The EU directive imposing data retention obligations on electronic communications services, such as telecoms operators or Internet access providers, is no longer valid, said the European Court of Justice in a landmark ruling.
The directive “entails a wide-ranging and particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data, without that interference being limited to what is strictly necessary,” reads a note of the Court, issued after the ruling yesterday (8 April).
The Luxembourg-based judges made it clear that with this ruling, “the Court declares the directive invalid”.
What’s more, the Court underlined that “the declaration of invalidity takes effect from the date on which the directive entered into force,” and not simply from the moment the judgement was made. The directive was adopted in November 2006.
This opens the way for a period of legal uncertainty, with possible negative consequences for the work of European security agencies, which rely extensively on data collected and stored by electronic communications providers.
The directive obliges telecoms and ISPs to retain traffic, location data and other information for a period between six months and two years. Service subscribers’ names, and other personal data is not recorded. Neither is the content of the communications. However, the identity of interlocutors is retained.
For the Court, this data, although not directly considerable as personal, “taken as a whole, may provide very precise information on the private lives of the persons whose data are retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, activities carried out, social relationships and the social environments frequented.”
A legacy of September 11
The European Union considers privacy a fundamental right of EU citizens, while in other legislation, it has a much lower weight. In the United States, for instance, it is a right mainly related to consumers, rather than citizens.
The directive was conceived in the period following the September 11 terror attacks to the United States. A long debate in Europe about the importance of keeping data to fight terrorism brought no results until the terror attacks in Madrid in 2004, and in London in 2005.
Then, public opinion shifted in favour of higher security, despite the potential implications for privacy.
The directive was proposed in 2005, and adopted the following year, in a very quick legislative process, in contrast to normally lengthy EU procedures.
Since the beginning, though, complaints were harsh. An unlikely coalition of civil rights groups, and big telecoms operators, has since voiced its opposition to the new rules. The latest complaint focused on the high costs of keeping massive amounts of information in databases, while privacy groups emphasized the rights of citizens.
Reasons were different, but they shared the same objective of changing or shelving the directive.
Pressure forced EU Home Affairs commissioner Cecilia Mamström to launch an assessment of the directive in 2011, but the process brought no changes, as law enforcement agencies made it clear that the provisions of the directive were useful in fighting crime.
Now, the Court ruling revolutionises the situation. The Luxembourg judges recognised that the directive served the purpose of guaranteeing public security, but it did so in a disproportionate way.
“The directive covers, in a generalised manner, all individuals, all means of electronic communication and all traffic data without any differentiation, limitation or exception being made in the light of the objective of fighting against serious crime,” the Court says, opening the way for a review of the rules to make them more targeted.
The judges also condemned the fact that the directive allows law enforcement agencies to use personal data without the need of clearly specifying that they can be used “only for the purposes of prevention, detection or criminal prosecutions offences that may be considered to be sufficiently serious to justify such an interference.” In other words, there are no sufficient safeguards against possible abuses.
The Court also laments the fact that the directive does not include provisions to prevent personal data of EU citizens from being used by third countries – a clear reference to the ongoing debate sparked by Edward Snowden’s revelations of the spying activities of the US National Security Agency.
“The Court states that the directive does not require that the data be retained within the EU. Therefore, the directive does not fully ensure the control of compliance with the requirements of protection and security by an independent authority, as is explicitly required by the Charter” of fundamental rights, concludes the Court.
"The judgment of the Court brings clarity and confirms the critical conclusions in terms of proportionality of the Commission's evaluation report of 2011 on the implementation of the data retention directive," said Cecilia Malmström, Commissioner for Home Affairs.
"The European Commission will now carefully asses the verdict and its impacts. The Commission will take its work forward in light of progress made in relation to the revision of the e-Privacy directive and taking into account the negotiations on the data protection framework," added Malmström.
I am "glad that the EU Court of Justice confirmed we need independent data protection authorities to uphold fundamental right to EU data," commented EU Justice commissioner Viviane Reding on Twitter.
The President of the European Parliament Martin Schulz stated: The Court "judgment must be carefully examined and the Commission will have to make a proposal which strikes the right balance between the legitimate interests at stake."
"Any new proposal must respect in every detail the guarantees laid down in the Charter of Fundamental Rights. It should in particular enshrine a high level of data protection - which is all the more essential in the digital age - thus avoiding disproportionate interferences with the private lives of citizens," he said.
The European data protection supervisor (EDPS), Peter Hustinx, welcomed the ruling of the Court. "We consider this a landmark judgment that limits the blanket government surveillance of communications data (telephone, texts, email, internet connections etc.) permitted under the Directive," he said in a note.
"We anticipate that the Commission, taking into account the Court's judgment, will now reflect on the need for a new directive, which will also prevent member states from keeping or imposing the same legal obligations nationally as laid out in the now invalid Data Retention Directive," added Hustinx.
S&D Group president Hannes Swoboda said: "The European Court of Justice has done more for citizens' privacy in a single ruling than the European Council, which has consistently blocked efficient data-protection legislation at European level, has done in years. It is high time for the Council to bring forward good legislation on data protection, as adopted by the European Parliament last month.”
"Surveillance must always be the exception, not the rule. Mass collection of data, be it from governments, service providers or companies, cannot be accepted and police access to citizens' data must be targeted and authorised by a judge," he argued.
ALDE Group President Guy Verhofstadt said: “We Liberals and Democrats believe it to be essential that personal freedoms are safeguarded. The fight against terrorism is clearly very important but should not undermine our fundamental rights. It is vital that these rights are defended. It was clear that this directive did not achieve this balance”.
Jan Philipp Albrecht, justice and home affairs spokesperson for the Greens/EFA group, stated: "The blanket, unjustified collection and retention of telecommunications data in the EU must now stop! The European Court of Justice’s verdict on the incompatibility of the Data Retention Directive with the EU Charter of Fundamental Rights is a major victory for civil rights in Europe".
"The evidence clearly shows that indiscriminate, highly intrusive data collection not only infringes human rights to privacy and data protection but has also totally failed to lead to any noticeable improvement in law enforcement. The Directive is therefore completely disproportionate and has rightly been scrapped by the Court," he added.
“We will be reviewing the ruling in depth and we look forward to further discussions as to what implications this ruling will have. Our companies are committed to protect users’ data and to fulfil all the legal obligations in this field," said Luigi Gambardella, head of ETNO, the association of the main telecoms operators in Europe.
"ETNO members have been very active in this debate since the beginning and raised the shortcomings of a generalized data retention obligation, even before the adoption of the Directive. Such a broad obligation needs to be proportionate and strictly necessary in a democratic society for the protection of legitimate aims. Furthermore, the lack of harmonized rules on access to and use of the retained data has raised special concerns also for industry, which has been confronted by divergent rules in different Member States,” he added.
"After eight years, this affront to the fundamental rights of European citizens has finally been declared illegal. Eight years of abuses of personal data and eight years of reassurances from EU Member States and the Commission that the measure was legal," said Joe McNamee, Executive Director of European Digital Data Rights, an association which gathers European civil rights groups.
Data retention refers to the storage of traffic and location data resulting from electronic communications.
The main legislative instrument at EU level governing this field is the Data Retention Directive, which was adopted in November 2006 after long debates on its scope. These resulted in a text which gave room for different applications at national level and which did not guarantee a sufficient level of harmonisation.
Data protection and privacy in electronic communications are also governed by the E-privacy Directive, which dates back to 2002, although it has been slightly revised in 2009.