The EU directive imposing data retention obligations on electronic communications services, such as telecoms operators or Internet access providers, is no longer valid, said the European Court of Justice in a landmark ruling.
The directive “entails a wide-ranging and particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data, without that interference being limited to what is strictly necessary,” reads a note of the Court, issued after the ruling yesterday (8 April).
The Luxembourg-based judges made it clear that with this ruling, “the Court declares the directive invalid”.
What’s more, the Court underlined that “the declaration of invalidity takes effect from the date on which the directive entered into force,” and not simply from the moment the judgement was made. The directive was adopted in November 2006.
This opens the way for a period of legal uncertainty, with possible negative consequences for the work of European security agencies, which rely extensively on data collected and stored by electronic communications providers.
The directive obliges telecoms and ISPs to retain traffic, location data and other information for a period between six months and two years. Service subscribers’ names, and other personal data is not recorded. Neither is the content of the communications. However, the identity of interlocutors is retained.
For the Court, this data, although not directly considerable as personal, “taken as a whole, may provide very precise information on the private lives of the persons whose data are retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, activities carried out, social relationships and the social environments frequented.”
A legacy of September 11
The European Union considers privacy a fundamental right of EU citizens, while in other legislation, it has a much lower weight. In the United States, for instance, it is a right mainly related to consumers, rather than citizens.
The directive was conceived in the period following the September 11 terror attacks to the United States. A long debate in Europe about the importance of keeping data to fight terrorism brought no results until the terror attacks in Madrid in 2004, and in London in 2005.
Then, public opinion shifted in favour of higher security, despite the potential implications for privacy.
The directive was proposed in 2005, and adopted the following year, in a very quick legislative process, in contrast to normally lengthy EU procedures.
Since the beginning, though, complaints were harsh. An unlikely coalition of civil rights groups, and big telecoms operators, has since voiced its opposition to the new rules. The latest complaint focused on the high costs of keeping massive amounts of information in databases, while privacy groups emphasized the rights of citizens.
Reasons were different, but they shared the same objective of changing or shelving the directive.
Pressure forced EU Home Affairs commissioner Cecilia Mamström to launch an assessment of the directive in 2011, but the process brought no changes, as law enforcement agencies made it clear that the provisions of the directive were useful in fighting crime.
Now, the Court ruling revolutionises the situation. The Luxembourg judges recognised that the directive served the purpose of guaranteeing public security, but it did so in a disproportionate way.
“The directive covers, in a generalised manner, all individuals, all means of electronic communication and all traffic data without any differentiation, limitation or exception being made in the light of the objective of fighting against serious crime,” the Court says, opening the way for a review of the rules to make them more targeted.
The judges also condemned the fact that the directive allows law enforcement agencies to use personal data without the need of clearly specifying that they can be used “only for the purposes of prevention, detection or criminal prosecutions offences that may be considered to be sufficiently serious to justify such an interference.” In other words, there are no sufficient safeguards against possible abuses.
The Court also laments the fact that the directive does not include provisions to prevent personal data of EU citizens from being used by third countries – a clear reference to the ongoing debate sparked by Edward Snowden’s revelations of the spying activities of the US National Security Agency.
“The Court states that the directive does not require that the data be retained within the EU. Therefore, the directive does not fully ensure the control of compliance with the requirements of protection and security by an independent authority, as is explicitly required by the Charter” of fundamental rights, concludes the Court.