On April 8, the Court of Justice of the European Union invalidated the EU Data Retention Directive 2006/24. Beyond its significance for data retention, this judgment has important implications for EU data protection law in general and the proposed General Data Protection Regulation (GDPR) in particular.
The Data Retention Directive is designed to harmonise the legislation of EU member states concerning the retention of data by telecom service providers and ISPs, which are obliged by the directive to retain such data and make it available to European law enforcement authorities under certain circumstances.
Following court challenges brought by privacy advocates, the High Court in Ireland and the Austrian Constitutional Court referred to the court a number of questions concerning the compatibility of the directive with EU fundamental rights law and, in particular, the EU Charter of Fundamental Rights, which came into force in 2009 before the directive was enacted and prior to the Lisbon framework that strengthened fundamental rights in the EU's constitutional structure. One of the court's advocates-general had already recommended in December 2013 that the directive be invalidated.
Without going into a lot of detail, the court found that the directive allows a disproportionate interference with the rights to privacy and data protection—they are not exactly the same in European law! In particular, it found both flaws in the directive, which led it to conclude that the directive failed to meet the important test of proportionality under EU law. The court did leave some "wiggle room" for a data retention scheme to be structured legally but only under strict conditions.
While the exact implications of the judgment will only become clear in the coming weeks and months, I have the following initial reactions:
First, the judgment emphasises the firm legal foundation for fundamental rights under the framework of the Lisbon Treaty. It will thus strengthen the hand of those—like the European Parliament—who emphasise the key role that fundamental rights play in the proposed GDPR.
Second, the judgment may increase the likelihood of an agreement on the GDPR eventually being reached. Invalidation by the court of a key piece of legislation based solely on fundamental rights grounds may spur institutions engaged in negotiation of the GDPR to realise that the EU cannot continue with a data protection framework enacted in the pre-Lisbon era.
Third, any cooperation between the EU and U.S. regarding the sharing of data for law enforcement purposes just got harder, in particular because of language towards the end of the judgment criticizing the directive for not requiring data retained under it to be stored in the EU. This confirms that the transfer of personal data outside of the EU for law enforcement purposes will be subject to strict legal scrutiny.
Fourth, this same language regarding the storage of data in the EU may have implications for Safe Harbor, and may also act as a spur to initiatives to localize data storage in the territory of the EU.
Fifth, the case has implications for whatever system of data retention the U.S. may be considering. In a statement released on March 27, President Barack Obama announced that he plans to end the Section 215 bulk telephony metadata program and that such data should instead be retained by telecommunications companies, subject to disclosure to law enforcement authorities based on legal process. While the specific details of how such a system would work have not been released, the broad outlines seem to resemble the system used in the EU Data Retention Directive that has now been invalidated.
Finally, the judgment gives a taste of what is ahead for EU data protection law, namely a tighter control of legislation based on EU fundamental rights principles. This means that final agreement on the GDPR is not just a matter of power politics, but that it must meet EU fundamental rights standards if it is to withstand future court challenges.
Telecoms companies and ISPs that are currently subject to member state legislation implementing the directive will naturally wonder how they should cope with its invalidation. Besides the Data Retention Directive, the EU E-Privacy Directive contains a provision (Article 15) allowing member states to allow data retention for law enforcement purposes. However, it is difficult to imagine that this provision could provide a long-term and stable solution for widespread data retention.
The judgment of the European Court of Justice thus represents a milestone in EU data protection law, both with regard to the fundamental rights standards applicable to the collection and sharing of data for law enforcement purposes and more generally as well.