The Court of Justice of the European Union, the highest court in the EU, declared the EU’s 2006 Data Retention Directive invalid in a judgment issued on April 8, 2014. The directive, which has been implemented via national legislation by most EU member states, requires telecommunications and Internet providers to collect and retain traffic and location data regarding users’ calls and Internet activity for up to two years in order to assist law enforcement in the prevention of “serious crime” (such as organized crime and terrorism). The Court of Justice, however, determined that the directive interferes with European citizens’ fundamental rights to privacy.
A press release featuring a summary of the ruling is available here, while the full text of the Court’s judgment can be found here.
The Court acknowledged that the directive was intended to further an important public objective by aiding in the fight against international terrorism and organized crime. Nevertheless, the Court found that the directive went too far in achieving its objectives, especially since the directive requires the retention of all traffic via numerous means of communication, including fixed and mobile telephony, Internet access, email, and Internet telephony. The Court noted that the data retention authorized by the directive “entails an interference with the fundamental rights of practically the entire European population.”
The Court specified that the directive went beyond what was strictly necessary to achieve its aims in several ways: First, the directive covers all people, all means of electronic communication, and all traffic data without differentiating in any way between people linked to serious crime and everyone else. Second, the directive does not establish sufficient limitations on the access of national authorities to the collected data and on the purposes for which it can be used. Third, a six- to 24-month retention period is specified by the directive without any distinctions made between categories of data collected, and without any requirements that the actual retention period be set based on what is strictly necessary. Fourth, the directive does not include sufficient safeguards against unlawful access to or abuse of the data, nor does it ensure the irreversible destruction of the data beyond the retention period. And fifth, the directive has no requirements that the data must be retained within the EU.
The Court’s judgment is, technically speaking, an interpretation of EU law and does not automatically invalidate specific member state implementations of the directive. However, the ruling does have major ramifications for telecommunications and Internet providers as well as law enforcement authorities in Europe. Although member state laws implementing the directive will generally remain in place until struck down by courts in those countries, current data retention requirements are no longer sustainable and member state governments and the European Commission will move quickly to craft replacement legislation that is less privacy-intrusive and includes more safeguards on use of retained metadata.