Data Retention Directive is Dead

[ Written for Simon Says column on Computer World UK ]

In a decision issued yesterday, the European Court of Justice – CJEU – declared the Data Retention Directive to be in breach of Fundamental Rights of the European Union – namely: respect for private life (article 7) and protection of personal data (article 8).

The judgment follows requests from the High Court of Ireland and the Constitutional Court of Austria. Adopted on March 15th 2006, the Data Retention Directive required member states to store citizens’ telecommunications data for six months to two years for the needs of the police and national security agencies.

Building on the 1995 Data Protection Directive and the 2002 Directive on Privacy and Electronic Communications, which the Data Retention Directive was supposed to complement, the Court observes that the Data Retention Directive makes it possible “(1) to know the identity of the person with whom a subscriber or registered user has communicated and by what means, (2) to identify the time of the communication as well as the place from which that communication took place and (3) to know the frequency of the communications of the subscriber or registered user with certain persons during a given period.”

According to the Court, these provisions are disproportionate with regard to the Directive’s objectives – and thus in contradiction with the EU proportionality principle: “Directive 2006/24 covers, in a generalised manner, all persons and all means of electronic communication as well as all traffic data without any differentiation, limitation or exception being made in the light of the objective of fighting against serious crime. […] Not only is there a general absence of limits […] but Directive 2006/24 also fails to lay down any objective criterion by which to determine the limits of the access of the competent national authorities to the data and their subsequent use.”

The questions now pending: what happens to national regulations adopted pursuant to the directive? Can telecom and Internet service providers still store personal data for over six months, or is this now definitely to be considered illegal, as digital rights defenders have been claiming for years? What about ongoing contracts and subventions from governments in favor of such data retention?

According to Open Rights Group Executive Director Jim Killock: “The companies need to think quickly about liability, retention and government payments; the government may need to legislate. If the government legislates it needs to take the ECJ judgement into account, to avoid having to rewrite the rules again if the EU introduces new data retention legislation. We’ve been given guidance to the limits of surveillance and data retention, including requirements to limit the uses and confine the retention to relevant data. It is essential that the UK takes notice of these requirements”.

Whatever the outcome of this historic decision, it may well mark a turning point in the way European legislation is handled at the national level.