On 8 April 2014, the European Court of Justice ("ECJ") declared the Data Retention Directive (the "Directive")1, which had been the subject of great debate, invalid. The Directive required telecommunications providers to retain certain categories of traffic and location data in order to allow law enforcement authorities to access this data for the purpose of (severe) crime and terrorism prevention and prosecution.
Eight years after the Directive entered into force, the ECJ has now declared the Directive invalid. It is the ECJ's view that the Directive interferes with the fundamental rights to respect for private life and to the protection of personal data (Articles 7 and 8 of the European Charter of Fundamental Rights of the European Union; the "Charter").2 It is worth noting that in its ruling, the ECJ states that the data retention obligation as provided by the Directive does not per se interfere with the cited fundamental rights and that this obligation principally serves legitimate public interests. However, the ECJ has taken the view that the Directive is disproportionate, as the interference it causes with the said fundamental rights goes beyond the extent absolutely necessary to achieve the objectives pursued by the Directive.
The ECJ states that the Directive affects individuals, communications, and related data in an all-embracing manner without differentiating properly. The ECJ is primarily concerned about the fact that the Directive does not sufficiently define the severity of the crimes to be prosecuted by means of the retained data. The ECJ also highlighted that safeguards sufficient to ensure effective protection of the retained data were missing. In that respect, the ECJ criticized, inter alia, that a prior court order (or an order from an independent administrative body) is not a prerequisite for granting data access to law enforcement authorities. Further, it was the view of the Court that the data retention period in the Directive does not appropriately distinguish between the retained data and the potentially affected individuals in relation to the objectives pursued by the Directive. Finally, but arguably most notably, the ECJ found the Directive to be invalid because it does not require the data to be stored within the EU. In the absence of such an obligation, data protection compliance cannot be safeguarded by an independent authority, as required by the European Charter of Fundamental Rights.