(see the national developments here)
Today the European Court of Justice has declared invalid the European data retention directive (Directive 2006/24/EC), i.e. the entire set of rules obliging in Europe ISPs and telcos to retain data and information about citizens using electronic communications networks.
The Court has recognised that retention of personal data for purpose of investigations is per se compatible with the European framework, although it may potentially interfere with basic fundamental rights such as privacy. However, the Court also found that the set of obligation laid down by current directive is disproportionate and contrary to some fundamental rights protected by the Charter of Fundamental Rights, in particular to the principle of privacy, because “the wide ranging and particularly serious interference of the directive with the fundamental rights at issue is not sufficiently circumscribed to ensure that that interference is actually limited to what is strictly necessary” (NB: since the entry into force of the Lisbon Treaty in December 2009, the Charter of Fundamental Rights has the same value as the EU treaties, thereby forming part of the EU primary law). In particular, the Court challenges the following:
- the directive covers, in a generalised manner, all individuals, all means of electronic communication and all traffic data without any differentiation, limitation or exception being made in the light of the objective of fighting against serious crime;
- the directive fails to circumscribe, from both procedural and substantial point of view, the notion of “serious crime” and opens risks to potential abuses in the Member States;
- also the data retention period (from 6 to 24 months) is too generic and should be adapted to the specific objectives (crimes to be fought) to be pursued.
Interestingly, the question is what will happen with the current national legislations which have been enacted as transposiiton of the invalid directive.
Although one could think that also these legislations have become invalid, this is not an automatic effect from the annulment judgment. My comments hereinbelow.
- The effects of invalidity ruling of a EC directive over the implementing national provisions
Neither the EC Treaties nor the precedent of the European court give clear guidance to this purpose.
According to art. 249 of the Treaty: “A directive shall be binding, as to the result to be achieved, upon each Member State to which it is addressed, but shall leave to the national authorities the choice of form and methods”.
This means that, in case of the annulment of a directive, it is up to the Member State to evaluate how to proceed. For the time being, we can see 2 main scenarios:
- in case of national provisions transposing EC rules declared void because they conflict with other prevailing EC rules (preeminence of privacy, for instance, as in the present case), the Member State has very little discretion. The national provisions must be abrogated quickly: if not, apart from a potential risk of infringement procedure by the European Commission, national courts and administrations shall dis-apply them immediately from now. In other words, following a well-established jurisprudence, such national provision remain formally in force but without effects vis-à-vis individuals;
- to the opposite, if a directive is annulled because of a procedural reason, or if some of their provisions are not incompatible with the EU ruling, then Member States could make the necessary adjustments and maintain the national legislation in force. It will be a case-by-case evaluation, which may be complicated in practical circumstances. Fact is, some valid provisions can make sense only with other provisions which, however, have been maybe declared incompatible with EU law.
- The consequences for Member States
Thus, in the present data retention case, Member States seem to have the alternative between:
1. abrogating the entire national data retention legislation; or:
2. modify that legislation in order to meet the “proportionality concern” of the European Court.
If a Member State does not act quickly, it will be potentially subject to an infringement procedure by the European Commission. This will be quite paradoxical, because the Commission imposed fines on Member States for not complying with the directive. Some countries refused to implement the directive because of internal constitutional reasons (Germany, Romania, Czech, and in part also Cyprus and Bulgaria). For the European Commission is an embarrassing situation.
- The consequences for the operators
In the meanwhile, if an operator claims that the national data retention cannot applied against it, it has an interesting case to defend. As stated above, the national data retention provisions have not been abrogated by the European Court, however they have become ineffective as far as they do not pass the “proportionality test” indicated in the judgement. In my opinion, most of the national data retention legislation enacted in Europe after the 2006 directive do not pass that test. As a consequence, these data retention obligations are still in force but not effective anymore. What will happen in practice? While the central government will wait time before taking a decision, at local level law enforcement and public prosecution services might still order the retention of data under the cybercrime convention regulation and defend their point until a court declare that such provisions are not applicable any longer. As a result, if ISPs refuse to enforce the (ineffective but non abrogated) data retention local legislation they might be fined and required to challenge in court the punishment.
On the other side, the same operators are in a messy situation, because individuals could argue that the retention of their personals data on the operators’ servers is now illegal. One should remind that until the 2006 data retention directive came into force, retaining data was a voluntary or administrative practice aimed at some limited scopes like billing. However, with the annulment of the data retention directive such practice may be seen as an infringement of European privacy rules, that would amount to a criminal liability in some countries. In order to avoid such risks, operators could better decide to delete all the traffic data currently recorded on their servers.
- Next steps (UPDATE 11 APRIL 2014)
On Friday 11, 2014 a meeting between Commission, privacy authority and stakeholders took place in Brussels in order to discuss the consequences of the judgement. In the reality, the meeting had been scheduled since time in order to monitor the implementation of the data retention directive, however following the judicial annulment of the same the agenda was adapted accordingly. As far as I know, the European Commission informally declared the following:
1. the national legislations are still valid despite the annulment judgement. MY COMMENT: this is debatable, because most of the national legislation have implemented the annulled directive without changes and modifications; a legal mess is now emerging because individuals may challenge the retention of data by ISP and use of that by public authorities;
2. The European Commission will not adopt guidelines in relation to the consequence of the annulment. MY COMMENT: this is disappointing. The Commission created a problem (and costs for the ISPs) and now they do not see the reason for intervening to limit damages.
Most probably, it will up to the national data protection authorities to intervene in order to provide some certainty, if possible.
In the meanwhile, some Swedish operators have announced that they will stop the data retention activity following the annulment of the directive,
Commissioner Malstrom, competent for Hoime affairs, has declared the following: “The judgment of the Court brings clarity and confirms the critical conclusions in terms of proportionality of the Commission’s evaluation report of 2011 on the implementation of the data retention directive. The European Commission will now carefully asses the verdict and its impacts. The Commission will take its work forward in light of progress made in relation to the revision of the e-Privacy directive and taking into account the negotiations on the data protection framework“.
Also the President of the European Parliament, Schulz, intervened with a statement urging the Commission for a new proposal: “Today’s judgment must be carefully examined and the Commission will have to make a proposal which strikes the right balance between the legitimate interests at stake. Any new proposal must respect in every detail the guarantees laid down in the Charter of Fundamental Rights. It should in particular enshrine a high level of data protection – which is all the more essential in the digital age – thus avoiding disproportionate interferences with the private lives of citizens. It is only by upholding the highest standards at home on such issues that we can project our common values to the outside world.”
EDPS, the European Data Protection Authority, stressed that new directive should this time be complying with privacy rules:
“The EDPS welcomes the ruling of the Court of Justice of the EU in Digital Rights Ireland and Seitlinger and Others (Joined cases C-293/12, C-594/12) on the invalidity of the Data Retention Directive (Directive 2006/24/EC). It follows the input given by the EDPS in these proceedings.
We consider this a landmark judgment that limits the blanket government surveillance of communications data (telephone, texts, email, internet connections etc.) permitted under the Directive. It highlights the value placed on the protection of fundamental rights at the core of EU policy in this critical area.
We are particularly satisfied that the Court has underlined that the Data Retention Directive constitutes a serious and unjustified interference with the fundamental right to privacy enshrined in Article 7 of the EU Charter of Fundamental Rights. When an act imposes obligations which constitute such interference, the EU legislature should provide for the necessary guarantees rather than leaving this responsibility to the member states.
We are pleased that the Court has ruled that the retention of communications data should have been duly specified and the EU legislator should also have ensured that such data can only be used in very specific contexts.
The retention of communications data for the purposes of the combat of crime should always be precisely defined and clearly limited. The EU cannot leave the full responsibility for the use of the data with the member states.
Among other things, the concept of serious crimes should have been more precisely described in the Directive and at the very least, basic principles governing access to and the use of the retained data should have been set out.
We anticipate that the Commission, taking into account the Court’s judgment, will now reflect on the need for a new Directive, which will also prevent member states from keeping or imposing the same legal obligations nationally as laid out in the now invalid Data Retention Directive.
The judgment also means that the EU should take a firm position in discussions with third countries, particularly the U.S.A. on the access and use of communications data of EU residents“.