Never did I imagine that the Snowden revelations and recent snooping
scandals triggered by democratic governments would have such an impact on the
judicial thinking within the European Court of Justice.
Earlier this month, in the joined cases Digital Rights Ireland and Seitlinger and Others (C-293/12 and
C-594/12), the European Court of Justice, the highest court in the European
Union, declared the Data Retention Directive (Directive 2006/24/EC) to be
invalid, finally deciding on a piece of legislation that has been causing
controversy for at least ten years.
The main aim of the Data Retention Directive was to
provide a basis for the harmonisation within EU Member States of laws regarding
the retention of data collected and processed by companies providing publicly
available electronic communications services and public communications
networks. Typical examples of such providers are mobile telephony operators and
internet service providers. This Directive, as transposed into Maltese law by
virtue of Legal Notice 98 of 2008, required these service providers to retain certain
categories of data and make such data accessible to law enforcement agencies
for the purpose of the prevention, investigation, detection and prosecution of
serious crimes.
Under the provisions of Legal Notice 98 of 2008, telecom
operators are obliged to store communications relating to internet access and
internet email for six months, and communications data relating to fixed and
mobile telephony, including location and subscriber information, for one year. This
legal notice does not allow law enforcement agencies to obtain details regarding the
actual contents of the communications in question.
The data protection landscape at the turn of the century was
very different from the one we live in today. It has been claimed several
times that one of the reasons why the 9/11 terrorist attack was successful was
the inability of security agencies to gather and process information. European
Data Protection Commissioners had, in 2003, immediately shown their disapproval
of any legislative effort aimed at giving law enforcement
agencies powers to access electronic communications data. Following the London and Madrid
bombings, however, public opinion had changed and Directive 2006/24/EC made it
through.
In some countries, the question as to the legality of the
Data Retention Directive was put to the test. In 2009, the Romanian
Constitutional Court declared the Directive as violating constitutional rights,
but following the initiation of a case by the European Commission against Romania
for not implementing the Directive, the Romanian parliament passed a new law
(nicknamed ‘Big Brother’) in June 2012. Only Germany remained defiant. In March 2010,
the German Constitutional Court declared the law unconstitutional.
Following requests by the High Court of Ireland and the
Constitutional Court in Austria, the European Court of Justice was tasked with
examining whether the Data Retention Directive was overkill, particularly
whether the provisions contained therein went against fundamental rights found
under the EU Charter of Fundamental Rights including the right to private life
and the right to the protection of personal data.
The decision of the ECJ was clear. The Court ruled that this
Directive “entails a wide-ranging and particularly serious interference with
the fundamental rights to respect private life and to the protection of
personal data, without that interference being limited to what is strictly
necessary.”
The ECJ further added that “by adopting the Data Retention
Directive, the EU legislature has exceeded the limits imposed by compliance
with the principle of proportionality” and held that the Directive is not sufficiently
circumscribed to ensure that any interference with our fundamental right to
privacy is limited to what is strictly necessary. The Court referred to the
fact that the definition of “serious crime”, as contained in the Directive, has
not been harmonized across its Member States, leaving the national substantive
and procedural provisions regarding access to data by the authorities uneven
across the European Union. The Court also made reference to the fact that the
present Directive fails to provide sufficient safeguards to remove the risk of
abuse of the data processed.
One should also note that since the ECJ did not limit the
temporal effect of the judgement, the declaration of invalidity should take
effect on the date on which the Directive entered into force and not just from the
date of the ECJ judgement. This essentially means that any action taken and personal
data collected pursuant to the provisions of the Directive can be challenged in
Court. This also means that the provisions contained in our own Legal Notice 98
of 2008, as well as any information obtained under such Legal Notice, can be
directly challenged in front of the Maltese courts which will be obliged to
respect the binding nature of the decision of the ECJ.
Any data protection law strives to create a balance between the fundamental rights and freedoms of individuals and the rights of the State to process such personal data regarding its subjects. Such a balance is, however, in constant flux. Whilst in 2008 there was consensus that additional powers had to be given to law enforcement authorities in their effort to combat serious crime, following the Snowden saga, such balance is again shifting and the ECJ’s latest pronouncement is clear evidence of that. It will be interesting to see how the local legislative and judicial landscapes will react to the ever-changing balance of proportionality when personal data is processed.