EU court rules on data retentionTuesday 08 April 2014 20.24
Europe's highest court has ruled that the obligation on telecoms and internet providers to store data for up to two years is invalid.
The case was referred to the Luxembourg Court by the High Court here following a complaint taken by Digital Rights Ireland over the issue of data retention.
In a ruling with significant implications for the European Union's half a billion citizen, the European Court of Justice has declared the relevant directive invalid.
The ruling will have significant implications for the entire European telecoms sector and for the efforts by EU governments to combat serious crime and terrorism.
Under the 2006 Data Retention Directive telecoms and network providers are obliged to retain certain categories of data for between six months and two years to make them available to police services investigating criminal activity.
The directive requires operators to retain certain categories of data for identifying users and details of phone calls made and emails sent.
The directive excludes the content of those communications.
In today's ruling, ECJ holds that the directive falls foul of the EU's Charter of Fundamental Rights because of the potential to restrict a person's privacy.
The court found that the data retained could allow the authorities to identify the person using the telecoms service, and how often they use it.
Furthermore, the data may provide "very precise information on the private lives of the persons whose data are retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, activities carried out, social relationships and the social environments frequented".
As a result the directive "interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data."
The ruling continues: "The fact that data are retained and subsequently used without the subscriber or registered user being informed is likely to generate in the persons concerned a feeling that their private lives are the subject of constant surveillance."
The court acknowledges that the content of the communications is not scrutinised, and that the directive carries "certain principles of data protection and data security."
It also acknowledges the "general interest" in retaining data in order to fight serious crime and terrorism.
However, the Court ruled that the European Commission, in adopting the new directive had "exceeded the limits imposed by compliance with the principle of proportionality."
In particular the directive was indiscriminate in that it affected "all individuals, all means of electronic communication and all traffic data without any differentiation, limitation or exception being made in the light of the objective of fighting against serious crime."
The court found that the directive lacked "any objective criterion" or procedural conditions which would ensure that data was only being used for preventing, detecting or prosecuting serious crime.
The court also found that the directive did not safeguard against the misuse of the data for unlawful purposes, and that it was vague as to which categories of data could be held the longest.
In a statement, the Data Protection Commissioner Billy Hawkes said he "has previously indicated that he is concerned at the level of State surveillance generally of individuals for law enforcement purposes.
"He has also consistently stressed that proportionality in relation to law enforcement/intelligence access is vital and had pointed out that there are serious issues to be addressed in the EU, notably in relation to the legal obligation on telecommunications companies under the Data Retention Directive to retain call data and disclose it on request to law enforcement authorities."