The ECJ has just ruled that most of the EU’s data retention directive is not compatible with privacy rights. Innocenzo Genna, an Italian lawyer with expertise in European regulation and ICT policy, explains the decision and the consequences for countries that have implemented the Directive. 

The European Court of Justice has declared invalid the data retention directive (Directive 2006/24/EC), i.e. set of rules obliging ISPs and telcos to retain data and information of citizens using electronic communications networks.

The Court has recognised that retention of personal data for purpose of investigation is per se compatible with the European framework, although it may interfere with basic fundamental rights such as privacy. However the Court also found that the set of obligation laid down by current directive is disproportionate and contrary to the principle of privacy protection because:

the wide ranging and particularly serious interference of the directive with the fundamental rights at issue is not sufficiently circumscribed to ensure that that interference is actually limited to what is strictly necessary.

In particular, the Court challenges the following:

• the directive covers, in a generalised manner, all individuals, all means of electronic communication and all traffic data without any differentiation, limitation or exception being made in the light of the objective of fighting against serious crime;
• the directive fails to circumscribe, from both procedural and substantial point of view, the notion of “serious crime” and opens risks to potential abuses in the Member States;
• also the data retention period (from 6 to 24 months) is too generic and should be adapted to the specific objectives (crimes to be fought) to be pursued.

Interestingly, the question is what will happen with the current national legislation which have been enacted as transposition of the invalid directive.

Although one could think that also these laws would become invalid, this is not an automatic effect from the annulment judgment. Neither the EC Treaties nor the precedent of the European court give clear guidance to this purpose. According to art. 249 of the Treaty: “A directive shall be binding, as to the result to be achieved, upon each Member State to which it is addressed, but shall leave to the national authorities the choice of form and methods”.

This means that, in case of the annulment of a directive, it is up to the Member State to evaluate. In my opinion:

• There is no discretion with regard to the national provisions which are transposing EC rules declared void because they conflict with other prevailing EC rules (because of the pre-eminence of privacy, for instance, as in the present case). In such a case, even if an urgent abrogation by the Member States may be welcomed, national courts and administrations may dis-apply these national provisions immediately from now.
• To the opposite, if a directive is annulled because of a procedural reason, the Member States could decide to maintain the national legislation, because they continue to support the merits. The same goes for the provisions that are not contrasting with the prevailing EC rules indicated by the European court.

So, it is in general a case-by-case evaluation, while there is no automatic effect on national legislation. In the present case, Member States seem to have the alternative between:

1. abrogating the entire national data retention legislation; or:
2. modify that legislation in order to meet the “proportionality concern” of the court.

In the meanwhile, if an operator claims that the national data retention cannot be applied against it, it has a good case. On the other side, the same operators are in a messy situation, because individuals could argue that the retention of their personal data on the operators’ servers in an infringement of European privacy rules. This would amount to a criminal liability in some countries. In order to avoid such risks, operators could better decide to delete all the traffic data currently recorded on their servers.

The European Commission will likely intervene providing guidance or recommendations as to how to deal with the present scenario. A meeting with Member States and operators (already scheduled) will take place Friday 11, April in Brussels.

Commissioner Malstrom, competent for Home affairs, has declared the following:

The judgement of the Court brings clarity and confirms the critical conclusions in terms of proportionality of the Commission’s evaluation report of 2011 on the implementation of the data retention directive. The European Commission will now carefully asses the verdict and its impacts. The Commission will take its work forward in light of progress made in relation to the revision of the e-Privacy directive and taking into account the negotiations on the data protection framework.

Also EDPS, the European Data Protection Supervisor, made a statement urging for a new directive, this time complying with privacy rules.

This post originally appeared on the author’s radiobruxelleslibero blog and is re-posted with permission and thanks.  This article gives the views of the author, and does not represent the position of the LSE Media Policy Project blog, nor of the London School of Economics.