On April 8, 2014, the highest court in the European Union invalidated an EU law that required telephone and electronic communications providers to retain user data for up to two years.1
The law at issue was Directive 2006/24, which obligated telephone and electronic communications providers to retain data "for the purposes of making them accessible, if necessary, to the competent national authorities."2 The Court noted that the law covered all persons and all means of electronic communications "without any differentiation, limitation or exception being made in the light of the objective of fighting against serious crime."3
The Court found that data retention is justified in the prevention of serious crime, but that the Directive was so broad in scope as to "generate in the persons concerned a feeling that their private lives are the subject of constant surveillance."4
The Court noted that the Directive did not contain substantive or procedural conditions relating to the access of the competent authorities to the data and its subsequent use.5 Access to the retained data was not dependent on prior review by a court or independent administrative body that could limit access and use based on findings as to what was strictly necessary for the state's legitimate objectives.6
Based on these findings, the Court held that the Directive violated Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, which pertain to the "respect for private life and communications" and the "protection of personal data."7
"We are pleased that the court has ruled that the retention of communications data should have been duly specified and the EU legislator should also have ensured that such data can only be used in very specific contexts," the European Data Protection Supervisor, the EU's data protection watchdog, said in a statement. "The retention of communications data for the purposes of the combat of crime should always be precisely defined and clearly limited. The EU cannot leave the full responsibility for the use of the data with the member states."8
The European Commission is assessing the ruling, stating that there needs to be a proper balance between security and fundamental rights.9
The Court's ruling echoes recent decisions in the United States. On December 16, 2013, a federal judge for the District of Columbia issued an injunction prohibiting the U.S. government from collecting telephonic metadata as part of a National Security Agency ("NSA") surveillance program.10 The District Court found that the "almost-Orwellian technology that enables the Government to store and analyze the phone metadata of every telephone user in the United States" almost certainly violates the plaintiffs' reasonable expectation of privacy.11 Other U.S. District Courts have disagreed, ruling the NSA surveillance programs constitutional.12 Should the split endure, the U.S. Supreme Court is likely to step in.
1 - Digital Rights Ireland Ltd. v. Minister for Commc'ns, Marine and Natural Resources, C-293/12 and C-594/12, slip op. at I-26 (EU Grand Chamber April 8, 2014).
2 - Id. at I-18.
3 - Id. at I-23.
4 - Id. at I-20.
5 - Id. at I-24.
6 - Id.
7 - Id.
8 - Adnrew Scurria, EU High Court Voids Data Retention Law Over Privacy Worries, Law 360 (Apr. 8, 2014), available at http://www.law360.com/articles/526024.
9 - Top EU Court Rejects EU-Wide Data Retention Law, BBC News (Apr. 8, 2014), available at http://www.bbc.com/news/world-europe-26935096.
10 - Klayman v. Obama, No. 13-0851, slip op. at 67 (D.D.C. Dec. 16, 2013).
11 - Id. at 49.
12 - See, e.g., A.C.L.U. v. Clapper, No. 13 Civ. 3994 (S.D.N.Y. Dec. 27, 2013).