ECJ's Invalidation of EU Data Retention Directive Creates Confusion Over Telecommunications Service Providers’ Data Retention Obligations
Total Page:16
File Type:pdf, Size:1020Kb
Reproduced with permission from Privacy Law Watch, (May 13, 2014). Copyright 2014 by The Bureau of National Affairs, Inc. (800-372-1033) http://www.bna.com May 13, 2014 ECJ's Invalidation of EU Data Retention Directive Creates Confusion Over Telecommunications Service Providers’ Data Retention Obligations By Claire François EU Data Retention The opinion of the European Court of Justice invalidating the EU Data Retention Directive (2006/24/EC) immediately raises questions for telecommunications service providers of whether and how they should continue collecting and retaining data, the author writes. On April 8 the Court of Justice of the European Union (the ECJ) ruled that the EU Data Retention Directive (2006/24/EC) (the Data Retention Directive)1 is invalid2(68 PRA, 4/9/14). Not surprisingly, the ECJ followed the December 2013 opinion of Advocate General Pedro Cruz Villalón (the Opinion),3 who found the Data Retention Directive incompatible with the Charter of Fundamental Rights of the European Union (the EU Charter)4. However, contrary to what the Advocate General recommended, the effect of the ECJ's finding applies with immediate and even retroactive effect. For telecommunications service providers, this raises the important question of whether and how they should continue collecting and retaining data. This article discusses the judgment of the ECJ and the context in which it was delivered, and considers its potential implications for telecommunications service providers. Background By way of brief background, the Data Retention Directive requires EU Member States to ensure that providers of publicly available electronic communications services or public communications networks (telecommunications service providers) collect and retain traffic and location data specified in the Data Retention Directive for the purpose of investigating, detecting and prosecuting serious crimes as defined by national law.5 The data must be retained for a minimum of six months and a maximum of two years.6 The validity of the Data Retention Directive has been much debated7 until the High Court of Ireland and Austria's Constitutional Court referred questions about the Directive to the ECJ for a preliminary ruling. The Advocate General delivered his Opinion in December 2013, considering that the collection and retention, in large databases, of traffic and location data constitute a serious interference with the right to privacy contained in the EU Charter. In light of this serious interference, the Advocate General found that the Data Retention Directive should have defined a series of guarantees, at least in the form of principles, to regulate access to the data and their use, instead of assigning the task of defining and establishing those guarantees to the EU Member States. In the absence of such guarantees in the Data Retention Directive, the Advocate General took the view that the Directive does not comply with the requirement, laid down by the EU Charter, that any limitation on the exercise of a fundamental right must be provided for by law. The Advocate General also found that the Data Retention Directive is incompatible with the principle of proportionality, as laid down in the EU Charter, in that it requires EU Member States to ensure that the data are retained for a maximum period of two years, instead of limiting the retention period to less than one year. The Advocate General concluded that the Data Retention Directive is invalid, but recommended suspending the temporal effects of that finding until the EU legislature adopts, within a reasonable time period, the measures necessary to remedy the invalidity. Judgment of the ECJ In its judgment, the ECJ agreed with the Advocate General that the obligations imposed on telecommunications service providers to retain traffic and location data and the access of the competent national authorities to such data constitute a “wide-ranging and particularly serious interference” with the rights to privacy and the protection of personal data guaranteed by the EU Charter. In particular, the ECJ noted that the data retained by telecommunications service providers make it possible to know the identity of the person with whom a subscriber or registered user has communicated and by what means, the time of the communication, the place from which that communication took place, as well as the frequency of communications of the subscriber or registered user with certain persons during a given period. According to the ECJ, this may allow very precise conclusions to be drawn concerning the individuals' private lives, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them. The ECJ recognized that the Data Retention Directive serves a legitimate objective of general interest (i.e. the fight against serious crime and, ultimately, the maintenance of public security). However, the ECJ found that the interference with the rights to privacy and the protection of personal data are not proportionate and, thus, that the Data Retention Directive is unlawful for the following reasons: • It applies to all individuals, means of electronic communications and traffic data without differentiation, limitation or exception. • It does not contain substantive and procedural conditions relating to access of the competent national authorities to the data retained and to their subsequent use, and, in particular, it does not subject such access to a prior judicial/independent review. • It requires that data be retained for a minimum of six months without any distinction being made between the categories of data, their usefulness or the individuals concerned. • It does not provide for sufficient safeguards to protect data against potential abuse and unlawful access and use of that data, and does not ensure irreversible destruction of the data upon expiry of the retention period. In this respect, the ECJ did not go as far as the Advocate General by suggesting that this retention period should expire in less than one year. However, like the Advocate General, the ECJ noted that the Data Retention Directive does not require the data to be retained within the EU. In light of the foregoing, the ECJ declared the Data Retention Directive invalid. This declaration of invalidity took effect from the date on which the Directive entered into force, as if it never existed. Impact on Telecommunications Service Providers’ Data Retention Obligations The ECJ's judgment raises the important question for telecommunications service providers subject to national laws implementing the Data Retention Directive as to whether they should still collect and retain data in accordance with these laws. While some telecommunications service providers immediately asked for clarification from their national governments,8 others took a more radical position, like the Swedish Internet service provider Bahnhof AB, which ordered its technicians to stop retaining traffic data and to erase existing data.9 In anticipation of these questions, the European Commission published Frequently Asked Questions (FAQ)10 on the same day as the ECJ judgment was issued, explaining that national implementing laws need to be amended, but “only with regard to aspects that become contrary to EU law after a judgment” by the ECJ. Further, the European Commission stated that “a finding of invalidity of the Directive does not cancel the ability for Member States under the e- Privacy Directive (2002/58/EC) to oblige retention of data.” In short, it is up to EU Member States to assess whether their legislation is compliant, and, unless such legislation is successfully challenged in national courts, data retention obligations will remain in force. EU Member States have responded in different ways (80 PRA, 4/25/14). The Swedish Post and Telecom Authority announced that it will not enforce the existing Swedish data retention law. Luxembourg's Minister of Justice, Félix Braz, confirmed that telecommunications service providers must continue to retain data, pending review of the national law. Similarly, the Dutch Radio communications Agency indicated that it will keep enforcing the law while the Dutch government reviews the ECJ judgment. The U.K. Home Office took a similar view: A spokesperson said that Home Office officials “are considering the judgment and its implications carefully. The retention of communications data is absolutely fundamental to ensure law enforcement have the powers they need to investigate crime, protect the public and ensure national security. In Belgium, the spokesman of the Minister of Telecommunications went further, stating: “Even in the absence of the Data Retention Directive, [the government] can develop a data retention law.” Indeed, as the European Commission stated in its FAQ, the finding of invalidity of the Data Retention Directive does not cancel the ability of EU Member States under the e-Privacy Directive (2002/58/EC)11 to require telecommunications service providers to retain data. In Germany, where the Constitutional Court found the law transposing the Data Retention Directive to be unconstitutional, the Federal Commissioner for Data Protection expressly suggested waiting to see how the EU legislator will respond to the ECJ judgment. It is expected that the European Commission will adopt a new directive in an effort to prevent EU Member States from keeping or imposing legal obligations