The European Union is all too often portrayed as a creature defined by over-regulation – be it the infamous “bendy banana” rules or the great chocolate debate. It is easy (and sometimes politically convenient) to forget that the EU and CJEU can serve to protect individuals from overt (and covert) state regulation. As of a CJEU decision this week to annul the Data Retention Directive (2006/24/EC), it will be very difficult for the Home Secretary, Teresa May, to push through the Communications Data Bill (also known as the “Snooper’s Charter”).
The bill was abandoned in May 2013 following opposition from the Lib Dems, but has shown signs of resurfacing. The bill would give police and security services access, without a warrant, to details of all online communication in the UK – such as the time, duration, originator and recipient, and the location of the device from which it was made. The bill depends however, on operators being obliged to store customers’ details and records. The data retention directive obliged companies to retain data and information of citizens using electronic communications networks – but now that it has been annulled the responsibility of operators to retain data is far more ambiguous.
The CJEU decision resulted from proceedings taking place in Ireland and Austria – where challenges had been mounted regarding the legality of national legislative and administrative measures concerning the retention of data. The Court ruled on Wednesday that the purpose of the Data Retention Directive, i.e. ensuring that communications data was available in order to investigate and fight serious crime, was compatible with the European Rights framework. However, the Directive itself entailed a wide-ranging and particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data (Articles 7 and 8 of the CFREU), without that interference being limited to what was strictly necessary.
The Court noted that the data being retained enabled:
“very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them” [§27].
Given the potential conclusions the Court found that:
“The EU legislation in question must lay down clear and precise rules governing the scope and application of the measure in question and imposing minimum safeguards so that the persons whose data have been retained have sufficient guarantees to effectively protect their personal data against the risk of abuse and against any unlawful access and use of that data” [§54].
The Directive lacked such precise rules and appropriate safeguards.
In particular the Court objected to the fact that the Directive did not discriminate between individuals. The Directive covers all individuals, all means of electronic communication and all traffic data without any differentiation, limitation or exception being made in the light of the objective of fighting against serious crime. The Directive also fails (somewhat surprisingly given its purpose) to define the notion of “serious crime”. The Court found that the data retention period (6 to 24 months) was too generic and that the Directive did not require that the data be retained within the EU itself. Continue reading