Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources and Others and Kärntner Landesregierung and Others.

• Jurisdiction: European Union
• Celex Number: 62012CJ0293
• ECLI: ECLI:EU:C:2014:238
• Docket Number: C‑293/12,C‑594/12
• Court: Court of Justice (European Union)
• Procedure Type: Reference for a preliminary ruling
• Date: 08 April 2014

JUDGMENT OF THE COURT (Grand Chamber)

8 April 2014 (*1 )

‛Electronic communications — Directive 2006/24/EC — Publicly available electronic communications services or public communications networks services — Retention of data generated or processed in connection with the provision of such services — Validity — Articles 7, 8 and 11 of the Charter of Fundamental Rights of the European Union’

In Joined Cases C‑293/12 and C‑594/12,

REQUESTS for a preliminary ruling under Article 267 TFEU from the High Court (Ireland) and the Verfassungsgerichtshof (Austria), made by decisions of 27 January and 28 November 2012, respectively, received at the Court on 11 June and 19 December 2012, in the proceedings

Digital Rights Ireland Ltd (C‑293/12)

v

Minister for Communications, Marine and Natural Resources,

Minister for Justice, Equality and Law Reform,

Commissioner of the Garda Síochána,

Ireland,

The Attorney General,

intervener:

Irish Human Rights Commission,

and

Kärntner Landesregierung (C‑594/12),

Michael Seitlinger,

Christof Tschohl and others,

THE COURT (Grand Chamber),

composed of V. Skouris, President, K. Lenaerts, Vice-President, A. Tizzano, R. Silva de Lapuerta, T. von Danwitz (Rapporteur), E. Juhász, A. Borg Barthet, C.G. Fernlund and J.L. da Cruz Vilaça, Presidents of Chambers, A. Rosas, G. Arestis, J.-C. Bonichot, A. Arabadjiev, C. Toader and C. Vajda, Judges,

Advocate General: P. Cruz Villalón,

Registrar: K. Malacek, Administrator,

having regard to the written procedure and further to the hearing on 9 July 2013,

after considering the observations submitted on behalf of:

— Digital Rights Ireland Ltd, by F. Callanan, Senior Counsel, and F. Crehan, Barrister-at-Law, instructed by S. McGarr, Solicitor,

— Mr Seitlinger, by G. Otto, Rechtsanwalt,

— Mr Tschohl and Others, by E. Scheucher, Rechtsanwalt,

— the Irish Human Rights Commission, by P. Dillon Malone, Barrister-at-Law, instructed by S. Lucey, Solicitor,

— Ireland, by E. Creedon and D. McGuinness, acting as Agents, assisted by E. Regan, Senior Counsel, and D. Fennelly, Barrister-at-Law,

— the Austrian Government, by G. Hesse and G. Kunnert, acting as Agents,

— the Spanish Government, by N. Díaz Abad, acting as Agent,

— the French Government, by G. de Bergues and D. Colas and by B. Beaupère-Manokha, acting as Agents,

— the Italian Government, by G. Palmieri, acting as Agent, assisted by A. De Stefano, avvocato dello Stato,

— the Polish Government, by B. Majczyna and M. Szpunar, acting as Agents,

— the Portuguese Government, by L. Inez Fernandes and C. Vieira Guerra, acting as Agents,

— the United Kingdom Government, by L. Christie, acting as Agent, assisted by S. Lee, Barrister,

— the European Parliament, by U. Rösslein and A. Caiola and by K. Zejdová, acting as Agents,

— the Council of the European Union, by J. Monteiro and E. Sitbon and by I. Šulce, acting as Agents,

— the European Commission, by D. Maidani, B. Martenczuk and M. Wilderspin, acting as Agents,

after hearing the Opinion of the Advocate General at the sitting on 12 December 2013,

gives the following

Judgment

1 These requests for a preliminary ruling concern the validity of Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC (OJ 2006 L 105, p. 54).

2 The request made by the High Court (Case C‑293/12) concerns proceedings between (i) Digital Rights Ireland Ltd. (‘Digital Rights’) and (ii) the Minister for Communications, Marine and Natural Resources, the Minister for Justice, Equality and Law Reform, the Commissioner of the Garda Síochána, Ireland and the Attorney General, regarding the legality of national legislative and administrative measures concerning the retention of data relating to electronic communications.

3 The request made by the Verfassungsgerichtshof (Constitutional Court) (Case C‑594/12) concerns constitutional actions brought before that court by the Kärntner Landesregierung (Government of the Province of Carinthia) and by Mr Seitlinger, Mr Tschohl and 11 128 other applicants regarding the compatibility with the Federal Constitutional Law (Bundes-Verfassungsgesetz) of the law transposing Directive 2006/24 into Austrian national law.

Legal context

Directive 95/46/EC

4 The object of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31), according to Article 1(1) thereof, is to protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with regard to the processing of personal data.

5 As regards the security of processing such data, Article 17(1) of that directive provides: ‘Member States shall provide that the controller must implement appropriate technical and organi[s]ational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.’

Directive 2002/58/EC

6 The aim of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), as amended by Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 (OJ 2009 L 337, p. 11, ‘Directive 2002/58), according to Article 1(1) thereof, is to harmonise the provisions of the Member States required to ensure an equivalent level of protection of fundamental rights and freedoms, and in particular the right to privacy and to confidentiality, with respect to the processing of personal data in the electronic communication sector and to ensure the free movement of such data and of electronic communication equipment and services in the European Union. According to Article 1(2), the provisions of that directive particularise and complement Directive 95/46 for the purposes mentioned in Article 1(1).

7 As regards the security of data processing, Article 4 of Directive 2002/58 provides: ‘1. The provider of a publicly available electronic communications service must take appropriate technical and organisational measures to safeguard security of its services, if necessary in conjunction with the provider of the public communications network with respect to network security. Having regard to the state of the art and the cost of their implementation, these measures shall ensure a level of security appropriate to the risk presented. 1a. Without prejudice to Directive 95/46/EC, the measures referred to in paragraph 1 shall at least: — ensure that personal data can be accessed only by authorised personnel for legally authorised purposes, — protect personal data stored or transmitted against accidental or unlawful destruction, accidental loss or alteration, and unauthorised or unlawful storage, processing, access or disclosure, and, — ensure the implementation of a security policy with respect to the processing of personal data, Relevant national authorities shall be able to audit the measures taken by providers of publicly available electronic communication services and to issue recommendations about best practices concerning the level of security which those measures should achieve. 2. In case of a particular risk of a breach of the security of the network, the provider of a publicly available electronic communications service must inform the subscribers concerning such risk and, where the risk lies outside the scope of the measures to be taken by the service provider, of any possible remedies, including an indication of the likely costs involved.’

8 As regards the confidentiality of the communications and of the traffic data, Article 5(1) and (3) of that directive provide: ‘1. Member States shall ensure the confidentiality of communications and the related traffic data by means of a public communications network and publicly available electronic communications services, through national legislation. In particular, they shall prohibit listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than users, without the consent of the users concerned, except when legally authorised to do so in accordance with Article 15(1). This paragraph shall not prevent technical storage which is necessary for the conveyance of a communication without prejudice to the principle of confidentiality. … 3. Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent...