In December 2013, Advocate-General Pedro Cruz Villalón delivered his opinion in a highly publicised case before the Court of Justice of the EU (CJEU) concerning the Data Retention Directive. This has reignited the debate over this controversial measure, described by the European Data Protection Supervisor as “the most privacy-invasive instrument ever adopted by the EU”.
The adoption and implementation of the Directive
The Data Retention Directive (Directive 2006/24/EC) was adopted in March 2006. It requires internet service providers and telephone companies to retain traffic and location data for a period of between six months and two years, for the purpose of investigating, detecting and prosecuting serious crime. This obligation does not extend to the content of communications, but relates to data indicating the source, destination, date, time, duration and type of communication, as well as the communication equipment used and the location of mobile communications equipment.
The Member States (MS) were supposed to transpose the Directive by September 2007, but could postpone its application to the retention of data relating to internet access, e-mail and telephony until March 2009. The implementing laws differ considerably across the EU (e.g. as regards the seriousness of crime that can trigger a data request), as does the extent to which retained data are requested by competent authorities. The Constitutional Courts of Romania, Germany and the Czech Republic annulled the relevant national legislation (respectively in 2009, 2010 and 2011) on various grounds related mainly to privacy and the protection of personal data concerns. New transposition measures have yet to be adopted by the three MS. In 2012, the Commission referredGermany to the CJEU for failure to transpose the Directive.
Points of contention
The Directive sparked a heated debate, as illustrated by a 2010 joint letter sent by 106 civil society and professional organisations to the three European Commissioners in charge of digital-rights-related portfolios. The recent CPDP2014 conference in Brussels, showed that the very idea of blanket data retention still has strong opposition among civil society groups and academics. The instrument is widely seen as disproportionate, unnecessary and unbalanced, given the extent to which it impedes on fundamental rights, while arguably of limited use for law enforcement (e.g. due to criminals easily circumventing its provisions, using anonymous SIM cards). Many commentators favour so-called data preservation (‘quick freeze’) provided for by the Council of Europe Convention on Cybercrime. This more limited investigative tool requires data concerning specific criminal suspects to be retained only from the date of the court order.
However, the Commission which evaluated the Directive in 2011 concluded that data retention should continue, though within a revised EU framework. It pointed to evidence presented by some MS supporting the claim that the tool is valuable, if not indispensable, for preventing and combating crime.
In joint cases C-293/12 and C-594/12 the CJEU is considering references for preliminary rulings from Irish and Austrian courts concerning the Directive’s validity. In his recent opinion, Cruz Villalón took the view that the Directive is incompatible with Articles 52(1) and 7 of the EU Charter of Fundamental Rights. This is because it interferes seriously with the right to privacy, without offering appropriate guarantees on the regulation of access to retained data and its use. Moreover, he found that setting the upper limit of data retention at two years (which in his view should be less than one year) is excessive. Nonetheless, he proposes the Court should allow data retention to continue until new EU instruments can be adopted. His opinion is not binding on the CJEU whose judgment is awaited.