Data retention: The directive is out. Are national laws next?

From Regulation Watch – Feed of all News articles: Data retention: The directive is out. Are national laws next?

The European Court of Justice (ECJ) on April 8 declared the Data Retention Directive to be invalid. According to the judges, the directive is not in compliance with the principle of proportionality. The interference with the fundamental rights to respect for private life and to the protection of personal data is not limited to what is strictly necessary.

Directive not per se incompatible with fundamental rights – ECJ’s main arguments against the directive

This said, the ECJ also found the directive not to be per se incompatible with European fundamental rights. As the court states, data retention does not pertain to the essence of the related fundamental rights, as it firstly only permits the storage of meta-data, and secondly imposes certain obligations to protect and secure the stored data.

There are mainly three aspects, which make it disproportionate: first, the lack of any rules of differentiation, limitation and exception of the concerned individuals; second, the absence of any substantive and procedural conditions which national authorities need to fulfil to gain access to the stored data and; third, the general requirement to store without distinction the data for at least six months.

If all these points could be overcome by the EU legislator with the proposal of a new, more detailed directive, it would have to include a strong rationale justifying data retention. Linking stored data to a concrete threat to public security, albeit indirect, would for instance be necessary.

Besides, the Court also focusses on the risk of abuse of the stored data. The lack of sufficient obligations for the service providers to secure the data, not to mention the lack of an obligation to store the data within EU borders, are the main sources of risk. This finding will certainly enliven the recent debate concerning the setup of autonomous European data infrastructures in the aftermath of the Snowden revelations.

ECJ contradicts its own judgment of 2009

Interestingly, in 2009 the ECJ judged that the data retention directive could be based on the EU’s competence to harmonise the Common Market according to Art. 114 TFEU (former Art. 95 EC) only because it did not include any rules concerning the accession of the data (ECJ, C-301/06, §§ 79 et seq.). By demanding exactly such rules in the April 8 ruling (ECJ, C-293/12 and C-594/12, §§ 61, 62), the ECJ demands for a new directive to include criteria the EU has no competence for, at least not from Art. 114 TFEU, according to its own former ruling. Of course, this does not exclude the applicability of another EU competence. However, the Court does not even mention this issue. Therefore, it can be assumed that it does not see serious problems anymore as regards the competence of the EU to create such a new directive. Again, data retention does not seem to be dead.

What the ruling means for national laws that were triggered by the directive

Until a new directive stands, there is no legal obligation for the 28 European member states to introduce or uphold national data retention laws. However, it is not forbidden to do so either.

Already existing national data retention laws transposing the invalid directive remain in force, except where national constitutional law declares a transposition act to be automatically invalid when the European act is not in conformity with EU law. The ECJ is authorised to declare only EU legislation invalid, while member states remain the masters when it comes to declaring their national legislation invalid.

However, individuals can bring cases of data retention before their national courts. National data retention laws still need to be in conformity with their national fundamental rights on the one hand. On the other hand, it is questionable whether the general European data protection laws apply in addition. The data protection directive 95/46/EC covers most data processings in Europe but also states that it is not applicable to national measures concerning public security, Art. 3 para. 2. The aim of national data retention laws is public security.

Nevertheless, as an exception of the applicability of the data protection directive it could be interpreted in a restrictive manner: it is not enough to just declare a national measure to achieve the aim of public security. This is in conformity with the ECJ’s jurisdiction in similar cases where primary EU law aims at achieving the treaties (see ECJ C-300/11, para. 38). However, that approach could be applied on the level of secondary EU law and therefore on the level of the data protection directive as well, with the idea of achieving the aim of the directive: the harmonisation of national data protection laws in line with promotion of the Common Market. That assumed, the Court could also apply the proportionality principle and find that the exception clause of Art. 3 para. 2 of the data protection directive could not ‘justify’ those national data retention measures, which are identical to those demanded by the now invalid directive. Only these measures, which are absolutely necessary for guaranteeing public security would fall outside the scope of the directive. If that was not the case, then consequently the corresponding national transposition acts of the data protection directive and the directive itself would demand for any data processing to be proportionate in order to be in conformity with EU law. As the ECJ ruled on April 8, this is not the case regarding data retention in the concrete way it was demanded by the data retention directive. Therefore, if national data retention laws would just have transposed the rules of the data retention directive without the additional criteria the ECJ has set up, they might be in conformity with national constitutional law, but at the same time violate EU law. In case national constitutional law would be violated and EU law would not, the member state would nevertheless be obliged to transpose this EU law into national law. In order to comply with the latter, national courts then would either interpret the national laws in conformity with EU law, or declare the national laws invalid – either of the possibilities in the light of the ECJ’s April 8 judgment.

However, it also can be argued that national data retention laws fall outside the scope of the data protection directive in general. In that case, their validity would solely depend on the national constitutions.

To sum up, the ruling of the ECJ on the data retention directive is in any case a milestone for the protection of European fundamental rights on privacy and data protection. Hopefully, the judgment will also influence national courts and legislators regarding their evaluation of national data retention laws in view of fundamental rights and lead to a more measured dealing with private data in general.