The European Court of Justice* today issued a judgement declaring that a 2006 Directive requiring the retention of call data by telcos is too broad, so that it contravenes the Rights to respect for private life and to the protection of personal data enshrined in the EU Charter of Fundamental Rights. The Court therefore declared the Directive invalid, and this is retrospective to its introduction.
*The European Court of Justice (ECJ) is an EU body and should not be confused with any similarly named bodies, especially the European Court of Human Rights, which is part of the Council of Europe (a wider grouping that includes non-EU countries including Russia). Its function is to arbitrate disputes between EU countries or, as in this case, advise national courts on EU Directives. Directives are, in effect, the central EU laws which set out the scope and extent of national laws or regulations which should be put in place to comply with them. They are passed by both the European Parliament and the Council of Ministers (the Heads of Government of the countries).
At the time of writing, the full judgement is not yet on the Curia web site, so I will rely on the Press Release for the quotes, which of course are not copyright restricted.
Two national supreme courts, the Irish High Court and the Austrian Verfassungsgerichtshof or Constitutional Court, had asked the ECJ to rule on the validity of the Directive in the light of the possible breach of the two Rights. The Irish High Court was being asked to decide a dispute between the national authorities and a company, Digital Rights Ireland. The Verfassungsgerichtshof was dealing with a large number of challenges seeking annulment of the consequent Austrian law from 11,200 individuals and the Kärntner Landesregierung (Government of the Province of Carinthia).
The Directive allows storage of data on a person's identity, the time of that person's communication, the place from which the communication took place and the frequency of that person's communications. Currently a new law is being examined on communications data and you may recall diaries here where the decisions on data privacy have been praised. This judgement in effect declares all current procedures on the retention of call and other data for between 6 months and 2 years illegal. As reported in the Press Release:
The Court observes first of all that the data to be retained make it possible, in particular, (1) to know the identity of the person with whom a subscriber or registered user has communicated and by what means, (2) to identify the time of the communication as well as the place from which that communication took place and (3) to know the frequency of the communications of the subscriber or registered user with certain persons during a given period. Those data, taken as a whole, may provide very precise information on the private lives of the persons whose data are retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, activities carried out, social relationships and the social environments frequented.
The Court takes the view that, by requiring the retention of those data and by allowing the competent national authorities to access those data, the directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data. Furthermore, the fact that data are retained and subsequently used without the subscriber or registered user being informed is likely to generate in the persons concerned a feeling that their private lives are the subject of constant surveillance.
The Court then examines whether such an interference with the fundamental rights at issue is justified.
It states that the retention of data required by the directive is not such as to adversely affect the essence of the fundamental rights to respect for private life and to the protection of personal data. The directive does not permit the acquisition of knowledge of the content of the electronic communications as such and provides that service or network providers must respect certain principles of data protection and data security.
Furthermore, the retention of data for the purpose of their possible transmission to the competent national authorities genuinely satisfies an objective of general interest, namely the fight against serious crime and, ultimately, public security.
However, the Court is of the opinion that, by adopting the Data Retention Directive, the EU legislature has exceeded the limits imposed by compliance with the principle of proportionality.
In that context, the Court observes that, in view of the important role played by the protection of personal data in the light of the fundamental right to respect for private life and the extent and seriousness of the interference with that right caused by the directive, the EU legislature’s discretion is reduced, with the result that review of that discretion should be strict.
Although the retention of data required by the directive may be considered to be appropriate for attaining the objective pursued by it, the wide-ranging and particularly serious interference of the directive with the fundamental rights at issue is not sufficiently circumscribed to ensure that that interference is actually limited to what is strictly necessary.
Firstly, the directive covers, in a generalised manner, all individuals, all means of electronic communication and all traffic data without any differentiation, limitation or exception being made in the light of the objective of fighting against serious crime.
Secondly, the directive fails to lay down any objective criterion which would ensure that the competent national authorities have access to the data and can use them only for the purposes of prevention, detection or criminal prosecutions concerning offences that, in view of the extent and seriousness of the interference with the fundamental rights in question, may be considered to be sufficiently serious to justify such an interference. On the contrary, the directive simply refers in a general manner to ‘serious crime’ as defined by each Member State in its national law. In addition, the directive does not lay down substantive and procedural conditions under which the competent national authorities may have access to the data and subsequently use them. In particular, the access to the data is not made dependent on the prior review by a court or by an independent administrative body.
Thirdly, so far as concerns the data retention period, the directive imposes a period of at least six months, without making any distinction between the categories of data on the basis of the persons concerned or the possible usefulness of the data in relation to the objective pursued. Furthermore, that period is set at between a minimum of six months and a maximum of 24 months, but the directive does not state the objective criteria on the basis of which the period of retention must be determined in order to ensure that it is limited to what is strictly necessary.
The Court also finds that the directive does not provide for sufficient safeguards to ensure effective protection of the data against the risk of abuse and against any unlawful access and use of the data. It notes, inter alia, that the directive permits service providers to have regard to economic considerations when determining the level of security which they apply (particularly as regards the costs of implementing security measures) and that it does not ensure the irreversible destruction of the data at the end of their retention period.
The immediate effect will be that the Irish and Austrian courts will take the advisory judgement and rule in favour of the applicants. There are different detailed arrangements in the 28 member countries to deal with this position. In most, a challenge based on the breaches of the EU Charter will have to be taken through the national courts system. Some will strike down the national law and others, like the UK, require that the national legislature revisit the law so it complies. In cases where changes are not made there would be individual applications to the European Court of Human Rights for redress.
It should be noted that the Directive required the retention of these data by telcos (both phone companies and internet service providers). Coincidentally, today the UK's Interception of Communications Commissioner laid before Parliament his report, which criticized the way in which data held by telcos had been accessed by the authorities.
Police may be overusing their power to gather people's communications data, the Commissioner for Interception says.
In 2013, there were 514,608 requests - such as who owns a phone and who have they called - which Sir Anthony May said "has the feel of being too many".
But he clears UK intelligence agency GCHQ of breaking the law or any rules - an accusation levelled by US whistleblower Edward Snowden.
http://www.bbc.co.uk/...
Interestingly, the BBC report states that Sir Anthony "found no evidence" of GCHQ circumventing UK law by using data supplied by the NSA. He made no comments about the reverse, of course.