You are not logged in. LOG IN NOW >

EU Court Rejects Data Retention Law, But Data Retention Won't End Overnight

BY Jessica McKenzie | Wednesday, April 9 2014

The European Court of Justice in Luxembourg struck down a data retention law Tuesday that required telecoms to keep customers' communications data for up to two years, declaring it violated privacy rights. However, experts warn that the ruling will have no automatic effect on relevant laws in member states, which could lead to “messy consequences.”

The Data Retention Directive was adopted in 2006 as an antiterrorism initiative after the bombings in London and Madrid. It permitted the storage of user identity, and at the time, data and frequency of communications.

"By requiring the retention of those data and by allowing the competent national authorities to access those data, the directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data," the Luxembourg court ruled.

Although the judges acknowledged the necessity for some data retention to fight criminal or terrorism activity, they wrote that the requirements in the 2006 directive were disproportionate to needs.

Or, as Binoy Kampmark writes for Index on Censorship: “The judgment provides a relentless battering of a directive that should never left the drafter’s desk.”

Innocenzo Genna, an Italian lawyer and expert on European ICT policy, explains the effect (if any) the ruling will have on current law:

Interestingly, the question is what will happen with the current national legislation which have been enacted as transposition of the invalid directive.

Although one could think that also these laws would become invalid, this is not an automatic effect from the annulment judgment. Neither the EC Treaties nor the precedent of the European court give clear guidance to this purpose. According to art. 249 of the Treaty: “A directive shall be binding, as to the result to be achieved, upon each Member State to which it is addressed, but shall leave to the national authorities the choice of form and methods”.

The Electronic Frontier Foundation applauds the ruling as a victory for human rights activists, especially those in Ireland and Austria who fought for this particular victory, and elaborates on what this means on the ground:

While the decision comprehensively rejects the current directive, some states may put up a fight to keep their laws, while others could take this opportunity to become champions of their citizens' privacy. The Finnish Minister of Communications, Krista Kiuru, has already declared a full review of Finnish law in the light of the decision, saying that "if [Finland] wants to be a model country in privacy issues, Finnish legislation has to respect fundamental rights and the rule of law." The German and Romanian data retention laws have already been declared unlawful by their national constitutional courts. Governments advocating retention, like the UK, may argue that they can still maintain their existing data retention laws, or there may even be an attempt to introduce a whole new data retention directive that would attempt to comply with the ECJ's decision.

Personal Democracy Media is grateful to the Omidyar Network and the UN Foundation for their generous support of techPresident's WeGov section.

For a round-up of our weekly stories, subscribe to the WeGov mailing list.