April 8, 2014
CJEU declares Data Retention Directive invalid
Court rules Directive to be a serious and disproportionate interference with fundamental rights
The Court of Justice of the European Union has today declared the Data Retention Directive to be invalid. In the joined cases of C-293/12 and C-594/12 Digital Rights Ireland and Seitlinger and Others the Irish and Austrian courts asked the court to examine the validity of Directive 2006/24/EC (“the Data Retention Directive”).
The court observed that the Directive requires the retention of data which make it possible to:
(1) identify the individual with whom a subscriber or registered user has communicated and by what means;
(2) identify the time and place of the communication, and;
(3) know the frequency of communications between the subscriber or registered user with certain persons during a given period.
Taken together these data may provide very precise information about an individual’s daily habits and relationships. Requiring the retention of this data and allowing national authorities to access it “interferes in a particularly serious manner” with the fundamental rights to respect for private life and protection of personal data.
The court accepted that public security and the fight against crime were legitimate aims, and that the retention of data is not such as to adversely affect the essence of the fundamental rights in play. However, the wide-ranging and particularly serious nature of the interference with fundamental rights was not sufficiently circumscribed by the Directive to ensure that it is limited to what is strictly necessary. In short, the Directive is a disproportionate measure without adequate provisions to ensure that only the necessary data is retained and accessed.
The court in particular noticed the absence of:
(1) differentiation or limitation criteria as to the individuals and means of communication to be covered by the Directive;
(2) objective criteria as to when the national authorities can access the data, and to ensure that they only use the data for the purposes of crime prevention, detection and prosecution;
(3) firm criteria in relation to the period for which the data should be retained;
(4) sufficient safeguards to ensure against the risk of abuse and unlawful access to the data;
(5) safeguards that ensure the irreversible destruction of the data at the end of the retention period; and
(6) a requirement that the data be retained within the EU – an essential component of the protection of individuals’ personal data.
The press release of the CJEU can be found here, with the full judgment to follow on the court’s website shortly.
EU Commissioner for Home Affairs Statement on the Judgment.
Irish Times – European court declares data retention directive invalid