Today the Court of Justice of the European Union (CJEU) declared the Data Retention Directive to be invalid, based on the fact that ‘the EU legislature has exceeded the limited imposed by compliance with the principle of proportionality’. How did the CJEU come to this decision, what are the governmental responses and what does this mean for harmonisation?
The Directive and the Question
The main objective of the Directive is, as reiterated by the CJEU:
To harmonise Member States’ provisions concerning the retention, by providers of publicly available electronic communications services or of public communications networks, of certain data which are generated or processed by them, in order to ensure that the data are available for the purpose of the prevention, investigation, detection and prosecution of serious crime, such as organised crime and terrorism, in compliance with the rights laid down in Articles 7 and 8 of the Charter.
The question posed to the CJEU, was whether the Directive was indeed in compliance with the right to respect for private life (Art. 7) and the right to the protection of personal data (Art. 8) of the Charter.
The Court of Justice Ruling
The Court takes the view that:
“by requiring the retention of those data and by allowing the competent national authorities to access those data, the directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data. Furthermore, the fact that data are retained and subsequently used without the subscriber or registered user being informed is likely to generate in the persons concerned a feeling that their private lives are the subject of constant surveillance.”
It continued by stating that in this particular case, such interference is justified (paragraphs 41-44), however it is not proportional. The measures adopted exceeded the powers of the legislature in terms of proportionality for the following reasons:
The Directive is therefore declared invalid. It is also interesting to note that given the fact that the Court has not limited the temporal effect of its judgment, the declaration of invalidity takes effect from the date on which the Directive entered into force. Meaning, the Directive was never valid to begin with. Hence, all the references made to the Directive by implementing laws in the Member States, refer to a Directive that had never been valid. More interesting is that though the references to a invalid Directive are not necessarily a problem, the content of these implementing laws is. The reasons for the invalidity of the Directive, are codified in the national laws, which are now (or rather, have always been), contrary to EU law.
The Responses of Some Member States’ Officials
The invalidity of the national laws creates an immediate issue. What to do when you know your law is invalid? Well the responses have been diverse.
For those countries that have implemented the Directive there are two options, either they repeal the entire law they enacted to implement the Directive, or they very quickly amend the law. The latter is more likely, but creates its own set of problems. The EU itself can also take up the legislative process once more, and draft a new Directive which takes the issues of the CJEU into account. This however, would probably take up too much time for the national legislatures. Although, the President of the European Parliament already talks about the next proposal which the European Commission should work on.
More likely is the scenario in which the national legislature comes up with a very quick amendment to their national law on data retention. With the amendment the national law could become in accordance with EU law again, if the drafters follow the criticism of the CJEU and take the specific criticisms of the Directive into account in their amendment.
This would however, defeat the purpose of harmonisation. If 28 Member States either have none or differing laws as regards data retention, harmonisation is nowhere to be found. The service providers (internet, telephone and the like) that have to retain the data itself, do not necessarily operate within national borders, and will now be subjected to different rules depending on the specific Member State to an even greater extent. It reinvigorates the debate on privacy and security, and restarts the discussion on data retention in a time in which the Snowden-leaks are still making headlines.