EU Data Retention Requirements Ruled 'Invalid' By EU Court Of Justice
from the no-more-"because-terrorism" dept
Back in December, we reported on a slightly mixed ruling from the EU Court Of Justice's Advocate General regarding the 2006 Data Retention Directive, which obliges European telecom companies to retain metadata about their customers. Although the Advocate found the Directive incompatible with fundamental European rights, he proposed merely suspending it until it was fixed. His opinion was not binding on Europe's highest court, but was generally regarded as indicative of the final verdict.
Today, the EU Court Of Justice (ECJ) handed down its judgment. As expected, it does follow the same general lines as the Advocate's view, but in a surprising and welcome turn of events, it goes far beyond it in the harshness of its condemnation and finality of its ban (pdf)
The Court of Justice declares the Data Retention Directive to be invalid
The ECJ clarified what exactly it meant when it declared the Directive "invalid":
It entails a wide-ranging and particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data, without that interference being limited to what is strictly necessary.Given that the Court has not limited the temporal effect of its judgment, the declaration of invalidity takes effect from the
date on which the directive entered into force.
In other words, it is not just invalid from today's judgment, it was invalid from the moment it came into existence -- a pretty stunning slap down. The Court has no hesitation in declaring that blanket data retention interferes with fundamental rights (the emphasis below is in the original):
The Court takes the view that, by requiring the retention of those data and by allowing the competent national authorities to access those data, the directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data. Furthermore, the fact that data are retained and subsequently used without the subscriber or registered user being informed is likely to generate in the persons concerned a feeling that their private lives are the subject of constant surveillance.
Equally, the Court does recognize that there are valid circumstances for retaining such personal data:
the retention of data for the purpose of their possible transmission to the competent national authorities genuinely satisfies an objective of general interest, namely the fight against serious crime and, ultimately, public security.
The key issue -- one that Techdirt has emphasized many times -- is proportionality, and here the ECJ has no doubts:
the Court is of the opinion that, by adopting the Data Retention Directive, the EU legislature has exceeded the limits imposed by compliance with the principle of proportionality.
The Court goes on to list three specific ways in which the Data Retention Directive fails the test of proportionality. First, it notes that the Directive specifies that all data must be retained, without any kind of "differentiation, limitation or exception being made in the light of the objective of fighting against serious crime." That is, the "collect it all mentality" that has infected security services is inherently disproportionate and thus unacceptable.
The Court then notes that there are no objective criteria that can be used to assess whether the police or other authorities are allowed to access that data: again, pretty much anything goes with the current Directive. In addition:
the directive does not lay down substantive and procedural conditions under which the competent national authorities may have access to the data and subsequently use them. In particular, the access to the data is not made dependent on the prior review by a court or by an independent administrative body.
It's perhaps not surprising to see Europe's highest court insisting that national authorities need to ask a judge for permission to access highly personal data, but it's a hugely important reminder of the need to do so against a background where governments seem to regard such formalities as optional and dispensable.
Finally, the ECJ points out that there are no objective criteria for setting the Directive data retention period as between six and 24 months, and that no distinctions are made based on the kind of data stored, and about whom. It also notes that the Directive does not address the important issues of abuses or unlawful access, that nothing is said about how data should be destroyed at the end of the retention period, and there is no requirement for data to be retained within the EU at all times.
As with the Advocate's opinion, the ECJ's judgment offers implicit guidance on how the major flaws in the Data Retention Directive might be addressed -- with the important difference that the Court has imposed far more stringent conditions that will require those drafting any new Directive to be much more cautious in the requirements they lay down. Even if that's possible, the end result is likely to be a far meeker version of the current Directive.
It's also not yet clear what the status of existing national legislation implementing the Directive is now. These laws were passed by the EU member states in order to comply with the Directive; now that the Directive is invalid, it presumably means that they, too, are invalid. Will they be repealed by governments, or will they continue until challenged in national courts? Those are questions that politicians and lawyers around Europe will doubtless be discussing with some urgency. Here's what the European Commission claims:
National legislation needs to be amended only with regard to aspects that become contrary to EU law after a judgment by the European Court of Justice. Furthermore, a finding of invalidity of the Directive does not cancel the ability for Member States under the e-Privacy Directive (2002/58/EC) to oblige retention of data.
One thing is for certain: the large-scale and disproportionate surveillance activities carried out by the NSA and GCHQ within Europe, which bear many similarities to those authorized under the Data Retention Directive, cannot now be justified by invoking "national security". Today's ruling by the EU Court of Justice means that "because terrorism" is no longer a trump card that can be used in Europe to justify anything and everything.
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: data retention, disproportionate, eu, eu court of justice, privacy
Reader Comments
Subscribe: RSS
View by: Time | Thread
Huh
[ link to this | view in chronology ]
Re: Huh
And who have not communicated with any non-Americans. I'm Canadian. You're welcome. And have you received any spam from China or Nigeria?
And who are not "three hops" from any suspects. Which yields a population larger than some US states who are OK to watch. Per suspect. The terror watch list having over 700,000 suspects.
Neither the 4th Amendment nor any other US law nor this EU Court Of Justice ruling stops the NSA from performing bulk surveillance in the EU.
And since turnabout is fair play, nothing stops EU countries from performing bulk surveillance in the US. (Or kidnapping suspects - including American citizens - off US streets for that matter.) Nor would the US have any credible right to complain.
It would not be cynical to assume that the NSA or CIA is obtaining information on it's own citizens from other countries not bound by American laws on spying on Americans. But only because the cynical would point out that the NSA itself shows no sign of being so bound.
[ link to this | view in chronology ]
Re: Re: Huh
[ link to this | view in chronology ]
Re: Re: Re: Huh
ChurchHatesTucker cracked a silly and valueless joke and Roger Smith chose to ignore him and took the question seriously. I wish there were more Rogers and fewer CHTs out there.
[ link to this | view in chronology ]
Re: Re: Re: Re: Huh
Too many people, like Strong, have no sense of fucking humor. I wish there were more CHTs and no Strongs.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Huh
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Huh
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Huh
[ link to this | view in chronology ]
Re: Re: Huh
[ link to this | view in chronology ]
Does this mean mandatory data retention without respect to a specific criminal investigation could nonetheless be considered legitimate if the law were worded just right?
[ link to this | view in chronology ]
Lather, rinse, repeat.
[ link to this | view in chronology ]
Re:
Prooving proportionality or subsidiarity in the requirements, is a bureaucratic burden and fixing those are time-consuming since it basically has to start the legislative process from scratch as in: DGs writing up a new and improved impact assessment, "open hearing" for people to comment on it, IAB smacking them around a bit to avoid an encore, national input, maybe regional input and definitely lobbyist input before it can reach the commission who can then start the political drafting process.
If this invalidation is as serious as it seems we are years away from new legislation!
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Actually
[ link to this | view in chronology ]
Re: Actually
[ link to this | view in chronology ]
Re:
The CDU party is also thinking loudly about cutting the powers of the Bundesverfassungericht which smacked down several of the laws they cooked up.
[ link to this | view in chronology ]
Re: Re:
Quite hard to square the costs in 3rd parties, invasion of privacy and other negative effects if the benefit is that small.
[ link to this | view in chronology ]
They might be able to think terrorist thoughts without us knowing. We can't let them do it or the terrorists will win. It would be bad if the Terrorists win. You guys can't do this or the Terrorists will win.
In the name of national security, don't let the terrorists win. We need to break more laws than they do to even stand a chance.
[ link to this | view in chronology ]
This is a directive which the countries making up the EU have to implement in their own laws. Those laws have not (yet) been invalidated by this and most likely won't be unless challenged in court.
[ link to this | view in chronology ]
Re:
In some theories, the CFREU applies to any EU law and any domestic law that is implementing EU law. So if the Data Retention Directive breaks the CFREU, any law trying to implement it will also break the CFREU and therefore be illegal. Depending on how that country handles legality of laws.
In the UK things are a bit weird as the Directive was implemented through a "Regulation" - which is a special kind of secondary legislation that the Government has the power to rush through under the original EU-joining Act. But this power can only be used to comply with EU obligations - and if the Directive is invalid, the Government couldn't have used the power to introduce the Regulation - meaning that the Regulation is illegal.
So... over the next few days expect the various national governments and ISPs to come out with their plan for what they're going to do next.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
Amazing how so many English people, fear a loss of sovereignty to the EU which they are equals in, but are oblivious to the control exerted by the US which they have no influence with.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]