By Peter Schaar
(translated by Douwe Korff)
The judgment of the CJEU on compulsory data retention is remarkable for two reasons.
First, the Court essentially agrees with the critics of data retention: The general, suspicion-less retention of telecommunication data is incompatible with both the fundamental right to respect for private life, and with the fundamental right to data protection.
The second, broader message is that the CJEU sees itself as the guardian of the civil and political rights enshrined in the EU Charter of Fundamental Rights, and will correct the European legislator if the latter exceeds the limits set by the Charter.
The Court does not deny that it is in the public interest to fight against serious crime, in particular organised crime and terrorism. However:
such an objective of general interest, however fundamental it may be, does not, in itself, justify a retention measure such as that established by Directive 2006/24 [the Data Retention Directive] being considered to be necessary for the purpose of that fight. (para. 51)
As the Court puts it, with reference to its settled case-law:
derogations and limitations in relation to the protection of personal data must apply only in so far as is strictly necessary. (para. 52)
So far, one could think that the Court – like the German Constitutional Court – felt that all-encompassing data retention is not fundamentally contrary to human rights.
However, the Luxembourg Court goes further than that, when it notes that:
Directive 2006/24 affects, in a comprehensive manner, all persons using electronic communications services, but without the persons whose data are retained being, even indirectly, in a situation which is liable to give rise to criminal prosecutions. It therefore applies even to persons for whom there is no evidence capable of suggesting that their conduct might have a link, even an indirect or remote one, with serious crime. …
Moreover, whilst seeking to contribute to the fight against serious crime, Directive 2006/24 does not require any relationship between the data whose retention is provided for and a threat to public security and, in particular, it is not restricted to a retention in relation
(i) to data pertaining to a particular time period and/or a particular geographical zone and/or to a circle of particular persons likely to be involved, in one way or another, in a serious crime, or
(ii) to persons who could, for other reasons, contribute, by the retention of their data, to the prevention, detection or prosecution of serious offenses. (paras. 58 – 59, emphasis added)
In the above, the Court clearly rejects suspicion-less mass retention of data “just in case” they may be useful in future. By contrast, the judgment does not reject the possibility of limited, targeted retention of data.
This corresponds to a green light for the “quick-freeze” model of data retention, under which court orders can be issued to retain specific categories of relevant data for specified, limited periods, when there are concrete indications that a serious crime is being planned or is in progress.
The Court points to a series of other serious defects in the Data Retention Directive that had also already been noted by the German Constitutional Court: lack of clarity in the definition of “serious crime”; unclear, insufficiently precise rules on access to and use of the retained data; and a lack of rules on the technical and organisational measures needed to ensure the security of the data.
The Directive also failed to contain provisions to protect data that are subject to special rules on confidentiality, such as attorney-client communications.
The judgment of the CJEU dramatically changes the legal landscape: all of a sudden Germany is the only EU Member State with national legal rules that meet the European requirements, simply because the German rules do not allow for “just in case” data retention (Vorratsdatenspeicherung).
Hopefully, the EU institutions will draw the right conclusions from the message of the Court.
The judgment points the way for other measures that would also lead to massive, suspicionless data retention “just in case”: the planned European Passenger Name Records (PNR) and Entering-Leaving Registers should be scrapped, as should the introduction of suspicionless mass data retention envisaged in the German Grand Coalition Agreement.
BVerfG, 1 BvR 256/08 vom 2.3.2010, available here.
See Peter Schaar: “Quick Freeze” instead of data retention, Federal Commissioner for Data Protection and Freedom of Information, 15 June 2010, here.
The German Government endorsed this suggestion, but it was high-handedly rejected by the European Commission. See here.
On 10 April 2014, a Swedish ISP announced it had deleted all retained customer data in response to the CJEU judgment; and the relevant Swedish regulatory authority informed the government that it will not take action against the ISP for non-compliance with the Swedish law implementing the Directive – thus effectively suspending the application of the law. See here and here.