoid future issues of a similar nature.
Meanwhile the mess needs dealing with. It is likely hawkish minds in the British establishment will see this as a chance to re-animate the zombie Snoopers' Charter; we need to stay vigilant, force an informed debate on national surveillance and ensure legislation brought forward in the dying days of the Parliament gets things right. We learned our lesson from the disgraceful introduction of the Digital Economy Act in the cold embers of the last government.
[Prepared jointly with Alexandra Combes of Meshed Insights]