How did the decision come about?
European law permits national courts to submit questions to the Court on the interpretation of EU legislation. The Irish High Court referred questions from a case taken by Digital Rights Ireland, an organisation dedicated to defending civil, human and legal rights in a digital context.
The questions concerned the validity of the 2006 Data Retention Directive, which obliged Member States to introduce laws compelling the storage of telecommunications data. The Directive required the collection and retention of traffic and location data by companies, such as mobile and broadband providers for a period of up to two years. However, content data, including email or SMS content, did not need to be retained.
What did the Court decide?
The Court indicated that the retention of such a broad range of data provided an opportunity to construct a picture of a person’s private life. This meant that information of someone’s habits, activities, daily movements or social relationships could be assembled. As a result, the Court found the Directive incompatible with the fundamental right to privacy.
The Court turned to consider whether there was any justification for the interference with these rights. While the Directive aimed to tackle an important issue – the fight against serious crime – the Court considered that European lawmakers had gone beyond what was proportionate.
A number of issues were highlighted by the Court. The Directive did not limit the restriction of privacy rights to what was strictly necessary. Instead, it was broad and far-reaching, and did not specify or limit categories of individuals, methods of communication or the types of traffic data that were collected. The term ‘serious crime’ was also left to Member States to define, resulting in varying descriptions at national level.
There was a notable absence of specific procedures or sufficient restrictions for access to and use of the data by national authorities. Similarly, there were no principles set out in the Directive to determine appropriate periods for retention. Finally, the Court drew attention to the risk of abuse or unauthorised access due to the lack of guidelines on data security and deletion measures.
What effect will this have?
The ruling will have a notable impact on the outcomes of the Austrian and Irish cases. The decision fundamentally calls into question the status of legislation, such as Ireland’s Communications (Retention of Data) Act 2011, introduced on foot of the Directive.
The judgment demonstrates the Court’s willingness to invoke the Charter of Fundamental Rights in reviewing and invalidating European legislation and shows a robust interpretation of the right to privacy and data protection. The decision appears to show the Court’s concern about the blanket collection and retention of data in the absence of sufficient safeguards and harmonised and proportionate boundaries. This was reflected in the Court’s willingness to invalidate EU laws based on a finding that these laws are, in substance, a disproportionate infringement of fundamental rights contained in the Charter. However, while seeking to balance competing rights and interests, the Court does not appear to have adopted an overly restrictive approach to data protection.
For more information, please contact a member of the Mason Hayes & Curran Commercial team. Mason Hayes & Curran is an EACCNY Member.
In this context see our seminar on “Transatlantic Privacy Update: US vs. EU Privacy Regulations: A Comparison” – More info & to register click here