The European Court of Human Rights decided on June 22, 2017 that France’s DNA database for convicted criminals disproportionately interferes with individuals’ privacy rights because of its one-size-fits-all retention period and the failure to include a procedure to request erasure.
In discussing its conclusion, the European Court of Human Rights noted that France applied a single retention period of 40 years for DNA data, regardless of the type of criminal offence involved. According to the court, a one-size-fits-all retention period does not satisfy the proportionality test imposed by the European Convention on Human Rights. (This is consistent with the European Court of Justice’s holding in Digital Rights Ireland, which reached the same conclusion under the proportionality test of the European Charter of Fundamental Rights.) Second, France did not provide for a procedure allowing a convicted individual whose DNA data are included in the database to ask for erasure before expiration of the single retention period. The lack of any such procedure deprives the individual of his or her rights to request erasure when circumstances so warrant – a form of right to be forgotten. These two defects make the French law incompatible with article 8 of the European Convention on Human Rights, which requires that any interference with privacy be limited to what is strictly necessary in a democratic society to achieve the public interest objective – in this case, the objective of public security.
The apparent contradiction between the wide powers granted to French intelligence agencies and the strict rules imposed by the CJEU in relation to government surveillance is not new. As evidenced in the CJEU’s Tele2 Sverige case, European governments do not always implement the principles that flow from European case law on fundamental rights, particularly where national security is at stake. This can create a double standard: The practices of third countries, such as the United States, are judged against the standard of European case law on fundamental rights, whereas some European member states do not themselves respect these standards. Understanding how governments in Europe balance national security and privacy in their own countries will help when reviewing the adequacy of the US-EU Privacy Shield.