“Lisbonisation” of EUROJUST : on the right track, however…..

An Overall Analysis of the Proposal for a Regulation on Eurojust


by Prof. Dr. Anne Weyembergh (*)

As explicitly mentioned in the Treaty of Nice,1 and preceded by a provisional unit (“pro-Eurojust”),2 Eurojust was established through a Decision of 28 February 2002.3 The latter was amended by the Decision of 16 December 2008 on the strengthening of Eurojust.4 Shortly after the celebration of its 10th birthday in 2012, Eurojust became the subject of a new reform. On the 17th of July 2013, the Commission presented a proposal for a Regulation on the European Union Agency for Criminal Justice Cooperation (Eurojust), based on Art. 85 of the Treaty on the Functioning of the EU (TFEU).5 This initiative was introduced at the same time as the proposal for a Regulation establishing the European Public Prosecutor’s Of-fce (EPPO).6

As stated in the title of this article, this analysis aims to give an overall review of the proposal for a Regulation on the European Union Agency for Criminal Justice Cooperation (Eurojust). It will be divided into two parts. The frst part will be devoted to the main innovative features of the initiative and to the main improvements it brings (I). The second part will highlight some disappointing features or sources of concern (II). Continue reading ““Lisbonisation” of EUROJUST : on the right track, however…..”

Data Retention: a landmark Court of Justice’s ruling.(6) Are national data retention laws within the scope of the Charter?


Sunday, 20 April 2014

By Steve Peers

Following the annulment of the EU’s data retention Directive by the CJEU, an obvious important question arises: are national data retention laws subject to the same ruling of the Court? The purpose of this post is to set out the reasons why they are.

The starting point for this analysis is Article 51 of the EU’s Charter of Fundamental Rights, which states that the Charter applies to the EU institutions and other EU bodies, but to the EU’s Member States ‘only’ when they are ‘implementing’ EU law. What does that mean?

On the narrowest interpretation, Member States ceased to be implementing EU law on data retention from the moment that the data retention Directive became invalid. After all, from that point, there was no EU data retention law to implement. However, it is arguable that Member States can still be regarded as ‘implementing’ EU law where their national legislation was introduced to implement an EU obligation. It’s a novel point, because it’s rare for the CJEU to annul EU laws on substantive grounds. And where the Court has done so, it has more often annulled only a small part of those EU laws (in the Test-Achats judgment, for instance).

But that is merely an alternative argument that the EU Charter continues to apply to national data retention law. The main argument is based on solidly established case law of the CJEU regarding the scope of EU human rights protection where Member States derogate from EU law.

EU human rights rules and national derogations from EU law Continue reading “Data Retention: a landmark Court of Justice’s ruling.(6) Are national data retention laws within the scope of the Charter?”

From STATEWATCH : EU Justice and Home affairs legislation under the 2009-14 term of the European Parliament

By Steve Peers
Professor of Law, Law School, University of Essex

The latest term of the European Parliament has just come to an end. For most of this term, the Treaty of Lisbon was in force, meaning that the ‘ordinary legislative procedure’ applied to the adoption of the vast majority of Justice and Home Affairs legislation.

This analysis presents a brief summary of the JHA legislation adopted during this parliamentary term. It can be seen that under the most recent legislature, the EU adopted laws concerning:
– the second phase of the Common European Asylum System;
– amendments to the rules on visa requirements, internal border checks, internal border controls, and Frontex;
– various aspects of legal migration, but nothing significant on irregular migration;
– revised or new rules concerning aspects of civil jurisdiction, conflict of laws and enforcement of judgments;
– rules for the first time on criminal suspects’ rights;
– revised rules on some areas of substantive criminal law;
– revised rules on investigation orders (previously known as mutual assistance), but not on any other aspects of mutual recognition.
– revised rules on victims’ rights and confiscation of criminal assets, and new rules on protection orders.

Proposed EU legislation does not lapse when the European Parliament’s term ends. This leaves two categories of measures which have not been adopted yet.

First of all, some legislation was agreed in principle, but has not yet been formally adopted. These measures will likely all be formally adopted in the spring by the Council.

Secondly, some legislation was not agreed at all during the EP’s term, either because it was proposed very late in the term (for instance, new visa rules and further measures on criminal suspects), or because either the EP and/or the Council could not agree its position. In one case (EU fraud), both institutions agreed their position, but the EP agreed it too late to negotiate.

For these measures, where the Council has not yet agreed its position, negotiations will continue under the current Greek Presidency to agree it (negotiations for Council positions are currently furthest advanced as regards the Europol Regulation and the Directive on child criminal suspects).

Where both the EP and the Council have agreed their positions, negotiations with the EP will get underway when the EP resumes its normal business in September.

The following lists present in turn
(a) legislation formally adopted during the 2009-14 term;
(b) legislation agreed in principle, which will be adopted in spring; and
(c) legislation which was not agreed.

(a) Adopted legislation


• Regulation 439/2010 establishing a European Asylum Support Office (OJ 2010 L 132/11)
• Decision amending European Refugee Fund (OJ 2010 L 129/1)
• Directive 2011/95 on qualification and content of international protection (OJ 2011 L 337/9)
• Decision amending European Refugee Fund as regards resettlement (OJ 2012 L 92/1)
• Decision 258/2013 amending asylum and migration funding legislation (OJ 2013 L 82/1)
• Directive 2013/33 on reception conditions for asylum-seekers (OJ 2013 L 180/96)
• Regulation 604/2013 on responsibility for asylum applications (OJ 2013 L 180/31)
• Directive 2013/32 on international protection procedures (OJ 2013 L 180/60)
• Regulation 603/2013 on Eurodac (OJ 2013 L 180/1)
• Regulation establishing the asylum and migration Fund (not yet published)
• Regulation laying down general provisions on the Asylum and Migration Fund and on the instrument for financial support for police cooperation, preventing and combating crime, and crisis management (not yet published)

Visas and borders

• Regulation 1244/2009 amending Regulation establishing EC visa list (OJ 2009 L 336/1)
• Regulation 265/2010 on long-stay visas (OJ 2010 L 85/1)
• Reg 541/2010 amending Reg 1104/2008 on migration from SIS to SIS II (OJ 2010 L 155/19)
• Reg 1091/2010 amending visa list to waive visa requirement for Albania, Bosnia-Herzegovina (OJ 2010 L 329/1)
• Reg 1211/2010 amending visa list (OJ 2010 L 339/6)
• Regulation 1077/2011 establishing agency to manage VIS, SIS and Eurodac (OJ 2011 L 286/1)
• Decision drawing up list of travel documents (OJ 2011 L 287/9)
• Reg. 1168/2011 amending Reg 2007/2004 establishing Frontex (OJ 2011 L 304/1)
• Regulation 1342/2011 amending border traffic Regulation (OJ 2011 L 347/41)
• Regulation 154/2012 amending visa code (OJ 2012 L 58/3)
• Regulation 1273/2012 on migration from SIS to SIS II (OJ 2012 L 359/32)
• Decision 259/2013 amending borders fund (OJ 2013 L 82/6)
• Regulation 610/2013 amending Borders Code regulation (OJ 2013 L 182/1)
• Regulation 1053/2013 on Schengen evaluation process (OJ 2013 L 295/13)
• Regulation 1051/2013 amending borders code (OJ 2013 L 295/1)
• Regulation 1052/2013 establishing Eurosur (OJ 2013 L 295/11)
• Regulation 1289/2013 amending visa list (OJ 2013 L 347/74)
• Regulation 259/2014 amending visa list to waive visa requirements for Moldova (OJ 2014 L 105/9)
• Regulation establishing, as part of the Internal Security Fund, the instrument for financial support for external borders and visa (not yet published)


• Regulation 493/2011 amending Regulation on immigration liaison officers (OJ 2011 L 141/13)
• Regulation 1231/2010 extending Regulation 883/2004 on social security for EU citizens to third-country nationals who move within the EU (OJ 2010 L 344/1)
• Directive 2011/51 applying long-term residents’ Directive to refugees and beneficiaries of subsidiary protection (OJ 2011 L 132/1)
• Directive 2011/98 on a single application procedure for a single permit for third-country nationals to reside and work in the territory of a Member State and on a common set of rights for third-country workers legally residing in a Member State (single permit Directive) (OJ 2011 L 343/1)
• Directive 2014/36 on admission of seasonal workers (OJ 2014 L 94/375)

Civil Cooperation

• ‘Rome III’ Regulation 1259/2010 on choice of law in divorce proceedings (OJ 2010 L 343/10)- Nb: special legislative procedure and enhanced cooperation applied

Regulation 650/2012 on choice of law and jurisdiction in succession proceedings (OJ 2012 L 201/107)

• Regulation 1215/2012 on civil and commercial jurisdiction (OJ 2012 L 351/1)
• Regulation 606/2013 on civil law enforcement of protection orders (OJ 2013 L 181/4)

Criminal law and policing

• Directive 2010/64 on the right to interpretation and translation in the framework of criminal proceedings (OJ 2010 L 280/1)
• Directive 2011/36 on trafficking in persons (OJ 2011 L 101/1)
• Directive 2011/82 on exchange of information on traffic offences (OJ 2011 L 288/1)- Nb legal challenge to validity: CJEU will give ruling on 6 May 2014
• Directive 2011/92 on sexual exploitation of children (OJ 2011 L 335/1)
• Directive 2011/99 on European protection order (OJ 2011 L 338/2)
• Directive 2012/13 on the right to information on criminal proceedings (OJ 2012 L 142/1)
• Directive 2012/29 on crime victims’ rights (OJ 2012 L 315/57)
• Directive 2013/40 on attacks on information systems (OJ 2013 L 218/8)
• Directive 2013/48 on access to lawyer and communication rights (OJ 2013 L 294/1)
• Directive on European investigation order (not yet published)
• Directive on freezing and confiscation of criminal proceeds (not yet published)
• Directive on criminal sanctions against market abuse (not yet published)
• Regulation 542/2010 amending Decision on migration of third-pillar SIS to SIS II (OJ 2010 L 155/23)
• Regulation 1272/2012 on migration from SIS to SIS II (OJ 2012 L 359/21)
• Regulation establishing a Justice Programme (OJ 2013 L 354/73)
• Regulation on the instrument for financial support for police cooperation, preventing and combating crime, and crisis management (not yet published)

(b) Agreed proposals

Immigration and asylum

Regulation amending visa list Regulation (COM (2012) 650, 7 Nov. 2012)
Regulation on maritime surveillance operations (COM (2013) 197, 16 April 2013)
Decision on transit as regards Croatia and Cyprus (COM (2013) 441, 21 June 2013)
Directive on admission of intra-corporate transferees (COM (2010) 378, 13 July 2010)

Civil cooperation

Regulation on European account preservation orders (COM (2011) 445, 25 July 2011)
Regulation amending civil jurisdiction Regulation (COM (2013) 554, 26 July 2013)

Criminal law and policing

• Directive on counterfeiting currency (COM (2013) 42, 5 Feb. 2013)
• Amendment to Decision on European Police College (Council doc. 16378/13, 18 Nov. 2013)

(c) Legislation not agreed

Immigration and asylum

No EP or Council position yet :
• Regulation establishing entry-exit system (COM (2013) 95, 27 Feb. 2013)
• Regulation amending borders code (COM (2013) 96, 27 Feb. 2013)
• Regulation establishing registered traveller programme (COM (2013) 97, 27 Feb. 2013)
• Regulation recasting visa code (March 2014)
• Regulation creating a touring visa (March 2014)

• Directive on admission of students, researchers and others (COM (2013) 151, 25 March 2013) EP agreed its position, Council has not.

Civil cooperation

• Regulation on choice of law and jurisdiction on matrimonial property (COM (2011) 126, 16 Mar. 2011) EP agreed its position, Council has not; special legislative procedure
• Regulation on choice of law and jurisdiction on registered partnerships (COM (2011) 127, 16 Mar. 2011) EP agreed its position, Council has not; special legislative procedure
• Regulation amending insolvency Regulation (COM (2012) 744, 12 Dec. 2012)- EP agreed its position, Council has not
• Regulation amending prior legislation regarding implementing measures (COM (2013) 452, 27 June 2013) – EP agreed its position, Council has not
• Regulation amending small claims and order for payment Regulations (COM (2013)794, 19 Nov. 2013)- no EP or Council position yet

Criminal law and policing

• Directive on passenger name records (COM (2011) 32, 2 Feb. 2011)- EP in effect rejected; Council agreed position
• Directive on protection of EU financial interests (COM (2012) 363, 11 July 2012) – EP has agreed position; Council has also; negotiations did not start yet
• Directive to amend Framework Decision on drug trafficking (COM (2013) 618, 17
• Sep. 2013) – EP has agreed position; Council has not
• Directive on presumption of innocence (COM (2013) 821, 27 Nov. 2013) – no EP or Council position yet
• Directive on childrens’ rights as suspects (COM (2013) 822, 27 Nov. 2013) – no EP or Council position yet
• Directive on provisional legal aid (COM (2013) 824, 27 Nov. 2013) – no EP or Council position yet
• Regulation on Europol (COM (2013) 173, 27 March 2013) – EP has agreed position; Council has not
• Regulation on European Public Prosecutor’s Office (COM (2013) 534, 17 July 2013) – EP adopted interim report; no Council position yet
• Regulation on Eurojust (COM (2013) 535, 17 July 2013) – no EP or Council position yet
• April 2014

© Statewatch ISSN 1756-851X. Personal usage as private individuals/”fair dealing” is allowed. We also welcome links to material on our site. Usage by those working for organisations is allowed only if the organisation holds an appropriate licence from the relevant reprographic rights organisation (eg: Copyright Licensing Agency in the UK) with such usage being subject to the terms and conditions of that licence and to local copyright law.

April 8th 2014 : A dawn of a new european data protection era ?

Réseau universitaire européen dédié à l’étude du droit de l’Espace de liberté, sécurité et justice(ELSJ)

La Cour de justice et la protection des données : quand le juge européen des droits fondamentaux prend ses responsabilités
9 AVRIL 2014
par Henri Labayle, CDRE

(English translation will follow)

C’est par deux grandes décisions que la Cour de justice aura marqué de son empreinte le droit de la protection des données à caractère personnel. Rendus le même jour en grande chambre, le 8 avril 2014, ces deux arrêts méritent d’être rapprochés : ils témoignent à tous égards de la volonté de la Cour de marquer un coup d’arrêt en assumant pleinement ses responsabilités de juge des droits fondamentaux.
Le premier d’entre eux pouvait paraître anecdotique par ses circonstances, sinon par son contexte. Frappant un Etat membre, sa décision Commission c. Hongrie (C 288/12) lui permet cependant de rappeler la nécessaire indépendance de ceux qui, dans les Etats membres, veillent au respect de la directive 95/46 relative à la protection des données.
Le second, éclatant et retenant à ce titre l’attention de tous, la conduit à prononcer de manière inusitée par sa généralité l’invalidité de la directive 2006/24 relative à la conservation des données, dans les affaires jointes Digital Rights Ireland (C 293/12) et Seitlinger (C-594/12).
Calée sur son office de protection des droits fondamentaux, prenant pour référence quasi-exclusive la Charte des droits fondamentaux et pour méthode de raisonnement celle qui est de mise à Strasbourg, la Cour de justice s’avère alors un garant résolu des droits individuels.

1 – De la nécessaire indépendance des organes nationaux de protection des données à caractère personnel

Le premier ministre Viktor Orban n’a guère eu le temps de savourer sa victoire aux législatives, deux jours avant l’arrêt de la Cour. Celles-ci étaient observées avec attention en Europe, au vu de la tendance fâcheuse des autorités hongroises à prendre l’Union et ses valeurs pour « un paillasson » ainsi que Daniel Cohn Bendit l’avait vertement indiqué à Viktor Orban au Parlement européen en janvier 2012.
Parmi les mesures reprochées au régime hongrois en matière de droits fondamentaux (voir le rapport Ruiz Tavares A7-0229:2013 au Parlement européen), de sa modification constitutionnelle à ses atteintes à l’indépendance des juges, sa décision de mettre brutalement fin aux fonctions du commissaire hongrois à la protection des données était passée relativement inaperçue des non spécialistes.
Avec le Parlement, la Commission en avait fait cependant l’un des griefs justifiant l’engagement de trois procédures en constatation de manquement en mars 2012. La Cour avait donc à en connaître.
Les faits ne prêtaient guère à discussion : la directive 95/46 sur la protection des données à caractère personnel fait obligation aux Etats membres de désigner une ou plusieurs autorités chargées de veiller à son respect. Elle précise dans son considérant 62 que « l’institution, dans les États membres, d’autorités de contrôle exerçant en toute indépendance leurs fonctions est un élément essentiel de la protection des personnes à l’égard du traitement des données à caractère personnel », ce que traduit son article 28 §1 en ces termes : « ces autorités exercent en toute indépendance les missions dont elles sont investies ».
En Hongrie, un commissaire à la protection des données élu en 2008 pour une durée de six ans jouait ce rôle. Au prétexte de réformer ce système, le Parlement hongrois avait décidé de remplacer cette institution par une nouvelle autorité chargée de la protection des données et de la liberté de l’information, d’où la cessation des fonctions du commissaire en question, M. Iori, et son remplacement pour un nouveau président de ladite autorité, pour neuf ans.
Ajoutée à l’évidente ingérence de l’exécutif hongrois dans cette nouvelle autorité, cette cessation forcée du mandat du commissaire hongrois justifiait donc la saisine de la Cour de justice par la Commission, appuyée par le Contrôleur européen de la protection des données.
Sans remettre en cause le droit souverain de l’Etat hongrois de modifier sa législation interne et son système de contrôle de la protection des données, la Commission refusait à la fois d’avaliser le fait que cette réforme aboutisse à la cessation du commissaire en poste mais aussi qu’elle puisse ne pas garantir l’indépendance totale de l’autorité exerçant ce contrôle. Celle-ci va au-delà de la simple indépendance fonctionnelle et prohibe toute forme de sujétion, qu’elle soit de nature institutionnelle, personnelle ou matérielle.
La jurisprudence a du reste eu l’occasion de trancher la question sur ce point (CJUE, 9 mars 2010, Commission c. Allemagne, C-518/07; 16 octobre 2012, Commission c. Autriche, C-614/10), particulièrement attentive à la condition d’un exercice des fonctions en « toute » indépendance, figurant dans la directive 95/46.
L’affaire était jugée suffisamment sérieuse pour que l’avocat général Melchior Wathelet, dans ses conclusions, ajoute « qu’un arrêt de la Cour constatant le manquement dans la présente affaire aurait une très grande importance non seulement pour les autorités créées en application de l’article 28 §1 de la directive, mais aussi pour toute autre autorité indépendante instaurée en application du droit de l’Union. En assurant ces autorités indépendantes de l’inamovibilité de leur mandat jusqu’à l’échéance prévue, sauf raisons graves préétablies par la loi et objectivement vérifiables, cet arrêt aurait pour effet de limiter considérablement le risque nuisible d’«obéissance anticipée» à des acteurs externes, publics ou privés. Un tel arrêt écarterait «l’épée de Damoclès» que représente le risque paralysant de cessation anticipée de leur mandat » (point 83).
C’est bien ainsi que la Cour l’entend, manifestement.
A « titre liminaire », et outre la directive, elle relie expressément et très utilement l’exigence d’un contrôle par une autorité indépendante du respect des règles de l’Union relatives à la protection des personnes physiques à l’égard du traitement des données à caractère personnel au droit primaire de l’Union et plus particulièrement à l’article 8 §3 de la Charte des droits fondamentaux de l’Union européenne et de l’article 16 §2 TFUE.
On conçoit alors qu’elle fasse de cette exigence un « élément essentiel » de ce droit à la protection.
Elle a déjà jugé dans les affaires précitées que le seul risque que les autorités de tutelle de l’État puissent exercer une influence politique sur les décisions des autorités de contrôle suffit pour entraver l’exercice indépendant des missions de celles-ci. En effet, d’une part, il pourrait en résulter une «obéissance anticipée» de ces autorités eu égard à la pratique décisionnelle de l’autorité de tutelle et, d’autre part, « considérant le rôle de gardiennes du droit à la vie privée qu’assument les autorités de contrôle » (point 53), leurs décisions comme elles-mêmes doivent être au-dessus de tout soupçon de partialité.
Il restait à cerner l’étendue de l’obligation pesant sur les Etats membres concernant le respect de la durée du mandat de ces autorités jusqu’à leur terme. Elle ne s’y dérobe pas.
Leur accorder le droit de mettre fin au mandat d’une autorité de contrôle avant son terme sans respecter les règles et les garanties préétablies à cette fin par la législation applicable constituerait, de son point de vue une menace potentielle qui « planerait alors sur cette autorité tout au long de l’exercice de son mandat » et pourrait conduire à une forme d’obéissance de celle-ci au pouvoir politique, incompatible avec ladite exigence d’indépendance. Que la fin anticipée du mandat résulte d’une restructuration ou d’un changement de modèle n’y changerait rien.
Elle délivre alors son interprétation : l’exigence d’indépendance mentionnée par la directive 95/46 doit être « nécessairement être interprétée comme incluant l’obligation de respecter la durée du mandat des autorités de contrôle jusqu’à son échéance et de n’y mettre fin de manière anticipée que dans le respect des règles et des garanties de la législation applicable » (point 55). Le droit de l’Union en pouvait raisonnablement être compris comme autorisant la Hongrie à adopter un comportement différent.
D’où la constatation du manquement commis par les autorités hongroises à leurs obligations, que la Cour de justice n’accepte pas d’atténuer en faisant droit à la demande la Hongrie de limiter dans le temps les effets de son arrêt.

2 – De la proportionnalité de l’ingérence des pouvoirs publics dans la conservation des données

L’arrêt rendu dans les affaires jointes Digital Rights Ireland et Seitlinger (C-293/12 et 594/12) est d’une importance plus grande encore. Par la radicalité de la solution de la Cour, l’invalidation entière d’une directive, comme par le raisonnement mené pour y parvenir et par l’impact de sa solution sur les pratiques nationales, il doit être salué. A une question de principe, la Cour apporte sans se dérober une réponse de même nature.

Une question de principe

C’est par la voie préjudicielle que la High Court Irlandaise, d’une part, et la Cour constitutionnelle autrichienne, d’autre part, interrogeaient la Cour de justice sur la validité de la directive 2006/24 sur la conservation des données générées ou traitées dans le cadre de la fourniture de services de communications électroniques accessibles au public ou de réseaux publics de communications. La première, à l’occasion de litiges nationaux concernant son application tandis que l’autre devait trancher une série impressionnante de contestations prenant la forme de recours en constitutionnalité faisant suite à la transposition de la directive en droit interne.
Etait principalement en cause l’obligation faite aux opérateurs économiques de collecter, conserver et rendre disponibles pendant un temps déterminé un nombre considérable de données à caractère personnel recueillies lors des communications individuelles dans l’ensemble de l’Union, ce afin de lutter contre des activités criminelles graves.
L’occasion était rêvée pour la Cour de justice de se prononcer sur les conditions dans lesquelles l’Union européenne peut juridiquement limiter l’exercice des droits fondamentaux, en l’espèce ceux du respect de la vie privée et de la protection des données à caractère personnel garantis par les articles 7 et 8 de la Charte des droits fondamentaux de l’Union.

L’article 52 §1 de cette dernière reprend en effet la logique qui anime les droits conditionnels de la Convention européenne des droits de l’Homme en affirmant que « toute limitation de l’exercice des droits et libertés reconnus par la présente Charte doit être prévue par la loi et respecter le contenu essentiel desdits droits et libertés. Dans le respect du principe de proportionnalité, des limitations ne peuvent être apportées que si elles sont nécessaires et répondent effectivement à des objectifs d’intérêt général reconnus par l’Union ou au besoin de protection des droits et libertés d’autrui ». Les « explications » accompagnant la Charte et son article 7, abondamment citées dans le prétoire du Kirchberg, soulignent cet équilibre nécessaire.

La Cour était donc invitée à ce calcul de proportionnalité, derrière les questions des juges irlandais et autrichiens, pour évaluer la validité de la directive 2006/24.

Pour y parvenir, plusieurs clarifications étaient nécessaires. Déterminer la pertinence de l’invocation de la Charte en la matière était la plus simple, tant il allait de soi que la collecte et la conservation par les autorités nationales de données aussi sensibles pour la vie privée relevaient de son champ d’application.
Cerner la fonctionnalité exacte de la directive 2006/24 posait en revanche une question plus sensible.
On sait à cet égard la propension grandissante des institutions, telles que la Commission par exemple à propos de la migration ou de la justice, à réduire le fonctionnement de l’Espace de liberté, sécurité et justice à un prolongement du marché intérieur, accompagnée en cela par une doctrine ignorante de sa genèse et de sa charge politique. Négligeant celle-ci en mettant en avant une logique économique, cette approche est contraire à la réalité de l’Union comme au droit issu d’un traité qui garantit la sécurité à ses citoyens.
L’avocat général Cruz Villalon s’en faisait l’écho dans ses conclusions, multipliant les explications relatives à la « dualité fonctionnelle » de la directive 2006/24, adoptée « dans l’objectif de protéger le bon fonctionnement du marché intérieur, de mettre un terme à l’évolution hétérogène des réglementations existantes, tout en y faisant obstacle pour le futur ». La Cour de justice, dans son arrêt Irlande c. Parlement et Conseil de 2009 (C-301/06), avait d’ailleurs expressément rejeté une contestation portant sur la base juridique de cette directive, l’article 95 TCE, prétendant que l’unique objectif de la directive était en fait celui de la lutte contre le terrorisme réglée dans le titre VI du TUE de l’époque.
La Cour de justice n’en reste pas à cette lecture formelle et, de manière éclatante, elle relie la problématique à la politique de sécurité intérieure de l’Union européenne.
Il lui fallait en effet, dans le premier terme de son raisonnement visant à établir la légalité de la directive, identifier l’existence d’un intérêt public susceptible de justifier l’intervention de l’Union dans la vie privée des citoyens de l’Union c’est-à-dire vérifier que ces ingérences éventuelles répondent effectivement à des objectifs d’intérêt général reconnus par l’Union ou au besoin de protection des droits et libertés d’autrui, en vertu de l’article 52 §1 de la Charte.
Sans démentir ses affirmations précédentes relatives au besoin d’harmonisation des droits nationaux en matière de conservation des données, elle y apporte néanmoins un bémol qui contraste avec sa jurisprudence péremptoire de 2009 : « l’objectif matériel de cette directive vise, ainsi qu’il découle de son article 1er, paragraphe 1, à garantir la disponibilité de ces données à des fins de recherche, de détection et de poursuite d’infractions graves telles qu’elles sont définies par chaque État membre dans son droit interne. L’objectif matériel de cette directive est, dès lors, de contribuer à la lutte contre la criminalité grave et ainsi, en fin de compte, à la sécurité publique » (point 41). Fermez le ban …

On sait en effet depuis la jurisprudence Kadi que la lutte contre le terrorisme constitue un « objectif d’intérêt général de l’Union » tout comme l’est la lutte contre la criminalité grave afin de garantir la sécurité publique (CJUE, Tsakouridis, C‑145/09). De façon intéressante, la Cour souligne ici du reste que l’article 6 de la Charte énonce le droit de toute personne non seulement à la liberté, mais également à la sûreté (point 42).
Apportant ainsi un fondement à la politique sécuritaire de l’Union, dans la logique du préambule de son traité et des articles 3 §2 TUE et 67 §3 TFUE, la Cour n’avait plus alors qu’à évaluer la proportionnalité de l’ingérence ainsi constatée.

Une réponse de principe

Constater l’existence d’une ingérence dans les droits fondamentaux consacrés par les articles 7 et 8 de la Charte n’était guère compliqué et la Cour se livre sans difficulté à cet examen. Tant l’obligation de conservation des données à caractère personnel que l’accès des autorités nationales à ces données ou leur traitement constituent une ingérence flagrante dans les droits fondamentaux des individus et la Cour souligne à la suite de son avocat général qu’elle « s’avère d’une vaste ampleur et qu’elle doit être considérée comme particulièrement grave » (point 37).
De plus, la conservation des données et l’utilisation ultérieure de celles-ci étant effectuées sans que l’abonné ou l’utilisateur inscrit en soient informés est « susceptible de générer dans l’esprit des personnes concernées, ainsi que l’a relevé M. l’avocat général aux points 52 et 72 de ses conclusions, le sentiment que leur vie privée fait l’objet d’une surveillance constante ».
La seule question posée consistait donc à trancher le point de sa proportionnalité.
Le contrôle juridictionnel du principe de proportionnalité n’est pas étranger à la Cour de justice, chacun le sait. Néanmoins, et elle appréciera ce coup de chapeau tardif, la Cour européenne des droits de l’Homme est passée maîtresse dans l’examen du jeu de la balance des intérêts en présence.
C’est donc très heureusement que la Cour de justice se réfère par analogie à l’article 8 CEDH et à la jurisprudence S. et Marper c. Royaume Uni, arrêt fondateur s’il en est, pour signifier que l’étendue du pouvoir d’appréciation du législateur de l’Union peut être strictement limitée en fonction d’un certain nombre d’éléments, parmi lesquels figurent, notamment, le domaine concerné, la nature du droit en cause garanti par la Charte, la nature et la gravité de l’ingérence ainsi que la finalité de celle-ci.

Elle délivre en fait ici sa grille de lecture.
Certes, les données conservées en application de la directive 2006/24 permettent aux autorités nationales compétentes en matière de poursuites pénales de disposer de possibilités supplémentaires d’élucidation des infractions graves. Elles constituent donc un instrument utile pour les enquêtes pénales et leur conservation de telles données peut être considérée comme apte à réaliser l’objectif poursuivi par ladite directive. Or, la lutte contre le terrorisme et la criminalité est d’une importance primordiale dont l’efficacité peut dépendre de l’utilisation de ces techniques modernes d’enquête.
Néanmoins, cet « objectif d’intérêt général, pour fondamental qu’il soit, ne saurait à lui seul justifier qu’une mesure de conservation telle que celle instaurée par la directive 2006/24 soit considérée comme nécessaire aux fins de ladite lutte ».
Prenant en considération, d’une part, le rôle important que joue la protection des données à caractère personnel au regard du droit fondamental au respect de la vie privée et, d’autre part, l’ampleur et de la gravité de l’ingérence dans ce droit que comporte la directive 2006/24, le pouvoir d’appréciation du législateur de l’Union ne saurait qu’être réduit et il appelle un contrôle juridictionnel strict.
Mentionnant la jurisprudence de la CEDH, la CJUE souligne que « la réglementation de l’Union en cause doit prévoir des règles claires et précises régissant la portée et l’application de la mesure en cause et imposant un minimum d’exigences de sorte que les personnes dont les données ont été conservées disposent de garanties suffisantes permettant de protéger efficacement leurs données à caractère personnel contre les risques d’abus ainsi que contre tout accès et toute utilisation illicites de ces données ».
Tel n’est manifestement pas le cas et la Cour parvient rapidement à une conclusion cruelle : « la directive 2006/24 ne prévoit pas de règles claires et précises régissant la portée de l’ingérence dans les droits fondamentaux consacrés aux articles 7 et 8 de la Charte. Force est donc de constater que cette directive comporte une ingérence dans ces droits fondamentaux d’une vaste ampleur et d’une gravité particulière dans l’ordre juridique de l’Union sans qu’une telle ingérence soit précisément encadrée par des dispositions permettant de garantir qu’elle est effectivement limitée au strict nécessaire ».

Comment ne pas la suivre ?

En premier lieu, la directive 2006/24 couvre de manière généralisée et indifférenciée l’ensemble des individus, des moyens de communication électronique et des données relatives au trafic, indépendamment de son objectif de lutte contre les infractions graves.
Deuxièmement, la directive ne prévoit aucun critère objectif permettant de garantir que les autorités nationales compétentes n’aient accès aux données et ne puissent les utiliser qu’aux fins qui leur sont assignées. Elle renvoie de manière générale aux « infractions graves » définies par chaque État membre dans son droit interne, sans précision procédurale ni contrôle préalable d’une juridiction ou d’une entité administrative indépendante.
Pire, la durée de conservation des données est d’au moins six mois et de 24 mois au maximum, sans encadrement des catégories de données en fonction des personnes concernées ou de l’utilité éventuelle des données par rapport à l’objectif poursuivi, ni critère objectif ni protection contre une utilisation abusive.
Enfin, et la précision est de taille au regard des échanges de données dans la lutte internationale contre la criminalité, la Cour met en cause le fait que la directive n’impose pas une conservation des données sur le territoire de l’Union.
Ainsi, la directive ne garantit pas pleinement le contrôle du respect des exigences de protection et de sécurité par une autorité indépendante, comme cela est pourtant explicitement exigé par la charte.
Or, un tel contrôle, effectué sur la base du droit de l’Union, constitue un élément essentiel du respect de la protection des personnes à l’égard du traitement des données à caractère personnel.
Dans un tel contexte, l’invalidation de la directive 2006/24 coulait de source, au détail près de son ampleur et de son effet dans le temps.
La Cour de justice n’y va pas par quatre chemins, négligeant toute opération de chirurgie juridique visant à sauvegarder certains pans de la législation ou la face de ses auteurs. Le texte est invalidé dans son ensemble, créant de ce fait un vide juridique considérable.

A cela, la Cour aurait pu répondre en suivant la suggestion de son avocat général l’incitant à faire usage de la faculté que lui offre l’article 264 TFUE de limiter dans le temps les effets de sa déclaration d’invalidité.

Ce dernier faisait état d’une prudence nécessaire : « la mise en balance des différents intérêts en présence doit faire l’objet d’une pondération très attentive ». Si la violation des droits fondamentaux ne souffrait pas de doute, les invalidités constatées relevaient d’un simple défaut d’encadrement et les États membres avaient « de façon générale, ainsi qu’il ressort des éléments fournis à la Cour, exercé leurs compétences avec modération pour ce qui est de la durée maximale de conservation des données » point 157).

La Cour s’y refuse, invitant de la sorte les institutions de l’Union à remédier au plus vite aux effets de leur inconséquence, terme faible s’il en est au vu des enjeux en cause.

Data Retention: a landmark Court of Justice’s ruling.(5) From now on, no more “just in case ” retention of data…

By Peter Schaar
(translated by Douwe Korff)

The judgment of the CJEU on compulsory data retention is remarkable for two reasons.
First, the Court essentially agrees with the critics of data retention: The general, suspicion-less retention of telecommunication data is incompatible with both the fundamental right to respect for private life, and with the fundamental right to data protection.
The second, broader message is that the CJEU sees itself as the guardian of the civil and political rights enshrined in the EU Charter of Fundamental Rights, and will correct the European legislator if the latter exceeds the limits set by the Charter.

The Court does not deny that it is in the public interest to fight against serious crime, in particular organised crime and terrorism. However:

such an objective of general interest, however fundamental it may be, does not, in itself, justify a retention measure such as that established by Directive 2006/24 [the Data Retention Directive] being considered to be necessary for the purpose of that fight. (para. 51)

As the Court puts it, with reference to its settled case-law:

derogations and limitations in relation to the protection of personal data must apply only in so far as is strictly necessary. (para. 52)

So far, one could think that the Court – like the German Constitutional Court – felt that all-encompassing data retention is not fundamentally contrary to human rights.
However, the Luxembourg Court goes further than that, when it notes that:
Directive 2006/24 affects, in a comprehensive manner, all persons using electronic communications services, but without the persons whose data are retained being, even indirectly, in a situation which is liable to give rise to criminal prosecutions. It therefore applies even to persons for whom there is no evidence capable of suggesting that their conduct might have a link, even an indirect or remote one, with serious crime. …

Moreover, whilst seeking to contribute to the fight against serious crime, Directive 2006/24 does not require any relationship between the data whose retention is provided for and a threat to public security and, in particular, it is not restricted to a retention in relation
(i) to data pertaining to a particular time period and/or a particular geographical zone and/or to a circle of particular persons likely to be involved, in one way or another, in a serious crime, or
(ii) to persons who could, for other reasons, contribute, by the retention of their data, to the prevention, detection or prosecution of serious offenses. (paras. 58 – 59, emphasis added)

In the above, the Court clearly rejects suspicion-less mass retention of data “just in case” they may be useful in future. By contrast, the judgment does not reject the possibility of limited, targeted retention of data.
This corresponds to a green light for the “quick-freeze” model of data retention, under which judicial court orders can be issued to retain specific categories of relevant data for specified, limited periods, when there are concrete indications that a serious crime is being planned or in process.

The Court points to a series of other serious defects in the Data Retention Directive, that had also already been noted by the German Constitutional Court: lack of clarity in the definition of “serious crime”; unclear, insufficiently precise rules on the access to and use of the retained data; and a lack of rules on technical and organisatorial measures needed to ensure the security of the data.
The Directive also failed to contain provisions to protect data that are subject to special rules on confidentiality, such as attorney – client communications.

The judgment of the CJEU dramatically changes the legal landscape: all of a sudden Germany is the only EU Member State with national legal rules that meet the European requirements, simply because the German rules do not allow for “just in case” data retention (Vorratsdatenspeicherung).

Hopefully, the EU institutions will draw the right conclusions from the message of the Court.
The judgment points the way for other measures that would also lead to massive, suspicionless data retention “just in case”: the planned European Passenger Name Records (PNR)- and Entering-Leaving Registers should be scrapped, as should the introduction of suspicionless mass data retention, envisaged in the German Grand Coalition Agreement.

BVerfG, 1 BvR 256/08 vom 2.3.2010, available here.
See Peter Schaar: “Quick Freeze” instead of data retention, Federal Commissioner for Data Protection and Freedom of Information, 15 June 2010, here.
The German Government endorsed this suggestion but it was highhandedly rejected by the European Commission. See here.
On 10 April 2014, a Swedish ISP announced it had deleted all retained customer data in response to the CJEU judgment; and the relevant Swedish regulatory authority informed the government that it will not take action against the ISP for non-compliance with the Swedish law implementing the Directive – thus effectively suspending the application of the law. See here and here.

DATA RETENTION: A LANDMARK COURT OF JUSTICE’s RULING (4) .. will this saga continue and how ?..

by Professor Steve PEERS Tuesday, 8 April 2014

The data retention judgment: The CJEU prohibits mass surveillance

On July 7, 2005 a relative of mine started her journey to work on a London tube train. Within half an hour, bombs on that train left by terrorists exploded, in conjunction with three other bombs across London. Dozens of people died (although my relative was not injured).
Understandably, public concern about terrorist incidents, following on from the earlier outrages of 9/11 and the Madrid bombings, led to further EU anti-terrorist legislation.
In particular, the British Presidency of the EU Council made it a top priority to adopt legislation providing for retention of a large amount of communications data. But according to the Court of Justice of the European Union (CJEU), in a crucial judgment today, that legislation was essentially an over-reaction to these terrorist atrocities. The Court has effectively prohibited mass surveillance in the EU, and thus taken significant steps to entrench itself as the EU’s constitutional court.

Summary of the judgment

As discussed in detail by Chris Jones’ post on this blog (EUANALYSYSBLOG), the Directive requires Member States to require telecommunications service providers to retain significant amounts of data on the use of all forms of telecommunications by all individuals within the EU, for a period of between 6 months and 2 years. This data is collected for the use of law enforcement agencies as regards investigations into serious crime or terrorism, but there are no detailed rules in the Directive governing the access to and use of the data by those authorities.
The CJEU only found it necessary to address the question of the validity on the Directive in light of the Charter rights to privacy and data protection (Articles 7 and 8 of the Charter).

First of all, the Court unsurprisingly had no difficulty finding that the Directive interfered with the protection of those two rights. Its analysis focussed instead on whether such an interference could be justified.

The rules on justifying interferences with Charter rights are set out in Article 52 of the Charter. Any limitation upon Charter rights must be laid down by law, respect the essence of the right, and subject to the principle of proportionality, limit rights and freedoms only if it is necessary and genuinely meets public interest objectives and the rights and freedoms of others.
The Court easily found that there was a public interest justification (public safety) for the restriction of the Charter rights at issue.
It also found that the ‘essence’ of the rights was not affected, because (as regards the right to privacy) the content of communications was not recorded, and (as regards the right to data protection) certain data processing and data security rules had to be respected.

Therefore the key issues in the Court’s ruling were the proportionality of the interference with Charter rights.
The Court indicated that judicial review of the EU legislature’s discretion should be ‘strict’ in this case, applying factors such as the area of law concerned, the nature of the right, the nature and seriousness of the infringement and the objective pursued. Here, it followed from the nature of the right and the nature and seriousness of the infringement that the EU legislature’s discretion was reduced; the CJEU took no account expressly of the objective being pursued.

The first aspect of proportionality (the appropriateness of the interference with the right for obtaining the objective) was fulfilled, because the data concerned might be useful to investigations. However, the CJEU found that the Directive was problematic as regards the second facet: the necessity of the measure in question.
Crucially the Court ruled that the important objective of investigating serious crime and terrorism did ‘not, in itself’ justify data retention. So for the CJEU, the safety of the people is not the supreme law.
Its analysis proceeded by setting out the general importance of safeguards as regards the protection of privacy and data protection rights (building upon the case law of the European Court of Human Rights). These safeguards are even more necessary when data is processed automatically, with a risk of unlawful access.

Applying this test, the Court gave three reasons why the rules on data retention in the Directive were not strictly necessary.

First of all, the Directive had an extremely broad scope, given that it applied to all means of electronic communication, which have ‘widespread and growing importance’ in everyday life, without being sufficiently targeted.
Indeed, it ‘entails an interference with the fundamental rights of practically the entire European population’. In other words (the Court does not use the term), it amounts to mass surveillance.

Secondly, besides the ‘general absence of limits’ in the Directive, it failed to limit access to the data concerned by law enforcement authorities, and the subsequent use of that data, sufficiently precisely. In particular: it referred generally to ‘serious crime’ as defined in national law; it did not restrict the purpose of subsequent access to that data; it did not limit the number of persons who could access the data; and it did not control access to the data by means of a court or other independent administrative authority.

Thirdly, the Directive did not set out sufficient safeguards, as regards: the data retention period, for instance as regards the categories of data to be retained for the whole period; the protection of the data from unlawful access and use (here the CJEU criticises the possible limits on protection measures due to reasons of cost); the absence of an obligation to destroy the data; and the omission of a requirement to retain the data within the EU only.


The CJEU reached the same conclusion as the Advocate-General’s opinion, but for different reasons.
In the Advocate-General’s view, the Directive was invalid because it breached the ‘quality of law’ requirement applicable to interferences with Charter rights, having failed to establish sufficient safeguards relating to access to and use of the data. It also was disproportionate for failing to explain why storage periods of up to two years were necessary.
The Court’s ruling appears to go further, by ruling out mass surveillance in principle.

The opinion discussed some interesting and important issues that the Court does not directly address, in particular: the existence of a ‘quality of law’ requirement as regards breaches of the Charter; whether the EU or the Member States have responsibility for ensuring the satisfaction of that requirement in this case; and the complications of the ‘legal base’ issue, ie the awkward point that inserting safeguards relating to law enforcement authorities might go beyond the ‘internal market’ legal base of the legislation.
It might be deduced that the CJEU has a view on these issues: there is a ‘quality of law’ rule; the EU is responsible for upholding that requirement in this case; and the ‘legal base’ point is not a barrier to the EU adoption of rules regulating law enforcement authorities. But unfortunately, the Court did not expressly spell out its reasoning on these issues.
It is certainly peculiar that, having ruled previously that the Directive was validly based on EU internal market powers, the CJEU rules here that its interference with Charter rights is justified by the objective of public safety.

As for the reasoning which the Court did provide, as usual it was easy to find public interest objectives for the interference with rights.
The most important part of the reasoning is therefore the analysis of the interference with the ‘essence’ of the right, and of proportionality.
It is very significant that the Court makes clear that these are two different issues: even if the essence of a right is respected, legislation can be disproportionate. Earlier case law on restriction of rights often seemed to suggest that respecting the essence of rights was sufficient.

Another important aspect of the judgment is the development of a doctrine indicating when strict scrutiny of the EU legislature’s interference with fundamental rights should apply.
This is based upon Strasbourg case law, not the standards of national constitutional courts, which have of course addressed this issue in their own way.
Obvious questions arise as to whether the same standards should apply to national implementation of EU law, or to Charter rights not based upon the ECHR.

While many data protection specialists argue that there is a fundamental distinction between the right to privacy and the right to data protection, the Court’s judgment only reflects that distinction to a limited degree. It assesses separately whether there is an interference with Articles 7 and 8 of the Charter, and whether the essence of each right has been affected. However, it made no distinction between the rights when assessing the required intensity of judicial review, and linked the two rights together when assessing the proportionality of the interference with them.

Consequences of the judgment

First and foremost, the data retention Directive is entirely invalid.
The Court did not in any way rule that it could continue in force. So the immediate consequence is that we return to the status quo before 2005.
This means that Member States have an option, not an obligation, to retain data pursuant to the e-privacy Directive (see further Chris Jones’ post on the background to the data retention Directive). However, Member States’ exercise of this option will still be subject to the requirements set out in this judgment, since their actions will fall within the scope of the Charter, given that the e-privacy Directive regulates the issue of interference with telecommunications.

Would it be possible for the EU to adopt a new Directive on mandatory data retention? In other words, can the Directive in some way be ‘fixed’?

First of all, since the 2006 Directive is entirely invalid, the EU legislature has to start from scratch, rather than amend it.
Secondly, it is clear from the Court’s judgment that some form of mandatory data retention in order to combat serious crime and terrorism is acceptable from the perspective of the EU Charter.
How would such a new Directive differ from the measure the Court has just struck down?
The Court sets out unusually detailed guidelines for the legislature (and, in the meantime, for national legislature) in its judgment.

First of all, any new Directive would have to be in some sense targeted upon communication which has a particular link with serious crime and terrorism. Very simply, mass surveillance is an unjustifiable infringement of Charter rights.

Secondly, a new Directive would have to contain rules on: the definition of ‘serious crime’; the purpose of subsequent access to the data; limits on the number of persons who could access the data; and control of access to the data by means of a court or other independent administrative authority.

Thirdly, the new Directive would have to include stronger rules on the data retention period, for instance as regards the categories of data to be retained for the whole period, as well as the protection of the data from unlawful access and use. It would also have to contain rules on the absence of an obligation to destroy the data, and require that data be retained within the EU only. The Court did not rule on whether subsequent processing of the data in third States would be acceptable, but logically there must be some rules on this issue too.
Probably it would be simplest to extend the external processing rules in the main EU data protection legislation to this issue.

Depending on the timing of a proposal for a new Directive (assuming that there is one), it might possibly get mixed up with the conclusion of negotiations over main the main data protection package being negotiated by the EU institutions. Alternatively, if those negotiations have concluded, they will establish a template that the negotiation of the new Directive can take account of.

Final comments

The Court’s judgment can be seen in the broader context of continued revelations about mass surveillance.
Its reference to the retention of data by third States is a thinly-disguised allusion to the spying scandals emanating from the United States.
It also responds, sotto voce, to the very great concerns of national constitutional courts about this Directive, discussed in detail in Chris Jones’ post on this issue.

More broadly, the CJEU has seized the chance to give an ‘iconic’ judgment on the protection of human rights in the EU legal order. Time will deal whether the Digital Rights judgment is seen as the EU’s equivalent of classic civil rights judgments of the US Supreme Court, on the desegregation of schools (Brown) or criminal suspects’ rights (Miranda). If the Charter ultimately contributes to the development of a ‘constitutional patriotism’ in the European Union, this judgment will be one of its foundations.


National legal challenges to the Data Retention Directive
by Chris Jones, Researcher for Statewatch

This post, which examines the numerous legal challenges against the EU’s Data Retention Directive at both national and EU level (not including today’s judgment), is the third post in a series examining the EU’s mandatory data retention legislation, which was struck down today by the Court of Justice of the European Union (CJEU). It is based on work undertaken by Statewatch as part of the SECILE project (Securing Europe through Counter-terrorism: Impact, Legitimacy and Effectiveness).

EU Court of Justice legal basis challenge

The first legal challenge to the Data Retention Directive came when Ireland, supported by Slovakia, asked the EU Court of Justice to annul the Directive on the grounds that it had the wrong legal basis. They argued that the correct legal basis for data retention resided “in the provisions of the EU Treaty concerning police and judicial cooperation in criminal matters,” rather than those on the internal market. The ECJ dismissed the case in February 2009, stating that:“Directive 2006/24… regulates operations which are independent of the implementation of any police and judicial cooperation in criminal matters. It harmonises neither the issue of access to data by the competent national law-enforcement authorities nor that relating to the use and exchange of those data between those authorities… “It follows that the substantive content of Directive 2006/24 is directed essentially at the activities of the service provides in the relevant sector of the internal market, to the exclusion of State activities coming under Title VI of the EU Treaty”.


The first ruling on national laws transposing the Directive came from Bulgaria in proceedings launched by the NGO Access to Information Program. In December 2008 the country’s Supreme Administrative Court annulled an article of the transposing legislation permitting the Ministry of Interior “passive access through a computer terminal” to retained data, as well as providing access without judicial permission to “security services and other law enforcement bodies”. The court found that:“[T]he provision did not set any limitations with regard to the data access by a computer terminal and did not provide for any guarantees for the protection of the right to privacy stipulated by Art. 32, Para. 1 of the Bulgarian Constitution. No mechanism was established for the respect of the constitutionally granted right of protection against unlawful interference in one’s private or family affairs and against encroachments on one’s honour, dignity and reputation.”The court also found the legislation failed to make reference to other relevant laws – the Penal Procedure Code, the Special Surveillance Means Act and the Personal Data Protection Act – “which specify conditions under which access to personal data shall be granted.”


In June 2008 the Hungarian Civil Liberties Union (HCLU or TASZ, Társaság a Szabadságjogkért) requested “the ex-post examination” by the Hungarian Constitutional Court of the amendment of Act C of 2003 on electronic communications, “for unconstitutionality and the annulment of the data retention provisions.”According to the HCLU, Act C “already comprised numerous restrictive data retention provisions prior to the directive. The only changes brought in by the amendments were the retention of Internet communications data and the elimination of the lax – but at least pre-defined – legal purposes of the data processing”. The HCLU argued that “the amendments completely disregarded the provisions of the directive [stating] that data should be ‘available for the purpose of investigation, detection and prosecution of serious crimes’.” Despite being filed in 2008, the case is yet to be heard. According to Fanny Hidvégi of the HCLU, this is because as of 1 January 2012 new restrictions were placed on submitting cases to the Constitutional Court, and “every pending case submitted by a person or institution which no longer has the right to do so were automatically terminated”. The HCLU has begun a new and lengthy procedure that requires the exhaustion of all other remedies before the Constitutional Court can examine the Hungarian data retention measures.


In October 2009, the Romanian Constitutional Court found that proposed national legislation implementing the Data Retention Directive violated Romanian constitutional provisions protecting freedom of movement; the right to intimate, private and family life; secrecy of correspondence; and freedom of expression. The court found that the government’s attempt to justify the mandatory retention of telecommunications data by invoking undefined “threats to national security” was unlawful. The Court also referred to the 1978 ECHR ruling in Klass v Germany, which stated that “taking surveillance measures without adequate and sufficient safeguards can lead to ‘destroying democracy on the ground of defending it’.”

In October 2011 the European Commission asked the Romanian government to bring forward new laws transposing the Directive, issuing a “reasoned opinion” under Article 258 of the TFEU, which carries the threat of full infringement proceedings at the European Court of Justice if the request is not met. A new law was duly drafted, but was rejected by the Romanian Senate. The law was heavily criticised in the media prior to the vote and the country’s Data Protection Authority had refused to endorse it, claiming that articles relating to the security services were “still vague”. Civil society organisations also opposed it and even the government refused to sponsor it, leaving the Minister of Communications and Information Society to propose it in his role as MP rather than minister. Strong support from the Minister of European Affairs fuelled criticism that it was motivated solely by the need to escape sanction by the European Court of Justice.

Ultimately the Senate vote was not decisive and the law continued its journey to the Chamber of Deputies, where at the end of May 2012 it was adopted with 197 votes for and 18 against, with many abstentions amongst the 332 deputies. There was no substantive discussion of fundamental rights issues in the Chamber of Deputies or the main two committees that debated the law and critics have argued that the provisions on access to retained data are even more problematic than the original statute. On 21 February 2013 the European Commission withdrew the infringement procedure that it had opened in 2011.


In February 2011 the Supreme Court of Cyprus ruled that aspects of the national transposing legislation breached the Cypriot constitution and case law on surveillance. The case was brought by individuals whose telecommunications data had been disclosed to the police in accordance with District Court orders. They argued that the laws underlying the orders were based (Articles 4 and 5 of Law 183(I) 2007, that sought to harmonise Cypriot law with the Directive), and therefore the District Court orders themselves violated their rights to privacy and confidentiality of communications. The Supreme Court found that petitioners had indeed been subject to a violation of their rights and annulled provisions it said went beyond the requirements of the Data Retention Directive. However, the legality of the Directive itself was not called into question.


Legislation transposing the Data Retention Directive into the Telecommunication Act and Code of Criminal Procedure was passed by the Bundestag on 9 November 2007 and entered into force on 1 January 2008. The day before, 31 December 2007, 35,000 German citizens (represented by the NGO AK Vorrat) filed a complaint against the legislation at the Federal Constitutional Court. On 2 March 2010 the Court ruled that the transposing provisions were a disproportionate interference with Article 10 (confidentiality of communications) of the Basic Law (Grundgesetz), and contravened legal standards on purpose limitation, data security, transparency and legal remedies.

However, the Court made no ruling on the actual Directive, stating that data retention is in principle proportionate to the aim of investigating serious crime and preventing imminent threats against life, body, freedom of persons, and the existence and security of the Federal Republic or one of its states. The Court found that the new domestic law failed to comply with legal standards on purpose limitation (restrictions on use of the retained data), data security, transparency and legal remedies.

In January 2011 the Ministry of Justice (MoJ) presented a paper proposing an alternative to data retention – a “quick freeze” system of limited data preservation for criminal investigations. The police and/or public prosecutors would issue a “quick freeze” order seeking access to metadata already held by telecommunications providers, for example for billing purposes. To actually access the “frozen”’ data would require the approval of a judge. In addition, the MoJ proposed an obligation for ISPs to store internet traffic data for seven days, allowing criminal investigators to identify persons behind (already known) IP addresses in particular in cases of child pornography. Criminal investigators would request the traffic and communications data via service providers without having direct access to these traffic data. This paper reflected proposals made in June 2010 by the Federal Commissioner for Data Protection, as well as the suggestions of more pragmatic privacy advocates.

More radical activists claim that any mandatory storage of communications data should be prohibited. The Interior Ministry rejected these proposals and insisted on full implementation of the Directive, arguing that the Constitutional Court had already shown that it is possible to implement the Directive and ensure individual privacy through high data security standards, including encryption and the “four eyes principle” (approval by at least two people) as prerequisite for accessing data and log files; strict purpose limitation; and the protection of professions whose confidentiality must be ensured.

The MoJ produced a “quick freeze” bill in April 2012 but continued opposition from the Interior Ministry meant that it was never tabled in Parliament. The Interior Ministry was unhappy with the length of the proposed freezing periods, demanding three months instead of the one month suggested by the Ministry of Justice. Moreover, the Interior Ministry wanted to include crimes such as fraud and hacking. The controversy continues and no new legislation has yet been introduced.

By this time the European Commission had initiated infringement proceedings and took its case to the European Court of Justice in July 2012. The Commission is seeking to impose a daily fine of €315,000.

Czech Republic

On 13 March 2011 the Czech Republic’s Constitutional Court declared national legislation implementing the Directive unconstitutional. It found that the retention period exceeded the requirements of the Directive, and that use of the data was not restricted to cases of serious crime and terrorism. “The national legislation lacked, according to the constitutional court, clear and detailed rules for the protection of personal data as well as the obligation to inform the person whose data has been requested.” As in Germany, the Court stated that it could not review the Directive itself, but noted there was nothing in principle preventing implementation in conformity with constitutional law.

A second Constitutional Court decision in December 2011 examined the procedures put in place for obtaining access to retained data and found the “procedure in question to be too vague, in breach of [the] proportionality rule (its second step) and thus unconstitutional due to interference with right to privacy and informational self-determination.” In the meantime the Czech government revised the implementing legislation with modifications that took account of the judgment.The NGO Iuridicum Remedium has lodged fresh proceedings against the revised legislation on the grounds that regulation remains inadequate and that the new decree could provide for the “monitoring of contents of Internet communications”.


In August 2012 a group of Slovakian MPs, supported by the European Information Society Institute, lodged a legal complaint against the legislation implementing the Data Directive. The complaint asks the Slovak Constitutional Court to examine whether the laws implementing the Directive and dealing with access by the authorities to retained data are compatible with constitutional provisions on proportionality, the rights to privacy and data protection, and the provision granting freedom of speech. It also argues that the measures infringe provisions guaranteeing privacy, data protection and freedom of expression in Slovakian human rights law, the European Convention on Human Rights and the Charter of Fundamental Rights of the European Union. The complaint has not yet been resolved.


The European Commission has engaged in a lengthy battle to try to bring Sweden’s domestic legislation into line with the Directive. After the country missed the initial September 2007 deadline, the Commission brought infringement proceedings, with the European Court of Justice finding Sweden guilty of failing to fulfil its obligations in February 2010. A proposal for transposing legislation was put forward in December 2010 and adopted in March 2012. The new law should have taken effect in May 2012 but despite an overwhelming vote in favour of the new measures in the Swedish parliament (233 MPs voted in favour with 41 against and 19 abstaining), the Left Party and the Greens invoked a constitutional provision allowing the entry into force of new measures to be delayed by a motion of one sixth of the parliament’s members.

In May 2013, the European Court of Justice ordered Sweden to pay a €3 million fine for its delay in implementing the legislation. The Court rejected Swedish pleas regarding the domestic controversy over the implementation of the law:“As the Court has repeatedly emphasised, a Member State cannot plead provisions, practices or situations prevailing in its domestic legal order to justify failure to observe obligations arising under European Union law… The same is true of a decision, such as the one made by the Swedish Parliament, to which paragraph 8 of this judgment makes reference, to postpone for a year the adoption of the draft bill intended to transpose that directive.”

The Court of Justice of the European Union (CJEU)

The most serious challenge to the implementation of the Data Retention Directive has come from joined cases brought by the NGO Digital Rights and the plaintiffs in a case referred from the Austrian Constitutional Court. The Advocate General’s opinion on the case, published in December 2013 following a hearing in July, proposed that the Court declare the Directive as a whole incompatible with EU Charter articles 52(1) (limitations on rights “must be provided for by law and respect the essence of those rights and freedoms”) and 7 (right to privacy). The case focuses on the compatibility of the Directive with Articles 7 (respect for private and family life) and 8 (protection of personal data) of the European Union Charter of Fundamental Rights. At the hearing the representatives of those who brought the cases argued that the Directive is fundamentally incompatible with the Charter and that there is still no evidence to demonstrate that its necessity or proportionality.

On behalf of Austrian privacy group AK Vorrat, Edward Scheucher argued that:“[T]he cumulative effect of fundamental rights restrictions need to be taken into consideration when judging the legitimacy of a single measure. Given the revelations regarding PRISM, this cumulative effect now clearly provides a different result [than] at the time when the German [Constitutional] Court took its decision [to annul certain provisions of German transposing legislation]. Furthermore, he stated that the Austrian implementation of the directive clearly showed that a Charter-compatible national implementation of the Data Retention Directive is not possible. This argument is bolstered by the fact that the main author of the Austrian implementation is among the 11,139 Austrian plaintiffs who challenged data retention before the Austrian Constitutional Court.”

In response to requests for evidence demonstrating the necessity of the Directive, the Austrian and Irish governments presented new statistics on the use of retained data at the hearing. Also arguing in favour of the Directive were representatives of Italy, Spain and the UK, as well as the Commission, the Council and the Parliament. However, the Directive’s advocates still “had to acknowledge a lack of statistical evidence”, with the UK admitting that “there was no ‘scientific data’ to underpin the need” for data retention. Judge Thomas von Danwitz, the Court’s main rapporteur for the hearing, asked for information that had led to the adoption of the Directive in 2006, given that “the Commission in 2008 claimed not to have enough information for a sound review”. The Council’s lawyers, meanwhile, “implored the Court not to take away instruments from law enforcement”.

Ultimately, Advocate-General Cruz Villalón concluded that the Court answer the cases in the following way:“(1) Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC is as a whole incompatible with Article 52(1) of the Charter of Fundamental Rights of the European Union, since the limitations on the exercise of fundamental rights which that directivecontains because of the obligation to retain data which it imposes are not accompanied by the necessary principles for governing the guarantees needed to regulate access to the data and their use.“(2) Article 6 of Directive 2006/24 is incompatible with Articles 7 and 52(1) of the Charter of Fundamental Rights of the European Union in that it requires Member States to ensure that the data specified in Article 5 of that directive are retained for a period whose upper limit is set at two years.”

Today’s Grand Chamber judgment, which is analysed in Steve Peers’ separate post, ultimately agreed with this recommendation. The EU has finally been forced to redraft its mandatory data retention rules.


Monday, 7 April 2014
Background to the EU Data Retention Directive
By Chris Jones, Researcher for Statewatch

As the fallout from the Snowden leaks rumbles on, the Court of Justice of the European Union (CJEU) will today decide a case (Digital Rights Ireland, Seitlinger and Others that could spell the end for the EU’s Data Retention Directive in its current form. The Directive mandates the mass storage by private companies of individuals’ telecommunications data, in case it is required by law enforcement authorities to investigate cases of serious crime or terrorism.

The judgment follows the handing down of a critical opinion by Advocate General Cruz Villalón in December 2013, which proposed that the Court declare the Directive as a whole incompatible with EU Charter articles 52(1) (limitations on rights “must be provided for by law and respect the essence of those rights and freedoms”) and 7 (right to privacy). This post, based on work undertaken by Statewatch as part of the SECILE project (Securing Europe through Counter-terrorism: Impact, Legitimacy and Effectiveness), outlines the history of the 2006 Data Retention Directive; the key points of the legislation; and its problematic national implementation, which has been the subject of legal challenges across Europe. Two further posts will examine the implementation of the Directive and the challenges to it.

The Data Retention Directive: a brief overview

The 2006 Data Retention Directive obliges Member States to ensure that telecommunications and Internet Service Providers (ISPs) retain various types of data generated by individuals through the use of landline phones, fax machines, mobile phones, and the internet, “in order to ensure that the data are available for the purpose of the investigation, detection and prosecution of serious crime”.The data that must be retained are:

The source of a communication;
The destination of a communication;
The date, time and duration of a communication;
The type of a communication;
Users’ communication equipment or what purports to be their equipment; and
The location of mobile communication equipment.

The retention period is a minimum of six months and a maximum of two years.
Member States decide exact duration as well as the conditions under which it may be accessed.

The European Data Protection Supervisor has called the Directive “without doubt the most privacy-invasive instrument ever adopted by the EU in terms of scale and the number of people it affects,” and it ranks among the most controversial pieces of counter-terrorism legislation the EU has ever adopted. Fierce debate as to its legitimacy and effectiveness has raged since the earliest stages of its drafting to the present day.

The policy-making process

According to the preamble of the Data Retention Directive, the terrorist attacks in Madrid in March 2004 and in London in July 2005 “reaffirmed… the need to adopt common measures on the retention of telecommunications data as soon as possible.” However, law enforcement agencies had been seeking data retention legislation long before the destruction of the World Trade Centre on 11 September 2001, and the Directive does not limit data retention to combating terrorism.

Demands for data retention can be traced back to the “International Law Enforcement and Telecommunications Seminars” (ILETS) held at the FBI academy in Quantico, Virginia, which commenced in 1993 with the aim of developing global “interception requirements” – standards for telephone-tapping by police and security agencies to be provided in all telephone networks.
Following the first ILETS meeting, the very first EU Council of Justice and Home Affairs (JHA) Ministers adopted a Resolution in November 1993 – which was not published – calling on experts to compare the needs of the EU vis-à-vis the interception of telecommunications “with those of the FBI”.

A second EU Resolution based on ILETS’ work was adopted in January 1995 and introduced obligations on telecommunications companies to cooperate with law enforcement agencies in the “real-time” surveillance of their customers. This was never actually discussed by the Council of Ministers. It was adopted instead by “written procedure” (where legislative texts are circulated among ministries and adopted if there are no objections). The Resolution, which was not published in any form until November 1996, formed the basis of the provisions on the interception of telecommunications in the EU Convention on Mutual Legal Assistance of 2000.
ILETS continued every year and in 1999 identified a new problem. Valuable “traffic data” – particularly mobile phone and internet usage records – were being erased by service providers after customers had been billed, a particularly acute issue in the EU because of the recently enacted EC Directive on privacy in telecommunications, which obliged service providers to delete traffic data after its use for billing purposes (usually within three months).
ILETS thus introduced the principle of mandatory data retention regimes that would oblige service providers to keep data for much longer periods. This demand then surfaced in other intergovernmental fora concerned with police and judicial cooperation, such as the G8. The American Civil Liberties Union, Privacy International and Statewatch would later dub this process “policy laundering”: “the use by governments of foreign and international forums as an indirect means of pushing policies unlikely to win direct approval through the regular domestic political process.”

In 2000 the EU decided to update the aforementioned 1997 Directive on privacy in telecommunications to take into account “new technologies” and proposed what would become known as the “e-Privacy” Directive. The draft Directive proposed scrapping the clause obliging service providers to delete traffic data after billing use. As a First Pillar matter (dealing with the functioning of the internal market), the European Parliament had what was then a rare vote on what was effectively a Justice and Home Affairs or Third Pillar issue (police surveillance). Following an extensive campaign by privacy advocates the proposal was rejected. However in 2002, with the events of 11 September 2001 providing a fresh justification, a left-right alliance of the European Socialist Party (PSE) and the European People’s Party (PPE) agreed the e-Privacy Directive and the “data retention amendment”, with the liberals, greens and left parties opposed. This paved the way for Member States to introduce their own optional national data retention regimes.
Yet no sooner was the ink dry on the e-Privacy Directive than a confidential draft Framework Decision on the compulsory retention of subscriber and traffic data for 12-24 months across the EU was circulated among Member States and leaked by Statewatch.
Following widespread criticism of the proposal in European media, the then-Danish presidency of the EU was moved to issue a statement saying that the proposal was “not on the table”.
If not ‘on the table’, the proposal appears to have remained close at hand – following the Madrid train bombings in March 2004, the ‘EU Declaration on combating terrorism’ endorsed the principle of mandatory data retention across the EU.
One month later the UK, France, Sweden and Ireland submitted a revised draft Framework Decision on data retention to the Council. By now, a majority of EU Member States had also introduced national data retention regimes. The EU proposal suffered another major setback when Statewatch published the confidential legal advice of the EU Council and Commission Legal Services, both of which had been withheld from MEPs and the public despite stating that the Framework Decision was unlawful because it had the wrong legal basis. Data retention, said the EU’s lawyers, was a First Pillar issue because it regulated the activities of service providers in the single market.

The European Commission, despite previously opposing data retention, redrafted the proposal as a Directive. This complicated things further. Whereas the European Parliament was only consulted on the draft Framework Decision, with the EU Council free to ignore its opinion, it would now enjoy full powers of “co-decision”. Moreover, during the consultation process on the Framework Decision, the Parliament had voted to reject mandatory data retention because it was “incompatible with Article 8” of the ECHR (protection of personal data).

However, between the defeat of the proposal for a Framework Decision and the publication of the proposal for a Directive, the July 2005 London tube bombings happened. These were used as a fresh justification for an EU data retention law, although the UK prime minister suggested at the time that “all the surveillance in the world” could not have prevented the attacks.

The UK then used its presidency of the EU Council to impose a deadline of the end of 2005 for the European Parliament to agree the measure, with Charles Clarke, UK Secretary of State, lecturing the EP on the need to adopt the proposal. Home Office officials were reported to have told MEPs in private that if parliament failed to do this they “would make sure the European Parliament would no longer have a say on any justice and home affairs matter.”
Led by Privacy International and the European Digital Rights Initiative, 90 NGOs and 80 telecommunications service providers wrote to MEPs, imploring them to reject the measure.
Despite their efforts, the EP finally agreed the measure on 14 December 2005, with another PSE-PPE alliance reversing the position on the draft Framework Decision that the parliament had taken just eight months earlier. The Directive completed its passage through parliament following a single reading, meeting the UK’s demands on the timeframe.
The Council of the EU adopted the legislation by qualified majority, with Ireland and the Slovakia voting against, and the Directive passed into law in March 2006.

Two further observations are relevant to any substantive consideration of the policy-making process.
The first concerns the role of the UK government, which took its attempts to enforce data retention to EU institutions after it had been prevented from a domestic mandatory data retention regime by the houses of parliament. In what appears to be a clear case of “policy laundering”, the subsequent EU Directive, championed by the UK government, was binding on the UK and implemented by statutory instrument, in the form of the Data Retention (EC Directive) Regulations 2007 and 2009.

The second observation concerns the role played by the US government in pushing for mandatory data retention in Europe, bilaterally in its discussions with the European Commission and EU Presidency, and in multilateral fora like the G8. This is noteworthy because at that time there were no corresponding powers in the USA, nor any intention to introduce them.
In place of blanket “data retention”, US law enforcement and security agencies are obliged to seek “preservation orders” from special surveillance courts.
However, recent leaks such as that of the FISA court order imposed on Verizon, demonstrate that US agencies and their special “surveillance court” have interpreted these principles so widely as to cover entire telephone networks and all of their users.

Nevertheless, a more principled implementation of such a regime would be more privacy-friendly than the EU’s current blanket approach.
Opposition to the Data Retention Directive in Europe included advocacy from civil society organisations for the development of this model as an alternative, with judicial supervision to try and ensure that access to private data is necessary and legitimate. This is still the preferred option of the Ministry of Justice in Germany, where implementation of the Directive has been highly controversial and the subject of a Constitutional Court ruling that demanded its redrafting.


Written by Orla Lynskey


In its eagerly anticipated judgment in the Digital Rights Ireland case, the European Court of Justice held that the EU legislature had exceeded the limits of the principle of proportionality in relation to certain provisions of the EU Charter (Articles 7, 8 and 52(1)) by adopting the Data Retention Directive. In this regard, the reasoning of the Court resembled that of its Advocate General (the facts of these proceedings and an analysis of the Advocate General’s Opinion have been the subject of a previous blog post). However, unlike the Advocate General, the Court deemed the Directive to be invalid without limiting the temporal effects of its finding. This post will consider the Court’s main findings before commenting on the good, the bad and the ugly in the judgment.

 The Court’s Findings

 In reaching this conclusion, the Court reasoned as follows. It first narrowed the multiple questions referred by the Irish and Austrian courts down to one over-arching issue, whether the Data Retention Directive is valid in light of Articles 7, 8 and 11 of the Charter (setting out the rights to privacy, data protection and freedom of expression respectively). It then conducted its assessment in three parts.

 First, it examined the relevance of these Charter provisions with regard to the validity of the Data Retention Directive. Although the Court recognised the potential impact of data retention on freedom of expression, it chose not to examine the validity of the Directive in light of Article 11 of the Charter. It noted that the Directive must be examined in light of Article 7 as it ‘directly and specifically affects private life’ and in light of Article 8 as it ‘constitutes the processing of personal data within the meaning of that article and, therefore necessarily has to satisfy the data protection requirements arising from that article’[29].

 Second, it considered whether there was an interference with the rights laid down in Articles 7 and 8 of the Charter. It noted that the Data Retention Directive derogates from the system of protection set out in the Data Protection Directive and the E-Privacy Directive [32]. It cited Rundfunk  as authority for the proposition that an interference with the right to privacy can be established irrespective of whether the information concerned is sensitive or whether the persons concerned have been inconvenienced in any way [33]. The Court therefore held that the obligations imposed by the Directive to retain data constitutes an interference with the right to privacy [34] as does the access of competent authorities to that data [35]. The Court also held that the Directive interferes with the right to data protection on the mystifyingly simplistic grounds that ‘it provides for processing of personal data’ [36]. It observed that these interferences were both wide-ranging and particularly serious [37].    

 The Court then, thirdly, assessed whether these interferences with the Charter rights to privacy and data protection were justified. According to Article 52(1) of the Charter, in order to be justified limitations on rights must fulfil three conditions: they must be provided for by law, respect the essence of the rights and, subject to the principle of proportionality, limitations must be genuinely necessary to meet objectives of general interest.
The Court held that the essence of the right to privacy was respected as the Directive does not permit the acquisition of content data [39] and the essence of the right to data protection was respected as the Directive requires Member States to ensure that ‘appropriate technical and organisational measures are adopted against accidental or unlawful destruction, accidental loss or alteration of data’ [40].
With regard to whether the interference satisfies an objective of general interest, the Court distinguished between the Directive’s ‘aim’ and ‘material objective’: it noted that the aim of the Directive is to harmonise Member States’ provisions regarding data retention obligations while the ‘material objective’ of the Directive is to contribute to the fight against serious crime [41].
The Court observed that security is a right protected by the EU Charter and an objective promoted by EU jurisprudence [42]. It therefore held that the Data Retention Directive ‘genuinely satisfies an objective of general interest’ [44] and proceeded to analyse the proportionality of the Directive.

 The Court effectively adopted a two-pronged proportionality test, considering whether the measure was appropriate to achieve its objectives and did not go beyond what was necessary to achieve them [46].
Applying the ECtHR’s Marper judgment by analogy, it noted that factors such as the importance of personal data protection for privacy and the extent and seriousness of the interference meant the legislature’s discretion to interfere with fundamental rights was limited [47-48]. It held that the data retained pursuant to the Directive allow national authorities ‘to have additional opportunities to shed light on serious crime’ and are ‘a valuable tool for criminal investigations’ [49]. Therefore, it found that the Directive was suitable to achieve its purpose.

With regard to necessity, it noted that limitations to fundamental rights should only apply in so far as is strictly necessary [52] and that EU law must lay down clear and precise rules governing the scope of limitations and the safeguards for individuals [54]. It held that the Directive did not set out clear and precise rules regarding the extent of the interference [65]. It highlighted several elements of the Directive which fell short in this regard.
By applying to all traffic data of all users of all means of electronic communications the Directive entailed ‘an interference with the fundamental rights of practically the entire European population’ [56] and did not require a relationship between the data retained and serious crime or public security [58-59].
Moreover, no substantive conditions (such as objective criterion by which the number of persons authorised to access data can be limited) or procedural conditions (such as review by an administrative authority or a court prior to access) determined the limits of access and use to the data retained by competent national authorities [60-62]. Nor did the Directive determine the time period for which data are retained on the basis of objective criteria [64-65].

 The Court also held that the Directive did not set out clear safeguards for the protection of the retained data. This finding was supported by the Court’s observation that the rules in the Directive were not tailored to the vast quantity of sensitive data retained and to the risk of unlawful access to these data [66]. Rather, the Directive allowed providers to have regard to economic considerations when determining the technical and organisational means to secure these data [67]. Moreover, the Directive did not specify that the data must be retained within the EU and thus within the control of national Data Protection Authorities [68]. For these reasons, the Directive was declared invalid by the Court [69].

 The Good, the Bad and the Ugly

 The Good The judgment is to be welcomed for its end result – the invalidity of the Directive – as well as for many other reasons. It is a victory for grassroots civil liberties organisations and citizen movements: the preliminary references stemmed from actions taken by Digital Rights Ireland – an NGO – and just under 12,000 Austrian residents. More of these types of initiatives are needed in order to assure effective privacy and data protection. From a more substantive perspective, the judgment also recognises the dangers posed by aggregated meta-data – that it may ‘allow very precise conclusions to be drawn concerning the private lives’ of individuals [27] – and by data retention more generally – that it ‘is likely to generate in minds of the persons concerned the feeling that their private lives are the subject of constant surveillance’[37]. It also acknowledges that such data retention may have a chilling effect on individual freedom of expression [28].

 The Bad Nevertheless, some aspects of the judgment are less welcome. Most notably here, the Court glosses over the fact that it assesses the proportionality of the Directive in light of its ‘material objective’ – crime prevention – rather than its stated objective – market harmonisation. This sits uncomfortably with the Court’s finding in Ireland v Council that the Directive was enacted on the correct legal basis as its predominant purpose was to ensure the smooth functioning of the EU internal market. The Court also incorrectly applies Article 8 of the EU Charter. Not only does it consider that there is an interference with this right every time data are processed [36], it also fails to consider how the application of this right can be applied to a piece of legislation which pursues law enforcement objectives. The Data Protection Directive excludes data processing for law enforcement purposes from its scope (Article 3(2)) and the right to Data Protection should, pursuant to Articles 51(2) and 52(2) of the Charter, be interpreted in light of and reflect the scope of the Directive. This conundrum is conveniently overlooked by the Court.

 And the Ugly However, the most disappointing element of the judgment, like the Opinion of the Advocate General, is that it does not query the appropriateness of data retention as a tool to fight serious crime [49]. Given the prominence of this issue in both the EU and the US in the post-PRISM period, empirical evidence is needed to justify this claim.

Written by Orla Lynskey Posted in EU constitutional law, Fundamental rights, General, Internal Market, Proportionality and Subsidiarity Tagged with article 7 Charter, article 8 Charter, data retention directive, Directive 2002/58/EC, directive 2006/24/EC, Joined Cases C-293/12 and 594/12 Digital Rights Ireland ltd and Seitlinger and others, personal data, Privacy, proportionality, right to data protection
– See more at: http://europeanlawblog.eu/?p=2289#more-2289