Search This Blog

Friday, April 11, 2014

Farewell Data Retention

Never did I imagine that the Snowden revelations and recent snooping scandals triggered by democratic governments would have such an impact on the judicial thinking within the European Court of Justice.

Earlier this month, in the joined cases Digital Rights Ireland and Seitlinger and Others (C-293/12 and C-594/12) the European Court of Justice, the highest court in the European Union declared the Data Retention Directive (Directive 2006/24/EC) to be invalid, finally deciding on a piece of legislation that has been causing controversy for at least ten years.

The main scope behind the Data Retention Directive was to provide a basis for the harmonisation within EU Member States of laws regarding the retention of data collected and processed by companies providing publicly available electronic communications services and public communications networks. Typical examples of such providers are mobile telephony operators and internet service providers. This Directive, as transposed into Maltese law by virtue of Legal Notice 98 of 2008, required these service providers to retain certain categories of data and make such data accessible to law enforcement agencies for the purpose of the prevention, investigation, detection and prosecution of serious crimes.

Under the provisions of Legal Notice 98 of 2008, telecom operators are obliged to store communications relating to internet access and internet email for six months whilst communications data relating to fixed and mobile telephony, including location and subscriber information for one year. Through this legal notice, law enforcement agencies cannot obtain details regarding the actual contents of the communications in question.

The data protection landscape at the turn of the century was very much different than the one we live in today. It has been claimed several times that one of the reasons why the 9/11 terrorist attack was successful was the inability by security agencies to gather and process information. European Data Protection Commissioners had immediately in 2003 showed their disapproval to any legislative effort aimed at introducing powers to law enforcement agencies to electronic communications data. Following the London and Madrid bombings however, public opinion had changed and Directive 2006/24/EC made it through.

In some countries, the question as to the legality of the Data Retention Directive was put to the test. In 2009, the Romanian Constitutional Court declared the Directive as violating constitutional rights but following the initiation of a case by the European Commission against Romania for non-implementing the Directive, the Romanian parliament passed a new law (nicknamed ‘Big Brother’) in June 2012.   Only Germany remained defiant. In March 2010, the German Constitutional Court declared the law unconstitutional.

Following requests by the High Court of Ireland and the Constitutional Court in Austria, the European Court of Justice was tasked to examine whether the Data Retention Directive was an overkill, particularly whether the provisions contained therein went against fundamental rights found under the EU Charter of Fundamental Rights including the right to private life and the right to the protection of personal data.

The decision of the ECJ was clear. The Court rules that this Directive “entails a wide-ranging and particularly serious interference with the fundamental rights to respect private life and to the protection of personal data, without that interference being limited to what is strictly necessary.”

The ECJ further added that “by adopting the Data Retention Directive, the EU legislature has exceeded the limits imposed by compliance with the principle of proportionality” and held that the Directive is not sufficiently circumscribed to ensure that any interference to our fundamental rights to privacy are limited to what is strictly necessary. The Court referred to the fact that the definition of “serious crime”, as contained in the Directive, has not been harmonized across its Member States leaving the national substantive and procedural provisions regarding access to data by the authorities uneven across the European Union. The Court also made reference to the fact that the present Directive fails to provide for sufficient safeguards so that risk of abuse of the data processed is removed.

One has also to note that since the ECJ did not limit the temporal effect of the judgement, the declaration of invalidity should take effect on the date on which the Directive entered into force and not just from the date of the ECJ judgement. This essentially means that any action taken and personal data collected pursuant to the provisions of the Directive can be challenged in Court. This also means that the provisions contained in our own Legal Notice 98 of 2008, as well as any information obtained under such Legal Notice, can be directly challenged in front of the Maltese courts which will be obliged to respect the binding nature of the decision of the ECJ.


Any data protection law strives to create a balance between the fundamental rights and freedoms of individuals and the rights of the State to process such personal data regarding its subjects. Such balance is in constant flux however. Whilst in 2008 there was consensus that additional powers had to be given to law enforcement authorities in their effort to combat serious crime, following the Snowden saga, such balance is again shifting and the latest ECJ’s pronunciation is clear evidence of that. It will be interesting to see how the local legislative and judicial landscapes will react to the ever changing balance of proportionality when personal data is processed.

Related stories: 


No comments:

Post a Comment