Although this decision invalidating the EU Data Retention Directive of 2006 (Directive 2006/24/EC) does not specifically address surveillance by the NSA or GCHQ, it raises severe doubts about the legality of these agencies’ acquisition and use of EU citizens’ telecommunications.
Under Directive 2006/24/EC, EU member states were required to enact laws requiring telecommunications providers to store location and traffic data, but not content, on all communications for a period of six months to two years, and to make the data available to the government for the investigation and prosecution of serious crime, including terrorism and organized crime. In its April 8 decision, the European Court of Justice (“CJEU”) invalidated the Directive on the ground that it violated the rights to privacy in Article 7 and to the protection of personal data in Article 8 of the Charter of Fundamental Rights of the European Union (“the Charter”).
In its opinion, the CJEU reasoned that, even though the contents of communications were outside the scope of the Directive, data on the location and timing of Internet and telephone communications and on who uses which facilities to communicate with whom can reveal extensive details about people’s lives. “Those data, taken as a whole, may allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them.” (Para. 27). Even though the rights to privacy and to the protection of personal data in the Charter are not absolute, the principle of proportionality in Article 52(1) of the Charter could countenance the Directive’s interferences with those rights only if they were “strictly necessary” to the Directive’s stated purpose of combatting serious crime. (Para. 52). According to the CJEU, the Directive’s provisions for the retention of data were too indiscriminate to satisfy the requirement of strict necessity. “[T]he directive requires the retention of all traffic data containing fixed telephony, mobile telephony, Internet access, Internet e-mail and Internet telephony. … [It therefore] affects, in a comprehensive manner, all persons using electronic communications services … even … persons for whom there is no evidence capable of suggesting that their conduct might have a link, even an indirect or remote one, with serious crime.” (Paras. 56 and 58).
With regard to access to data, the CJEU reasoned that the Directive left too much discretion to Member States for the requirement of strict necessity to be met. Despite referencing the purpose of combatting “serious crime,” the Directive left the definition of “serious crime” up to each Member State and did not even require States to limit their access and subsequent use of retained data to preventing, detecting, or prosecuting what they defined as “serious crime.” Member States were also left free to require telecommunications providers to retain data for six months, two years, or any period they wished in between, and no limits were imposed on the numbers of persons whom States could authorize to access and subsequently use data. The CJEU emphasized that the Directive did not even require Member States to establish mechanisms for prior, independent review of government decisions to access and use data. “Above all, the access by the competent national authorities to the data retained is not made dependent on a prior review carried out by a court or by an independent administrative body whose decision seeks to limit access to the data and their use to what is strictly necessary for the purpose of obtaining the objective pursued and which intervenes following a reasoned request of those authorities submitted within the framework of procedures of prevention, detection or criminal prosecutions.” (Para. 62).
In addition to disproportionately interfering with the right to privacy and to data protection in Articles 7 and 8 of the Charter, the ECJ found that the Directive also violated Article 8 by not mandating effective protection of the retained data. The Court found that “specific [rules] adapted to (i) the vast quantity of data whose retention is required …, (ii) the sensitive nature of that data, and (iii) the risk of unlawful access to that data …” were needed (Para. 66), and that it was necessary to “require the data in question to be retained within the European Union” (Para. 68).
A table on data retention laws in individual EU countries as of July 28, 2015 is available here.