OneTrust_Square Banner_300x250_DD_ROS_01_19
European Court Gives a Boost to EU Data Protection Reform

On April 8, the Court of Justice of the European Union invalidated the EU Data Retention Directive 2006/24. Beyond its significance for data retention, this judgment has important implications for EU data protection law in general and the proposed General Data Protection Regulation (GDPR) in particular.

The Data Retention Directive is designed to harmonise the legislation of EU member states concerning the retention of data by telecom service providers and ISPs, which are obliged by the directive to retain such data and make it available to European law enforcement authorities under certain circumstances.

Following court challenges brought by privacy advocates, the High Court in Ireland and the Austrian Constitutional Court referred to the court a number of questions concerning the compatibility of the directive with EU fundamental rights law and, in particular, the EU Charter of Fundamental Rights, which came into force in 2009 before the directive was enacted and prior to the Lisbon framework that strengthened fundamental rights in the EU's constitutional structure. One of the court's advocates-general had already recommended in December 2013 that the directive be invalidated.

Without going into a lot of detail, the court found that the directive allows a disproportionate interference with the rights to privacy and data protection—they are not exactly the same in European law! In particular, it found both flaws in the directive, which led it to conclude that the directive failed to meet the important test of proportionality under EU law. The court did leave some "wiggle room" for a data retention scheme to be structured legally but only under strict conditions.

While the exact implications of the judgment will only become clear in the coming weeks and months, I have the following initial reactions:

First, the judgment emphasises the firm legal foundation for fundamental rights under the framework of the Lisbon Treaty. It will thus strengthen the hand of those—like the European Parliament—who emphasise the key role that fundamental rights play in the proposed GDPR.

Second, the judgment may increase the likelihood of an agreement on the GDPR eventually being reached. Invalidation by the court of a key piece of legislation based solely on fundamental rights grounds may spur institutions engaged in negotiation of the GDPR to realise that the EU cannot continue with a data protection framework enacted in the pre-Lisbon era.

Third, any cooperation between the EU and U.S. regarding the sharing of data for law enforcement purposes just got harder, in particular because of language towards the end of the judgment criticizing the directive for not requiring data retained under it to be stored in the EU. This confirms that the transfer of personal data outside of the EU for law enforcement purposes will be subject to strict legal scrutiny.

Fourth, this same language regarding the storage of data in the EU may have implications for Safe Harbor, and may also act as a spur to initiatives to localize data storage in the territory of the EU.

Fifth, the case has implications for whatever system of data retention the U.S. may be considering. In a statement released on March 27, President Barack Obama announced that he plans to end the Section 215 bulk telephony metadata program and that such data should instead be retained by telecommunications companies, subject to disclosure to law enforcement authorities based on legal process. While the specific details of how such a system would work have not been released, the broad outlines seem to resemble the system used in the EU Data Retention Directive that has now been invalidated.

Finally, the judgment gives a taste of what is ahead for EU data protection law, namely a tighter control of legislation based on EU fundamental rights principles. This means that final agreement on the GDPR is not just a matter of power politics, but that it must meet EU fundamental rights standards if it is to withstand future court challenges.

Telecoms companies and ISPs that are currently subject to member state legislation implementing the directive will naturally wonder how they should cope with its invalidation. Besides the Data Retention Directive, the EU E-Privacy Directive contains a provision (Article 15) allowing member states to allow data retention for law enforcement purposes. However, it is difficult to imagine that this provision could provide a long-term and stable solution for widespread data retention.

The judgment of the European Court of Justice thus represents a milestone in EU data protection law, both with regard to the fundamental rights standards applicable to the collection and sharing of data for law enforcement purposes and more generally as well.

Written By

Christopher Kuner


If you want to comment on this post, you need to login.

  • Argel Apr 10, 2014

    It could be that this decision will give EU lawyers something (EU fundamental rights standards) to cite to counter the US lawyers who drone on constantly about the first amendment.
  • Worried citizen Apr 12, 2014

    The European Union certainly needs a strong law to fully protect their citizens not only against abusive retention of data by service providers and other Internet-based corporations but also against locks established on our public digital footprints by amoral corporations whose business market is our personal information.
    I would say the way our digital footprint is publicly exposed by corporations like Google, without allowing us to modify/remve this content, is even worse than abusive data retention by service providers in the sense these public profiles are available to anyone running a web browser while data gathered and retained by service providers is available only to a small set of authorized individuals.
    Protection against abusive data retention should include public profiles (what most people would call digital footprints) too.  It would be sad if this law is restricted to our navigation habits and other metadata gathered by means of cookies and logs parsing.  We truly need a law that protects us not only against abusive data collection by third parties but also allowing us to manage our own digital footprint.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Get more News »

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

The Privacy Core™ Library Has Evolved

Privacy Core™ e-learning essentials just expanded to include seven new units for marketers. Keep your data safe and your staff in the know!

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

Upcoming Web Conferences

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Team

Get your team up to speed on privacy by bringing IAPP training to your organization.

Let’s Get You DPO Ready

There’s no better time to train than right now! We have all the resources you need to meet the challenges of the GDPR.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.


The IAPP’S CIPP/E and CIPM are the ANSI/ISO-accredited, industry-recognized combination for DPO readiness. Learn more today.

Learn more about IAPP certification »

Are You Ready for the GDPR?

Check out the IAPP's EU Data Protection Reform page for all the tools and resources you need.

IAPP-OneTrust PIA Platform

New U.S. Government Agency privacy impact assessments - free to IAPP members!

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

Privacy Vendor List

Find a privacy vendor to meet your needs with our filterable list of global service providers.

More Resources »

Europe Data Protection Intensive 2017

The Intensive is sold out! But cancellations do happen—so hurry and get on the wait list in case more seats become available.

Global Privacy Summit 2017

The world’s premier privacy conference returns with the sharpest minds, unparalleled programs and preeminent networking opportunities.

Canada Privacy Symposium 2017

The Symposium returns to Toronto this spring and registration has opened! Take advantage of Early Bird rates and join your fellow privacy pros for another stellar program.

The Privacy Bar Section Forum 2017

The Privacy Bar Section Forum returns to Washington, DC April 21, delivering renowned keynote speakers and a distinguished panel of legal and privacy experts.

Asia Privacy Forum 2017

The Forum returns to Singapore for exclusive networking and intensive education on data protection trends and challenges in the Asia Pacific region. Call for Speakers open!

Privacy. Security. Risk. 2017

This year, we're bringing P.S.R. to San Diego. The Call for Speakers is now open. Submit today and be a part of something big! Submission deadline: February 26.

Europe Data Protection Congress 2017

European policy debate, multi-level strategic thinking and thought-provoking discussion. The Call for Speakers is open until March 19.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»