DATA PROTECTION
According to the EU Advocate General the Data Retention Directive is incompatible with the Charter of Fundamental Rights.
In his Opinion Advocate General Pedro Cruz Villalón, takes the view that the Data Retention Directive is as a whole incompatible with the requirement, laid down by the Charter of Fundamental Rights of the European Union, that any limitation on the exercise of a fundamental right must be provided for by law.
He proposes, however, that the effects of the finding of invalidity should be suspended in order to enable the EU legislature to adopt, within a reasonable period, the measures necessary to remedy the invalidity found to exist.
According to the Advocate General, the Directive constitutes a serious interference with the fundamental right of citizens to privacy, by laying down an obligation on the providers of telephone or electronic communications services to collect and retain traffic and location data for such communications. The Advocate General points out, in this regard, that the use of those data may make it possible to create a both faithful and exhaustive map of a large portion of a person’s conduct strictly forming part of his private life, or even a complete and accurate picture of his private identity.
There is, moreover, an increased risk that the retained data might be used for unlawful purposes which are potentially detrimental to privacy or, more broadly, fraudulent or even malicious. Indeed, the data are not retained by the public authorities, or even under their direct control, but by the providers of electronic communications services themselves. Nor does the Directive provide that the data must be retained in the territory of a Member State.
They can therefore be accumulated at indeterminate locations in cyberspace. In the light of that serious interference, the Directive should, first of all, have defined the fundamental principles which were to govern the determination of the minimum guarantees for access to the data collected and retained and their use. However, the Directive – which indeed regulates neither access to the data collected and retained nor their use – assigns the task of defining and establishing those guarantees to the Member States. Accordingly, the Directive does not comply with the requirement, laid down by the Charter, that any limitation on the exercise of a fundamental right must be provided for by law, as that requirement is more than just a purely formal one. Thus, when the European Union legislature adopts, as in the case of the Data Retention Directive, an act imposing obligations which constitute serious interference with the fundamental rights of citizens of the Union, it must assume its share of responsibility by defining at the very least the principles which must govern the definition, establishment, application and review of observance of the necessary guarantees. It is this very regulation which makes it possible to assess the scope of what the interference with the fundamental right entails in practical terms and which may, therefore, determine whether or not the interference is constitutionally acceptable.
Advocate General Cruz Villálon finds, next, that the Data Retention Directive is incompatible with the principle of proportionality in that it requires Member States to ensure that the data are retained for a period whose upper limit6 is set at two years.
He considers that the Directive pursues an ultimate objective that is perfectly legitimate, that is to say, the objective of ensuring that the data collected and retained are available for the purpose of the investigation, detection and prosecution of serious crime, and may be regarded as appropriate and even, subject to the guarantees with which it should be coupled, as necessary for achieving that objective. However, the Advocate General has not found, in the various views submitted to the Court of Justice defending the proportionality of the data retention period, any sufficient justification for not limiting the data retention period to be established by the Member States to less than one year.
So far as concerns the temporal effects of the finding of invalidity, the Advocate General proposes, after weighing up the various competing interests, that the effects of a finding that the Directive is invalid should be suspended pending adoption by the EU legislature of the measures necessary to remedy the invalidity found to exist, but such measures must be adopted within a reasonable period. He observes, in this regard, that the relevance and even urgency of the ultimate objectives of the limitation on fundamental rights at issue are, on the one hand, not in doubt.
The findings of invalidity, on the other hand, are of a very particular nature. First, the Directive is invalid as a result of the absence of sufficient regulation of the guarantees governing access to the data collected and retained and their use (quality of the law), an absence which nevertheless may have been corrected in the implementing measures adopted by the Member States. Secondly, the Member States have, in general, as is apparent from the information provided to the Court, exercised their powers with moderation with respect to the maximum period of data retention.
Today’s Opinion is delivered in proceedings relating to two references for a preliminary ruling, made by the High Court of Ireland and the Verfassungsgerichtshof (Constitutional Court, Austria) respectively. The High Court must decide a case between Digital Rights Ireland Ltd – a limited liability company whose statutes specify that its object is to promote and protect civil rights and human rights, in particular in the field of modern communication technologies – and the Irish authorities. In that case, Digital Rights, which states that it is the owner of a mobile phone, submits that the Irish authorities have unlawfully processed, retained and exercised control over data related to its communications.
(Source: EU Court of Justice web site - Press Release no. 157/2013 - Ownership: EU Court of Justice).
He proposes, however, that the effects of the finding of invalidity should be suspended in order to enable the EU legislature to adopt, within a reasonable period, the measures necessary to remedy the invalidity found to exist.
According to the Advocate General, the Directive constitutes a serious interference with the fundamental right of citizens to privacy, by laying down an obligation on the providers of telephone or electronic communications services to collect and retain traffic and location data for such communications. The Advocate General points out, in this regard, that the use of those data may make it possible to create a both faithful and exhaustive map of a large portion of a person’s conduct strictly forming part of his private life, or even a complete and accurate picture of his private identity.
There is, moreover, an increased risk that the retained data might be used for unlawful purposes which are potentially detrimental to privacy or, more broadly, fraudulent or even malicious. Indeed, the data are not retained by the public authorities, or even under their direct control, but by the providers of electronic communications services themselves. Nor does the Directive provide that the data must be retained in the territory of a Member State.
They can therefore be accumulated at indeterminate locations in cyberspace. In the light of that serious interference, the Directive should, first of all, have defined the fundamental principles which were to govern the determination of the minimum guarantees for access to the data collected and retained and their use. However, the Directive – which indeed regulates neither access to the data collected and retained nor their use – assigns the task of defining and establishing those guarantees to the Member States. Accordingly, the Directive does not comply with the requirement, laid down by the Charter, that any limitation on the exercise of a fundamental right must be provided for by law, as that requirement is more than just a purely formal one. Thus, when the European Union legislature adopts, as in the case of the Data Retention Directive, an act imposing obligations which constitute serious interference with the fundamental rights of citizens of the Union, it must assume its share of responsibility by defining at the very least the principles which must govern the definition, establishment, application and review of observance of the necessary guarantees. It is this very regulation which makes it possible to assess the scope of what the interference with the fundamental right entails in practical terms and which may, therefore, determine whether or not the interference is constitutionally acceptable.
Advocate General Cruz Villálon finds, next, that the Data Retention Directive is incompatible with the principle of proportionality in that it requires Member States to ensure that the data are retained for a period whose upper limit6 is set at two years.
He considers that the Directive pursues an ultimate objective that is perfectly legitimate, that is to say, the objective of ensuring that the data collected and retained are available for the purpose of the investigation, detection and prosecution of serious crime, and may be regarded as appropriate and even, subject to the guarantees with which it should be coupled, as necessary for achieving that objective. However, the Advocate General has not found, in the various views submitted to the Court of Justice defending the proportionality of the data retention period, any sufficient justification for not limiting the data retention period to be established by the Member States to less than one year.
So far as concerns the temporal effects of the finding of invalidity, the Advocate General proposes, after weighing up the various competing interests, that the effects of a finding that the Directive is invalid should be suspended pending adoption by the EU legislature of the measures necessary to remedy the invalidity found to exist, but such measures must be adopted within a reasonable period. He observes, in this regard, that the relevance and even urgency of the ultimate objectives of the limitation on fundamental rights at issue are, on the one hand, not in doubt.
The findings of invalidity, on the other hand, are of a very particular nature. First, the Directive is invalid as a result of the absence of sufficient regulation of the guarantees governing access to the data collected and retained and their use (quality of the law), an absence which nevertheless may have been corrected in the implementing measures adopted by the Member States. Secondly, the Member States have, in general, as is apparent from the information provided to the Court, exercised their powers with moderation with respect to the maximum period of data retention.
Today’s Opinion is delivered in proceedings relating to two references for a preliminary ruling, made by the High Court of Ireland and the Verfassungsgerichtshof (Constitutional Court, Austria) respectively. The High Court must decide a case between Digital Rights Ireland Ltd – a limited liability company whose statutes specify that its object is to promote and protect civil rights and human rights, in particular in the field of modern communication technologies – and the Irish authorities. In that case, Digital Rights, which states that it is the owner of a mobile phone, submits that the Irish authorities have unlawfully processed, retained and exercised control over data related to its communications.
(Source: EU Court of Justice web site - Press Release no. 157/2013 - Ownership: EU Court of Justice).
