The European Court of Justice (ECJ) has ruled[1] that the eight year-old EU Data Retention Directive is invalid. In other words, it never should have been approved.
This represents a major win for privacy in Europe. It is an important ruling, not only within Europe, but also more broadly, as the world debates the motives and limits of data collection and access for law enforcement and national security objectives, in light of the Snowden disclosures. This ruling will serve as a beacon for reinforcing privacy and data protection rights.
Exactly what this ruling means for investigations and prosecutions that have made use of data retained pursuant to national laws implementing the Directive remains to be seen. But, it is clear that Europe needs to rethink its approach to data retention. This ruling also paves the way for other jurisdictions to reflect on their own legislative approaches to data retention, access and use.
Why did the EU Directive fail?
The EU Data Retention Directive failed, principally, because it did not satisfy the principle of proportionality – one of the core values required by Article 52(1) of the Charter of Fundamental Rights of the European Union.
- Too broad: The Directive applies comprehensively to “all persons and all means of electronic communication as well as traffic data without any differentiation, limitation or exception being made in the light of the objective of fighting against serious crime”. Additionally, it provides no exceptions for communications that are subject to obligations of professional secrecy (e.g. between doctors and patients, lawyers and clients).
- No relationship between data and the objective: The Directive does not require any relationship between the data and a threat to public security. In particular, data retention is not restricted in time, by geography, or to persons likely to be involved in a serious crime, or whose data could contribute to the prevention, detection or prosecution of serious offences.
- Insufficient limitations, conditions and safeguards: The Directive:
- fails to prescribe any objective criteria to limit competent national authorities’ access to, and use of, the data;
- does not contain substantive and procedural conditions on competent national authorities’ access to, and use of the data. In particular, the Directive does not expressly provide that the access and the subsequent use of the data in question must be strictly restricted to the purpose of preventing, detecting and prosecuting precisely defined serious offences;
- does not prescribe any objective criteria to limit the number of persons authorised to access and use the data to what is strictly necessary;
- does not make access by competent national authorities dependent on a prior review carried out by a court or an independent administrative body;
- does not provide sufficient safeguards to ensure effective protection of the data against the risk of abuse or any unlawful access and use of the data;
- does not ensure that providers employ a high level of data security;
- does not ensure the irreversible destruction of the data at the end of the data retention period.
- Insufficient guidance on the retention period: The retention period is set between a minimum of 6 months and a maximum of 24 months, but the Directive does not state that the determination of the period of retention must be based on objective criteria to ensure that it is limited to what is strictly necessary. Further, a minimum retention period of 6 months is specified without any distinction between the various categories of data and their possible usefulness.
- Data not required to be retained in Europe: The Directive does not require the data to be retained within the European Union, such that the control required by Article 8(3) of the Charter cannot be fully ensured.
Are Data Retention Laws Dead?
Probably not.
First, the ECJ found that the Directive has an objective of general interest (i.e. public safety), namely, the purpose of allowing competent national authorities to have possible access to the retained data for the prevention, detection and prosecution of serious crime.
Second, while the ECJ found that the Directive constitutes a wide-ranging and serious interference with fundamental rights, the Court did not find that the Directive adversely affects the “essence of those rights” (per Article 52(1) of the Charter) because the Directive “does not permit the acquisition of knowledge of the content of the electronic communications as such”. However, research and experience have demonstrated that metadata alone can be sufficient to reveal tangible information about an individual’s connections[2], their preferences and interests[3], their likely place of residence or work, and even to “identify” a user[4] such that he or she could be singled out and treated differently.
A harder question, and one which the ECJ did not need to answer, is:
What would have satisfied the principle of proportionality?
Proportionality is at the heart of many discussions on data collection, access, use and retention for the purposes of law enforcement and national security, particularly in the context of the revelations of pervasive surveillance. This ruling offers some guidance as to what is not acceptable, but we, as a global community, need to carefully consider what is the appropriate balance.
Please share your views with us.
What should be the balance between privacy and public safety?
[1] A preliminary ruling of the Grand Chamber of the European Court of Justice in joined cases C-293/12 and C-594/12
[2] See, for example, Immersion https://immersion.media.mit.edu/
[3] Browsing history is a commonly used for targeted advertising
[4] See, for example, Why Johnny Can’t Browse in Peace: On the Uniqueness of Web Browsing History Patterns, Authors: Łukasz Olejnik, Claude Castelluccia, Artur Janc, https://www.petsymposium.org/2012/papers/hotpets12-4-johnny.pdf and Unique in the Crowd: The privacy bounds of human mobility, Authors: Yves-Alexandre de Montjoye, César A. Hidalgo, Michel Verleysen and Vincent D. Blondel http://www.nature.com/srep/2013/130325/srep01376/pdf/srep01376.pdf