The Data Retention Directive has always been controversial. Born as it was after the tragedies of the 2004 Madrid and 2005 London bombings, it has faced considerable criticism concerning its scope and lengthy debate over whether it is a measured response to the perceived threat. It is therefore no surprise that over the years a number of constitutional courts in EU Member States have struck down the implementing legislation in their local law as unconstitutional (e.g. Romania and Germany). But now the ECJ, having considered references from Irish and Austrian courts, has ruled that the Directive is invalid since it is disproportionate in scope and incompatible with the rights to privacy and data protection under the EU Charter of Fundamental Rights.
What did the ECJ object to?
The ECJ's analysis focused on the extent of the Directive's interference with the fundamental rights under Article 7 (right to privacy) and Article 8 (right to data protection) of the Charter. Any limitation of fundamental rights must be provided for by law, be proportionate, necessary and genuinely meet objectives of general interest. The ECJ considered that the Directive's interference was 'wide-ranging and…particularly serious'. Yet the ECJ conceded that the interference did not extend to obtaining knowledge of the content of communications and that its material objective - the fight against serious crime - was an objective of general interest. Consequently the key issue was whether the measures under the Directive were proportionate and necessary to fulfil the objective.
For the ECJ, the requirements under the Directive do not fulfil the 'strictly necessary' test. In particular, the ECJ emphasised the ubiquitous nature of the retention – all data, all means, all subscribers and registered users. The requirements affect individuals indiscriminately without exception. Furthermore, there are no objective criteria determining the limits on national authorities' access to and use of the data. All in all the interference is not limited to what is strictly necessary and consequently the interference is disproportionate.
Of particular importance, given the ongoing EU-US debate about Safe Harbor and US authorities' access to EU data, is that the ECJ was also worried that the Directive did not require the retained data to be held within the EU. This suggests that the ECJ expects global companies to devise locally based EU data retention systems regardless of the cost or inconvenience.
What are the implications of the ECJ judgment?
This is a hugely significant decision coming as it does after the revelations prompted by Edward Snowden about the access by western law enforcement agencies to masses of data concerning individuals’ use of electronic resources. Although the Advocate General in his opinion last year suggested that an invalidity ruling on the Directive be suspended to allow the EU time to amend the legislation, the ECJ has not adopted this approach. Therefore, to all intents and purposes, the Directive is no longer EU law.
This ECJ judgment effectively overrules any implementing legislation such as the UK’s Data Retention Regulations. This does not mean that UK ISPs and Telcos won’t continue to collect and retain communications data for billing and other legitimate business purposes as permitted under the UK's DPA and PEC Regs. But they no longer have to do so in compliance with the UK Data Retention Regulations. Indeed there could be a risk that continuing to hold data in compliance with the retention periods under the Regulations is actually a breach of the data protection principle not to retain personal data for longer than is necessary.
What does this mean for Telcos/ISPs?
It has been reported that the UK Government has already responded to the ECJ decision by saying that it is imperative that companies continue to retain data. Clearly the UK and other EU Governments would become very nervous if companies suddenly started deleting copious amounts of data due to the impact this could have on intelligence gathering to deal with detecting and preventing serious crime. And in any event, in spite of what has happened at the ECJ, Telcos and ISPs are still required to comply with law enforcement disclosure requests concerning the communications data they retain.
Significantly, the ECJ did not rule that this kind of data collection and retention is never warranted. One of the ECJ's main criticisms was that the Directive did not include clear and precise rules governing the scope and application of measures and did not include minimum safeguards. This suggests that the Directive could be redrafted (and relaunched) in a form that includes these rules and safeguards when requiring companies to retain communications data. Of course, this is likely to take some time. In the meantime UK companies could consider reverting to the retention periods set out in the voluntary code introduced under the Anti-terrorism, Crime and Security Act 2001.