The current Data Retention Directive is “incompatible” with the Charter of Fundamental Right, according to the court of justice of the European Union.
According to a statement by the Advocate General, Mr Cruz Villalón, the Directive is invalid due to the absence of sufficient regulation of the guarantees governing access to the data collected and retained, and because member states have exercised their powers with moderation with respect to the maximum period of data retention.
He called for the directive to be suspended in order to enable the EU legislature to adopt the measures necessary. Villalón said that it is wholly “incompatible with the requirement laid down by the Charter of Fundamental Rights of the European Union that any limitation on the exercise of a fundamental right must be provided for by law”.
He also claimed that the directive “constitutes a serious interference with the fundamental right of citizens to privacy”, particularly by laying down an obligation on the providers of telephone or electronic communications services to collect and retain traffic and location data for such communications.
The Advocate General points out, in this regard, that the use of such data may make it possible to create a both faithful and exhaustive map of person’s activity, or even a complete and accurate picture of his private identity, or an increased risk that the retained data might be used for unlawful purposes which are potentially detrimental to privacy or, more broadly, fraudulent or even malicious.
He also claimed that “in the light of that serious interference”, the directive should have defined the fundamental principles, which were to govern the determination of the minimum guarantees for access to the data collected and retained and their use.
“However, the Directive – which indeed regulates neither access to the data collected and retained nor their use – assigns the task of defining and establishing those guarantees to the member states. Accordingly, the Directive does not comply with the requirement, laid down by the Charter, that any limitation on the exercise of a fundamental right must be provided for by law, as that requirement is more than just a purely formal one,” he said.
“Thus, when the European Union legislature adopts, as in the case of the Data Retention Directive, an act imposing obligations which constitute serious interference with the fundamental rights of citizens of the Union, it must assume its share of responsibility by defining at the very least the principles which must govern the definition, establishment, application and review of observance of the necessary guarantees.”
It was this regulation that makes it possible to assess the scope of what the interference with the fundamental right entails in practical terms and which may, therefore, determine whether or not the interference is constitutionally acceptable.
Villalón also commented that the directive does not provide instruction on how long the data must be retained in the territory of a Member State, and there was no guidance or any sufficient justification for not limiting the data retention period to be established by the Member States to less than one year.
Stewart Room, partner at Field Fisher Waterhouse, said: “This interim decision on the Data Retention Directive is interesting, but there’s still some way to go before the legal points are finalised.
“If the interim decision
is upheld, it will underscore the point that the European Commission can get framework data protection legislation seriously wrong. That would provide support to many critics of the current Data Protection Regulation reform agenda, who have argued that the Commission have got many platform issues in the draft Regulation wrong, such as the one stop shop, consent and breach notification. In other words, this draft decision suggests that data protection lawmakers may not be infallible.”