Privacy & Information Security Law Blog

On December 12, 2013, Advocate-General Cruz Villalón of the European Court of Justice (“ECJ”) issued his Opinion on the compatibility of the EU Data Retention Directive 2006/24/EC (the “Data Retention Directive”) with the Charter of Fundamental Rights of the European Union (the “EU Charter”).

Background
The Data Retention Directive requires EU Member States to ensure that telecommunications service providers collect and retain traffic and location data (but not the substantive content of those communications) for purposes of investigating, detecting and prosecuting serious crimes as defined by national law. The data must be retained for a minimum of six months and a maximum of two years.

The Advocate-General delivered his Opinion in connection with four national cases, one brought by Digital Rights Ireland against the Irish authorities and three cases pending before Austria’s constitutional court.

Opinion of the Advocate-General
In his Opinion, the Advocate-General considered that the collection and the retention, in large databases, of these data constitute a serious interference with the right to privacy contained in the EU Charter. The Advocate-General emphasized that the data could be used to reconstruct a large portion of a person’s conduct, or even a complete and accurate picture of his or her private identity. According to the Advocate-General, the risk that the data might be used for unlawful purposes is increased by the following factors:

• the data are not retained by national public authorities, or even under their direct control, but by the telecommunications service providers; and
• the data may be stored at indeterminate locations in cyberspace since the Data Retention Directive does not require the data to be stored in the territory of a EU Member State.

In the light of this serious interference with the right to privacy, the Advocate-General ruled that the Data Retention Directive should have defined the necessary principles for governing the guarantees needed to regulate access to the data and their use, instead of assigning the task of defining and establishing those guarantees to the EU Member States. The Advocate-General concluded that the Data Retention Directive does not comply with the requirement, laid down by the EU Charter, that any limitation on the exercise of a fundamental right must be provided for by law.

Further, the Advocate-General found no reason why the Data Retention Directive requires EU Member States to ensure that the data are retained for a maximum of two years instead of limiting the retention period to less than one year.

In the Opinion, the Advocate-General proposes to suspend the effects of a finding that the Data Retention Directive is invalid in order to enable the EU legislature to adopt, within a reasonable time period, the measures necessary to remedy the invalidity.