April 29 2014
On April 8 2014 the European Court of Justice (ECJ) declared the EU Data Retention Directive,(1) which has been the subject of much debate, invalid. The directive requires telecommunications providers to retain certain categories of traffic and location data and to permit law enforcement authorities to access such data in order to prevent and prosecute (severe) crime and terrorism.
Eight years after the directive entered into force, the ECJ has declared the directive invalid. The ECJ held that the directive interferes with the fundamental rights to respect for private life and the protection of personal data (Articles 7 and 8 of the European Charter of Fundamental Rights of the European Union).(2) In its ruling, the ECJ stated that the data retention obligation provided for by the directive does not per se interfere with the cited fundamental rights, and that the obligation principally serves legitimate public interests. However, the ECJ viewed the directive as disproportionate, as the interference that it causes with these fundamental rights goes beyond the extent absolutely necessary to achieve its objectives.
The ECJ stated that the directive affects individuals, communications and related data in an all-embracing manner, without proper differentiation. The ECJ was primarily concerned that the directive insufficiently defines the severity of the crimes to be prosecuted by means of the retained data. The ECJ also highlighted that safeguards sufficient to ensure effective protection of the retained data are missing. In that respect, the ECJ criticised, among other things, the fact that a prior court order (or an order from an independent administrative body) is not a prerequisite for granting data access to law enforcement authorities. Further, the ECJ argued that the data retention period in the directive does not appropriately distinguish between the retained data and the potentially affected individuals in relation to the objectives pursued by the directive. Finally, but arguably most notably, the ECJ found the directive to be invalid because it does not require the data to be stored within the European Union. In the absence of such an obligation, data protection compliance cannot be safeguarded by an independent authority, as required by the European Charter of Fundamental Rights.
Given these considerations, the ECJ declared the directive invalid in its totality.
Initial media reactions to this ruling have been positive. However, a key aspect to consider is the ECJ's remark that the directive is illegitimate as it does not require the data necessarily to be retained within the European Union and, with this, that the data is not necessarily stored within the jurisdiction of an independent authority. This raises the reflexive question of whether the ECJ would regard any personal data that is stored outside the European Union (at least if it exceeds a certain degree of volume and intrusiveness) to be in breach of EU law, as it is stored within the jurisdiction of an authority that is not necessarily an independent authority within the understanding of the ECJ. In this respect, in its decision in C-614/10, the ECJ took a rather strict view on the authority's independence requirements by claiming that the authority must be not only functionally independent, but also established in a manner that ensures full organisational independence.
If this decision reflects the ECJ's general stance on the matter, it will have an impact that goes far beyond telecommunications data retention considerations. Such a stance would instead encompass all types of data processing scenarios, including international data transfers and international data storage (eg, cloud services). However, the ECJ's ruling does not address the details of this question.
For the time being, it appears from the ECJ's explicit territoriality considerations that the ECJ will take (at the very least) a somewhat critical view of personal data processing activities that take place outside the European Union.
For further information on this topic please contact Günther Leissler, Veronika Wolfbauer or Günther Grassl at Schoenherr by telephone (+43 1 5343 70), fax (+43 1 5343 76100) or email (firstname.lastname@example.org, email@example.com or firstname.lastname@example.org). The Schoenherr website can be accessed at www.schoenherr.eu.
(1) Directive 2006/24/EC of the European Parliament and of the Council of March 15 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks, amending Directive 2002/58/EC (OJ 2006 L 105, page 54).