Intrusive EU legislation to retain citizen data for up to two years has been voted down in a landmark court ruling, but what will the next move be from Brussels and member states? asks Javier Ruiz Diaz
The Court of Justice of the European Union has struck down the European Union Data Retention Directive, declaring it invalid with immediate effect. The directive had a convoluted history. It ordered that the data on all users of communications systems was to be retained for between six months and two years. Human rights campaigners have long argued about the intrusiveness of such measures and the court has finally agreed:
Those data sets, taken as a whole, may allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained – such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them.
The court found that data retention was “likely to generate in the minds of the persons concerned the feeling that their private lives are the subject of constant surveillance”. This is serious interference with the fundamental rights of “practically the entire European population”, notably the right to privacy and family life, and the right to protection of personal data. Such interference, the court argued, could be necessary for protecting the right to public security including fighting serious crime and terrorism. But as laid out in the directive, it was found to be disproportionate.
The directive was too broad and ordered the collection of data on people who had not even remote links to threats to public security, without any “differentiation, limitation or exception”. The blanket retention terms did not provide any objective consideration for each type of data set. The court took particular issue with the lack of provisions for those legally bound to professional secrecy, such as lawyers and doctors. Besides criticising crude bulk collection, the court found problems with the undefined criteria for access and subsequent use, which also lacked independent oversight.
Another set of problems with the directive centred on its failure to impose good data protection measures, such as safeguards for integrity and confidentiality, keeping the data within the EU, and safe destruction when the information was no longer needed. This ruling is a “landmark judgement” in the words of the European data protection supervisor and the culmination of a long campaign by many groups and individuals. The European Commission, member states and communications companies must now carefully consider the implications.
The invalidity of the directive means that countries now have the option to implement data retention but not an obligation. The commission has made a case for data retention to continue in member states under the EU E-Privacy Directive. However, the same issues of compliance with fundamental rights would remain in any current or new legislation.
European Home Affairs Commissioner Cecilia Malmström has admitted that the EU had been aware of problems with the data retention directive since 2011, but did not act. It remains unclear what will happen next in the EU. Most observers expected the commission to write a new directive from scratch that complies with the ruling. But Malmström said in a recent interview that the EU would not follow this course. This would leave the situation to national governments.
The situation will be different in each country. Finland has already welcomed the ruling and announced a full review of its compliance legislation. Only time will tell for the other member states.
Javier Ruiz Diaz is policy director at the Open Rights Group campaign group