European Union: Opinion Of Advocate General On Incompatibility Of Data Retention Directive With Charter Of Fundamental Rights

On 12 December 2013, Advocate General Villalón (the "AG") delivered an interesting opinion (the "Opinion") in cases C-293/12 Digital Rights Ireland and C-594/12 Seitlinger and Others. Both cases concern Directive 2006/24/EC on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC (the "Data Retention Directive"). The AG is of the opinion that the Data Retention Directive is incompatible with the Charter of Fundamental Rights (the "Charter").

The Data Retention Directive creates an obligation on telecommunications operators to collect and retain, for a specified time, a considerable amount of telecommunications data generated or processed by the citizens throughout the territory of the European Union. The purpose of this obligation under the Data Retention Directive is to ensure that these telecommunications data remain available for the purpose of the investigation, detection and prosecution of serious crimes.

The Opinion was delivered in the context of two separate requests for a preliminary ruling referred to the Court of Justice of the European Union ("ECJ") by the High Court of Ireland and the Verfassungsgerichtshof (the High Court of Austria).

The questions referred to the ECJ can be summarised as follows:

• Are data retention obligations compatible with Article 7 (respect for private and family life) and Article 8 (protection of personal data) of the Charter?
• If data retention obligations are seen as limitations to Articles 7 and 8 of the Charter, do they comply with Article 52 (1) of the Charter which provides, among others, that any limitation on the exercise of the rights and freedoms recognised by the Charter have to be proportionate within the meaning of Article 5 (4) of the Treaty on European Union?

Regarding the first issue, the AG found that the Data Retention Directive is incompatible with Articles 7 and 8 of the Charter as data retention "may make it possible to create a both faithful and exhaustive map of a large portion of a person's conduct strictly forming part of his private life, or even a complete and accurate picture of his private identity." On top of that, there is, according to the AG, an increased risk that "the retained data might be used for unlawful purposes which are potentially detrimental to privacy or, more broadly, fraudulent or even malicious" as the data are not retained by the public authorities (or even by bodies under their control), but by private organisations.

The AG also criticised the European Union legislator for not having provided clear principles in order to govern access to the data collected. The AG recalled that Article 52 (1) of the Charter provides that any limitation on the exercise of the rights and freedoms recognised in the Charter has to be stipulated by law. As such, the European legislator cannot, "when adopting an act imposing obligations which constitute serious interference with the fundamental rights of citizens of the Union, entirely leave to the Member States the task of defining the guarantees capable of justifying that interference." The AG added that the European legislator has to "fully assume its share of responsibility by defining at the very least the principles which must govern the definition, establishment, application and review of observance of those guarantees."

In particular, the AG argued that the European legislator should have provided clear indications regarding the categories of criminal activities for which authorities can access the data collected and retained. In addition, the European legislator should have limited the parties that can access the retained data, either exclusively to judicial authorities, or at least to independent authorities. Alternatively, the European legislator should have made any request for access subject to review by the judicial authorities or independent authorities and it should have required a case-by-case examination of requests for access.

Regarding the second issue, the AG considered that despite the fact that the Data Retention Directive pursues a legitimate objective (i.e., ensuring that data remain available for the purpose of the investigation, detection and prosecution of serious crimes), it is incompatible with the principle of proportionality. In particular, the AG found that the requirement for Member States to ensure that the data are retained for a period not exceeding two years is excessive. The AG did not see "any sufficient justification for not limiting the data retention period [...] to less than one year." Therefore, the AG is of the opinion that the Data Retention Directive does not comply with Article 52 (1) of the Charter which provides that any limitation to the right to privacy has to be proportionate.

On this basis, the AG thus concluded that the Data Retention Directive is, as a whole, incompatible with the Charter. However, he proposed that the effects of this finding of invalidity should be suspended in order to enable the EU legislator to adopt, within a reasonable period, the measures necessary to remedy the invalidity.

The Opinion of the AG is not binding on the ECJ which is expected to hand down its judgment by the Summer of 2014.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.