The European Court of Justice (ECJ) has delivered a significant victory to privacy advocates after it ruled that the EU’s Data Retention Directive, which requires member states and their phone / Internet providers to keep a basic access log of all website, email and phone call activity for up to 2 years, was now considered “invalid“.
The directive exists as a tool to help security and law enforcement agencies to prevent, investigate, detect and prosecute serious crimes including terrorism. The logs that are kept do NOT include the content of your communications (e.g. what you say or write) but many still fear that the activity goes too far. Similarly the United Kingdom has repeatedly tried and failed to push through even tougher rules and it looks like we might see a third attempt in the not too distant future (here).
Advertisement
But plans to extend the Data Retention powers have been dealt a significant blow today after the ECJ, which was acting upon a request from Ireland’s High Court and the Verfassungsgerichtshof (Constitutional Court, Austria) to examine the validity of the directive, has “declared the directive invalid” because it breaches the “fundamental right to respect for private life and the fundamental right to the protection of personal data” (i.e. Charter of Fundamental Rights of the EU).
The outcome follows last year’s OPINION by the Court of Justice’s Advocate General, Pedro Cruz Villalón, whom warned that the 7 year old directive was “as a whole incompatible with the requirement, laid down by the Charter of Fundamental Rights of the European Union, that any limitation on the exercise of a fundamental right must be provided for by law” (here).
“The Court takes the view that, by requiring the retention of those data and by allowing the competent national authorities to access those data, the directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data. Furthermore, the fact that data are retained and subsequently used without the subscriber or registered user being informed is likely to generate in the persons concerned a feeling that their private lives are the subject of constant surveillance.
The Court is of the opinion that, by adopting the Data Retention Directive, the EU legislature has exceeded the limits imposed by compliance with the principle of proportionality. Although the retention of data required by the directive may be considered to be appropriate for attaining the objective pursued by it, the wide-ranging and particularly serious interference of the directive with the fundamental rights at issue is not sufficiently circumscribed to ensure that that interference is actually limited to what is strictly necessary.”
Jim Killock, Open Rights Group Executive Director, said:
“Today’s ruling recognises that blanket data collection interferes with our privacy rights. We must now see the repeal of national legislation that obliges telecoms companies to collect data about our personal phone calls, text messages, emails and internet usage. This collection is indiscriminate and reverses the presumption of innocent until proven guilty.”
The ECJ goes on to pick apart the directive in various different ways, which means that the EU will now be forced to amend the existing legislation in order to reduce the period of retention and to soften how it is applied. The move could also have an impact upon the United Kingdom’s related Regulation of Investigatory Powers Act 2000 (RIPA) and will surely cause further problems for any plans to expand the existing powers.
Comments are closed