The European Court of Justice took a decision on 8 April declaring the Data Retention Directive to be invalid. The Court finds that the directive entails a serious interference with the fundamental rights to respect for private life and the protection of personal data and that such interference is not inevitably necessary.
The directive that has been in force since 2006 was intended to ensure the availability of data for the purpose of the prevention, investigation, detection and prosecution of serious crime, in particular organised crime and terrorism. We asked Kari Käsper, Executive Director of the Estonian Human Rights Centre and Lecturer in European Union Law of Tallinn University of Technology to explain the substance of the court decision.
How did the lawsuit come about?
The lawsuit started out with two civil initiative litigations. First, an Irish human rights organisation Digital Rights Ireland contested the national legislation that was based on 2006 Data Retention Directive; and secondly, similar action was taken by over 10 000 private persons in Austria. As questions were raised on the validity and interpretation of the Data Retention Directive, Irish and Austrian courts in charge of the legal proceedings both turned to the European Court of Justice for advice. The decision at hand is the response of the European Court of Justice to the respective courts concluding that the Data Retention Directive is invalid since its entry into force.
It’s worth noting that the Data Retention Directive was adopted in only three months (normally the EU legislative procedure takes much longer) after terrorist attacks in London and Madrid that claimed many lives.
Which data exactly does the directive allow to retain what does it mean for ordinary people?
The directive requested that telecommunications service providers retain so-called metadata for a period of not less than six months and not more than two years. Metadata includes for example the information on the date, time, duration, location and recipient of mobile or landline calls, connection to the Internet or e-mail service provider. All telecommunications service providers e.g. mobile operators and Internet service providers were obliged to retain this data about every user.
The directive did not allow retaining the content of messages. These days, however, it’s possible to collect enough information about people that seriously interferes with their fundamental rights simply by analysing the metadata.
What was the Court’s argumentation that led to the decision of deeming the directive invalid?
The Court found that the directive violates in its entirety the Charter of Fundamental Rights of the EU, as it interferes disproportionally with the right to privacy. The Court noted that the obligation to retain data may well be one of the possible measures for combating terrorism and serious crime, but the way it has been regulated with the directive does not guarantee sufficient protection of the fundamental rights of the people. The Court found it unnecessary to retain data in this manner, since:
1. the directive called for data retention on everyone, regardless of the person being a potential criminal or not i.e. in the opinion of the Court total surveillance of all EU residents was not justified for the sake of combating crime;
2. the directive failed to lay down rules, which authorities and on which conditions may be granted access to retained data (a permit from a court or independent authority was not required). It was also not quite clear, what may be considered as “serious crimes” that warrant using retained data;
3. the directive did not provide sufficient safeguards against the risk of abuse including: not distinguishing between the types of data (all data was retained in a uniform manner and for the same period), no obligation to delete data after the period of retention had lapsed, no obligation to retain data on the EU territory.
Does the Estonian legislation, which is based on the directive deemed invalid, therefore violate the fundamental rights?
Estonia has implemented the directive by including paragraph 111 prim in the Electronic Communications Act. Some of the issues raised by the Court have already been resolved in Estonia, such as the requirement to retain data on the EU territory. Other problems, however, that were outlined can also be found in the Estonian legislation: data of all people is retained, various types of data are not distinguished and retained data can be used for a wide range of purposes. The data may be transmitted in addition to investigation and intelligence agencies, the Prosecutor’s Office and courts also to the Data Protection Inspectorate, the Financial Supervision Authority, the Environmental Inspectorate and the Tax and Customs Board. Therefore, it seems prima facie, that the respective Estonian legislation may disproportionately infringe the right to privacy and violate the Charter of Fundamental Rights of the EU, the European Convention on Human Rights and other international human rights conventions as well as the Estonian Constitution.
The Estonian Minister of the Interior should immediately start the analysis on how to secure the respect for fundamental rights in the law and present the draft amendment to the Parliament of Estonia as soon as possible. The Finnish Minister of Education and Communications Krista Kiuru has already announced that the data retention rules will be reviewed in accordance with the ruling. Anyone who thinks that their right to privacy has been violated by retaining their data may file a complaint to the administrative court; there is also the possibility to appeal to the Chancellor of Justice to initiate proceedings of constitutional review to verify the conformity of the law with the fundamental rights.
Telecommunications providers ought to consider, whether to continue data retention and take the risk of being sued by people, whose data they have been retaining potentially illegally. Swedish Internet service provider Bahnhof, for example, deleted yesterday all users’ data that they were supposed to retain according to the directive.
What is the broader impact of such explicit decision by the Court?
The broader impact of the decision should be considered in the context of Edward Snowden’s revelations on mass surveillance. Although it has taken quite a while, it’s becoming clearer that not every measure in combat against terrorism and crime is permissible. Mass surveillance as such seems to be disproportionate based on the ruling of the European Court of Justice. For the European Court of Justice it was an excellent opportunity to show that the protection of human rights takes first priority in the Court. The ruling will surely affect the negotiations on data protection reform, pushing for greater protection of privacy, which gives cause for everyone but to rejoice. The assessment of the broader impact of the case may perhaps be left for posterity, but I think that in 20 years time this decision will be seen as an important milestone in the development of the whole EU.
Press release of the European Court of Justice: http://curia.europa.eu/jcms/upload/docs/application/pdf/2014-04/cp140054en.pdf
Judgement of the Court: http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=req&docid=150642&occ=first&dir=&cid=462325
Since you are here...
It is important to protect everyone’s human rights, because it helps to keep stability and peace in the society. There are many challenges for protection of human rights in Estonia: intolerance has really come out of the closet. Bad things happen when good people are too passive, but together we can make a change.
Estonian Human Rights Centre is the competent, accountable and impactful independent human rights organisation in Estonia. Your recurring or one-time donation helps to stand up for human rights everywhere: in courts, in the media, in schools, in the workplace, on the streets and in governmental venues.
Donating is easy, and you can use your credit card if donating from abroad.
Donate now