It’s a good thing that the European Union is working on a new Data Retention Directive, as the European Court of Justice (ECJ) has ruled on Tuesday that the one issued in 2006 is invalid.
“Digital Rights Ireland, who first launched a lawsuit against the Irish Government against their implementation of the Directive, and AK Vorrat Austria, who organized to reject data retention in Austria, both pursued the issue for many years in the face of concerted opposition from their own governments and officials,” noted EFF’s Danny O’Brien.
The issue was brought before the highest court in the European Union in matters of European Union law after the Ireland’s High Court and the Austrian Constitutional Court asked the ECJ to examine the validity of the directive and whether it clashed with the Charter of Fundamental Rights of the EU.
The 2006 Directive’s main goal was to “harmonise Member States’ provisions concerning the retention of certain data which are generated or processed by providers of publicly available electronic communications services or of public communications networks.”
This includes the retention of metadata – traffic, location, and additional user identification data – but not of the content fo the communication.
The ECJ, which is composed of one judge per member state, ruled that “by requiring the retention of those data and by allowing the competent national authorities to access those data, the directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data.”
“Furthermore, the fact that data are retained and subsequently used without the subscriber or registered user being informed is likely to generate in the persons concerned a feeling that their private lives are the subject of constant surveillance,” the judges added.
While the Court believes that such an interference is justified, but that it must be more limited. The data retention periods are not limited to what is strictly necessary, there are insufficient safeguards to ensure that the data collected will not be abused, the criteria on which is decided that the data can be accessed by competent national authorities are not objective, and the Directive does not require that the data be retained within the EU, which clashes with compliance requirements.
“While the decision comprehensively rejects the current directive, some states may put up a fight to keep their laws, while others could take this opportunity to become champions of their citizens’ privacy,” O’Brien pointed out, adding that while the Finns have moved to review Finnish law in the light of the decision, and the German and Romanian data retention laws have already been declared unlawful by their national constitutional courts, “governments advocating retention, like the UK, may argue that they can still maintain their existing data retention laws, or there may even be an attempt to introduce a whole new data retention directive that would attempt to comply with the ECJ’s decision.”