European Court Gives a Boost to EU Data Protection Reform

On April 8, the Court of Justice of the European Union invalidated the EU Data Retention Directive 2006/24. Beyond its significance for data retention, this judgment has important implications for EU data protection law in general and the proposed General Data Protection Regulation (GDPR) in particular.

The Data Retention Directive is designed to harmonise the legislation of EU member states concerning the retention of data by telecom service providers and ISPs, which are obliged by the directive to retain such data and make it available to European law enforcement authorities under certain circumstances.

Following court challenges brought by privacy advocates, the High Court in Ireland and the Austrian Constitutional Court referred to the court a number of questions concerning the compatibility of the directive with EU fundamental rights law and, in particular, the EU Charter of Fundamental Rights, which came into force in 2009 before the directive was enacted and prior to the Lisbon framework that strengthened fundamental rights in the EU's constitutional structure. One of the court's advocates-general had already recommended in December 2013 that the directive be invalidated.

Without going into a lot of detail, the court found that the directive allows a disproportionate interference with the rights to privacy and data protection—they are not exactly the same in European law! In particular, it found both flaws in the directive, which led it to conclude that the directive failed to meet the important test of proportionality under EU law. The court did leave some "wiggle room" for a data retention scheme to be structured legally but only under strict conditions.

While the exact implications of the judgment will only become clear in the coming weeks and months, I have the following initial reactions:

First, the judgment emphasises the firm legal foundation for fundamental rights under the framework of the Lisbon Treaty. It will thus strengthen the hand of those—like the European Parliament—who emphasise the key role that fundamental rights play in the proposed GDPR.

Second, the judgment may increase the likelihood of an agreement on the GDPR eventually being reached. Invalidation by the court of a key piece of legislation based solely on fundamental rights grounds may spur institutions engaged in negotiation of the GDPR to realise that the EU cannot continue with a data protection framework enacted in the pre-Lisbon era.

Third, any cooperation between the EU and U.S. regarding the sharing of data for law enforcement purposes just got harder, in particular because of language towards the end of the judgment criticizing the directive for not requiring data retained under it to be stored in the EU. This confirms that the transfer of personal data outside of the EU for law enforcement purposes will be subject to strict legal scrutiny.

Fourth, this same language regarding the storage of data in the EU may have implications for Safe Harbor, and may also act as a spur to initiatives to localize data storage in the territory of the EU.

Fifth, the case has implications for whatever system of data retention the U.S. may be considering. In a statement released on March 27, President Barack Obama announced that he plans to end the Section 215 bulk telephony metadata program and that such data should instead be retained by telecommunications companies, subject to disclosure to law enforcement authorities based on legal process. While the specific details of how such a system would work have not been released, the broad outlines seem to resemble the system used in the EU Data Retention Directive that has now been invalidated.

Finally, the judgment gives a taste of what is ahead for EU data protection law, namely a tighter control of legislation based on EU fundamental rights principles. This means that final agreement on the GDPR is not just a matter of power politics, but that it must meet EU fundamental rights standards if it is to withstand future court challenges.

Telecoms companies and ISPs that are currently subject to member state legislation implementing the directive will naturally wonder how they should cope with its invalidation. Besides the Data Retention Directive, the EU E-Privacy Directive contains a provision (Article 15) allowing member states to allow data retention for law enforcement purposes. However, it is difficult to imagine that this provision could provide a long-term and stable solution for widespread data retention.

The judgment of the European Court of Justice thus represents a milestone in EU data protection law, both with regard to the fundamental rights standards applicable to the collection and sharing of data for law enforcement purposes and more generally as well.

Written By

Christopher Kuner


If you want to comment on this post, you need to login.
  • Argel Apr 10, 2014

    It could be that this decision will give EU lawyers something (EU fundamental rights standards) to cite to counter the US lawyers who drone on constantly about the first amendment.

  • Worried citizen Apr 12, 2014

    The European Union certainly needs a strong law to fully protect their citizens not only against abusive retention of data by service providers and other Internet-based corporations but also against locks established on our public digital footprints by amoral corporations whose business market is our personal information. I would say the way our digital footprint is publicly exposed by corporations like Google, without allowing us to modify/remve this content, is even worse than abusive data retention by service providers in the sense these public profiles are available to anyone running a web browser while data gathered and retained by service providers is available only to a small set of authorized individuals. Protection against abusive data retention should include public profiles (what most people would call digital footprints) too. It would be sad if this law is restricted to our navigation habits and other metadata gathered by means of cookies and logs parsing. We truly need a law that protects us not only against abusive data collection by third parties but also allowing us to manage our own digital footprint.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Advertise in IAPP Publications

Find out how to get your message in front the people you want to reach. Download a media kit now.

Get more News »

Find a KnowledgeNet Chapter Near You

Network and talk privacy at IAPP KnowledgeNet meetings, taking place worldwide.

Women Leading Privacy

Events, volunteer opportunities and more designed to help you give and get career support and expand your network.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

The Training Post—Can’t-Miss Training Updates

Subscribe now to get the latest alerts on training opportunities around the world.

New Web Conferences Added!

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Staff

Get your team up to speed on privacy by bringing IAPP training to your organization.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.

Learn more about IAPP certification »

Get Close-up

Looking for tools and info on a hot topic? Our close-up pages organize it for you in one easy-to-find place.

Where's Your DPA?

Our interactive DPA locator helps you find data protection authorities and summary of law by country.

IAPP Westin Research Center

See the latest original research from the IAPP Westin fellows.

Looking for Certification Study Resources?

Find out what you need to prepare for your exams

More Resources »

GDPR Comprehensive: Registration Open

New! Intensive two-day GDPR training led by the sharpest minds in the field. It's a can't-miss event.

The Congress Is Cancelled

The IAPP Europe Data Protection Congress 2015 is cancelled. Click through to learn more.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

Exhibit at an Event

Put your brand in front of the largest gatherings of privacy pros in the world. Learn more.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»