Data retention directive declared invalid by European Court of Justice


Friday, October 24, 2014

The decision of the European Court of Justice in the combined cases of Digital Rights Ireland v Minister for Communications, Minister for Justice, Commissioner of the Garda Síochána, Ireland and the Attorney General (C-293/12) and Kärntner Landesregierung, Michael Seitlinger, Christof Tschohl and others (C-594/12) that the Data Retention Directive (2006/24/EC) is invalid will require Member States to reconsider national laws transposing the Directive and may result in the European Commission introducing new legislation to replace the invalidated Directive.

On 8 April 2014, the Grand Chamber of the European Court of Justice (the “ECJ”) ruled that the Data Retention Directive (2006/24/EC) was invalid, as it amounted to a disproportionate interference with the fundamental rights to respect for individual privacy and protection of personal data guaranteed by Articles 7 and 8 of the European Charter of Fundamental Rights (the “European Charter”).

The Data Retention Directive was introduced in an effort to harmonise Member State laws providing for the retention of traffic, location and subscriber data generated or processed by providers of publicly available electronic communications services or networks in providing their service (“CSPs”). The Directive provided for the retention of a wide range of communications data, for a period of between 6 and 24 months, with the retained data to remain available for the purposes of the investigation, detection and prosecution of “serious crime.” The Directive set out an exhaustive list of the kinds of data required to be retained by CSPs, which included: data necessary to trace and identify the source, recipient, date, time, duration and type of a communication; data necessary to identify users’ communication equipment; and cell site data necessary to identify the location of mobile communication equipment. However, the Directive did not include a definition of “serious crime”, leaving it to Member States to determine the threshold for when data could be used. In addition, the Directive did not regulate the conditions for access to the retained data by public authorities and Member State law enforcement authorities.

Both the Directive and national laws implementing the Directive were often subject to criticism, on the grounds that the wholesale retention of communications data, without reasonable cause, constituted a disproportionate interference with the right to privacy.

In its decision, the ECJ agreed with the criticisms levelled at the Directive and held that although it pursued the legitimate aim of investigating and prosecuting serious crime, its provisions constituted a wholly disproportionate restriction on individual rights to privacy and data protection guaranteed by Articles 7 and 8 of the European Charter, with the result that it was contrary to EU law.

Case Details

The ECJ judgment arose out of two preliminary references: one from Ireland (arising from an application for judicial review taken by campaign group Digital Rights Ireland before the Irish High Court) and one from Austria (arising from an action brought before the Austrian Constitutional Court by the State Government of Carinthia and over 11,000 individual applicants), both of which raised a number of questions relating to the compatibility of the Directive with the rights provided by the European Charter.

The ECJ found that the retention of communications data pursuant to Articles 3 and 5 of the Directive directly affected the individual rights to privacy, protection of personal data and freedom of expression contained in Articles 7, 8 and 11 of the European Charter.

The ECJ held that although this interference pursued a legitimate objective, namely, the prevention and detection of serious crime, it did not comply with the principle of proportionality set out in Article 52(1) of the Charter, which provides that any limitation on the exercise of the rights and freedoms laid down by the Charter must:

  • Be provided by law;
  • Respect their essence; and
  • Adhere to the principle of proportionality.

In arriving at this conclusion, the ECJ criticised the following aspects of the Directive:

  • The retention provisions affected virtually all citizens of the EU, without any temporal, geographic or other restrictions based on individuals’ behaviour. The retention of communications data applied to all individuals without exception and did not require evidence indicating a link between the behaviour of an individual and serious crime;
  • The Directive failed to lay down any objective criterion or substantive and procedural conditions governing national authorities’ access to the data or the parameters for subsequent use of the data by those authorities for the purposes of law enforcement and public security;
  • The Directive failed to make access to retained data dependent on a prior review carried out by a court or independent administrative body;
  • The Directive did not provide any indication as to how Member States should apply the wide range of possible retention periods to the retained data;
  • As the Directive did not require the retention of data within the EU, national authorities could not ensure compliance with data security requirements;
  • The Directive did not provide for sufficient safeguards to ensure effective protection against abuse, nor ensure the irreversible destruction of the data on expiry of the retention period.

European Commission Reaction

In a press release published the day that the judgment was issued, the European Commission stated that it would “carefully assess the verdict and its impacts.” However, it is not clear whether the Commission will draft new legislation to replace the invalidated Directive or whether it will form part of the suite of data protection legislative reform proposals emanating from Europe, including the draft General Data Protection Regulation.

In a statement issued on 9 September, the EU’s Article 29 Working Party called on the European Commission to provide, without further delay, clear guidance on the consequences of the Court’s judgment, both at European and at Member State level.

Impact of the Decision across Member States

While Member State national laws transposing the Directive are not directly affected by the ECJ ruling and will remain in force until repealed or amended by national legislators, in the recent statement issued by the Article 29 Working Party, the group reminded Member States that any national data retention laws must comply with the requirements of the E-Privacy Directive (2002/58/EC). Such comments indicate that, in light of the ECJ ruling, Member State national laws are likely to be regarded as incompatible with the EU law principles set down in the E-Privacy Directive and the European Charter. As a result, Member States will have to consider the future of national laws implementing the Data Retention Directive.

From an Irish perspective, the Directive was implemented by the Communications (Retention of Data) Act 2011 (the “CRDA”), the provisions of which are affected by the same fundamental defects criticised in the ECJ judgment, in that it provides for blanket retention periods applicable to all data without distinction on the basis of potential usefulness or the persons concerned and fails to lay down any objective criterion or substantive and procedural conditions limiting authorities’ access to data. However, the Irish legislature has not indicated any intention to repeal or amend the CRDA and appears to be awaiting the outcome of the High Court proceedings, which fall to be determined following the ruling of the ECJ on the Request for Preliminary Reference made by the Court.

By contrast, in July 2014, the UK Parliament adopted a new Data Retention and Investigatory Powers Act 2014, to replace existing Regulations implementing the Data Retention Directive. The Parliament also introduced new Data Retention Regulations 2014, setting out detailed requirements in relation to the practical implementation of the provisions of the 2014 Act. A review of the area of retention of communications data will further be carried out, designed to enable a complete overhaul of the legislative regime by 2016. However, the new regime has been subject to criticism by rights campaigners Liberty and the Open Rights Group, who have announced proposals to mount legal challenges to the legislation.

In addition to legislative changes, the ECJ ruling is likely to have an impact on existing cases pending before national courts, concerning the legality of national laws implementing the Directive:

  • Austria and Ireland: The ruling will have a direct impact on the cases pending before the national courts of Austria and Ireland, as their requests for a preliminary ruling concerning the validity of Directive 2006/24/EC formed the basis of the ECJ ruling;
  • Belgium: On 24 February 2014, the Belgian “Liga voor Mensenrechten” and “Ligue des droits de l’Homme” together filed a complaint before the constitutional court in order to obtain cancellation of the Belgian law implementing the Directive. Since the ECJ ruling, some political parties have requested amendment of the current legislation;
  • Bulgaria: In 2008, the Bulgarian Constitutional Court declared that part of the national law implementing the Directive was incompatible with the right to privacy;
  • France: In 2006, the French Constitutional Court ruled that French law provisions similar to those provided for in the Directive were compatible with the Constitution. Subsequently, in December 2013, the French data protection authority (CNIL) opposed new legislation enabling certain ministries to access data retained by telecommunications operators, internet and hosting service providers, without prior approval from a judge. The CNIL called for a national debate on surveillance issues which could be influenced by the ECJ ruling;
  • Germany: The German Constitutional Court already declared the German legislation implementing the Directive unconstitutional in 2010;
  • Romania: In 2009, the Romanian Constitutional Court declared the national law on data retention unconstitutional as breaching, among others, the right to privacy and the secrecy of correspondence;
  • Slovakia: In 2012, a complaint was filed before the constitutional court in order to assess the conformity of national implementing legislation with the Constitution;
  • Spain: The Directive was implemented into national laws in 2007. The Spanish data protection authority (AEPD) requested the Government to accompany the implementation of these rules with measures curtailing the impact on data subjects’ privacy;
  • Sweden: In May 2013, Sweden was ordered to pay the European Commission 3 million EUR because Sweden had failed in its obligation to implement the Directive in a timely manner.

The number of cases pending and the legislative changes required highlight that the ECJ ruling will continue to have an impact across Member States of the EU for some time to come.


Author

Damien Young

PARTNER

