The Court of Justice ("CoJ") of the European Union ("EU") has declared the Data Retention Directive 2006/24/EC ("Directive") to be invalid (the "Decision"). We provide for a summary of the Decision and discuss its possible consequences, including reactions to the judgment in Germany, the United Kingdom, France, Italy, Spain, the Netherlands and Belgium.
(Press release of the Court of Justice available under http://curia.europa.eu/jcms/upload/docs/application/pdf/2014-04/cp140054en.pdf)
Full text of the Decision available under http://curia.europa.eu/juris/documents.jsf?num=C-293/12.)
The Decision and its consequences
The Data Retention Directive basically provides that certain traffic and location data as well as related data necessary to identify a subscriber or user must be retained by providers of publicly available electronic communications services or of public communications networks for a period of at least six months and for no longer than two years from the date of the communication. The CoJ regarded this as a particularly serious interference with the fundamental rights to respect for private life and the protection of personal data, since the retained data procure precise information about the private lives of the persons whose data are retained. This interference is not as such unlawful. The CoJ acknowledged that the retention of data for the purpose of allowing the competent national authorities to have possible access to those data, genuinely satisfies an objective of general interest, namely the defense against serious crime and international terrorism. But how the Data Retention Directive was adopted exceeds by far the limits set by the principle of proportionality, for the following reasons:
The Directive fails to set out objective criteria defining when the retained data may be accessed by authorities. It is not sufficiently ensured that an offence must be serious enough to justify the interference, and access to the data is not made dependent on prior review by a court or an independent administrative body. The data retention period is imposed without making a distinction between the categories of the data on the basis of the persons concerned, or the usefulness of the data for the purposes of the objective pursued. Sufficient safeguards, designed to protect the data against the risk of abuse and against any unlawful access and use, are missing. The Directive does not require that the data are to be retained within the EU. Therefore, security controls by an independent authority, carried out on the basis of EU law, cannot be ensured. Referencing this requirement is seen by some as a reaction to the NSA scandal...