European Union: ECJ Declares Data Retention Directive Invalid

On 8 April 2014, the Court of Justice of the European Union ("ECJ") handed down a judgment on two references for a preliminary ruling from the High Court of Ireland (Case C-594/12) and the Constitutional Court of Austria (Case C-293/12) declaring Directive 2006/24/EC on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks (the "Data Retention Directive") to be invalid. The ECJ held that the Data Retention Directive interfered in a unjustified manner with the fundamental rights to respect for private life and protection of personal data (Articles 7 and 8 of the EU Charter of Fundamental Rights).

The Data Retention Directive sought to harmonise Member States' provisions concerning the retention of specific data (traffic and location data as well as related data necessary to identify the subscriber or user, but not the content of the communication or of information consulted) which are generated or processed by providers of publicly available electronic communications services or of public communications networks, in order to make them available for the purpose of the prevention, investigation, detection and prosecution of serious crime. The Data Retention Directive was implemented in Belgium on 30 July 2013 (see, VBB on Belgian Business Law, Volume 2013, No. 7, p.6-7; and Volume 2013, No. 8, p.11, available at www.vbb.com).

In its judgment, the ECJ first examined the interference with the rights to respect for private life and to the protection of personal data. The ECJ concluded that the Data Retention Directive interferes in a serious manner with these fundamental rights by requiring the retention of the data and by allowing the competent national authorities to access those data. Furthermore, the ECJ considered that the retention and use of the data without informing the subscriber or registered user can give the individuals concerned the feeling that their private lives are the subject of constant surveillance.

The ECJ then examined whether such an interference with the fundamental rights at issue could be justified. On this aspect, the ECJ decided that the retention of data required by the Data Retention Directive is not such as to affect adversely the essence of the fundamental rights in question and that the possible transmission of the data to the competent national authorities genuinely satisfies an objective of general interest, i.e., the fight against serious crime and, ultimately, public security.

However, the ECJ added that by adopting the Data Retention Directive, the EU legislature exceeded the limits imposed by the principle of proportionality. In particular, the ECJ noted that, in view of the important role played by the protection of personal data in the light of the fundamental right to respect for private life and the extent and seriousness of the interference with that right caused by the Data Retention Directive, the EU legislature's discretion is limited.

Therefore, the ECJ held that, although the Data Retention Directive may be considered to be appropriate for attaining the objective pursued by it, the interference is not sufficiently detailed to ensure that it was actually limited to what is strictly necessary.

In particular, the ECJ considered that the Data Retention Directive does not define adequately: (i) the individuals, the means of electronic communication and the data concerned (in particular the Data Retention Directive does not make any differentiation, limitation or exception in the light of the objective of fighting against serious crimes); (ii) the objective criteria for determining the serious crimes which may justify an interference and the criteria as regards the conditions under which the competent national authorities may have access to the data and subsequently use them; and (iii) the objective criteria on the basis of which the data retention period must be determined.

Finally, the ECJ found that the Data Retention Directive does not provide for sufficient safeguards against abuse and unlawful access and use of the data (in particular, the Data Retention Directive does not require that the data be retained within the EU).

Importantly, the judgment delivered by the ECJ does not automatically affect the existence and validity of national legislation that has been adopted implementing the (now) invalid Data Retention Directive. Nevertheless, Belgian courts could take into account the ECJ judgment when applying the relevant rules under Belgian law. Hence, electronic communication service and network providers are likely to face a period of uncertainty about their ongoing obligations.

The European Commission has already stated that it will carefully assess the judgment and its impact. The European Commission is likely to propose amendments to the Data Retention Directive to bring it in line with the ECJ judgment.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.