CJEU - C‑293/12 and C‑594/12 - Digital Rights Ireland and Others (Joined Cases)

From GDPRhub
CJEU - Joined Cases C‑293/12 and C‑594/12 Digital Rights Ireland and Others
Cjeulogo.png
Court: CJEU
Jurisdiction: European Union
Relevant Law:
Article 3 Directive 2006/24/EC
Article 7 Charter of Fundamental Rights of the European Union
Article 8
Paragraph 102a Telecommunications Act 2003
Part 7 Criminal Justice (Terrorist Offences) Act 2005
145562
Decided: 08.04.2014
Parties: Digital Rights Ireland Ltd
Minister for Communications, Marine and Natural Resources
Minister for Justice, Equality and Law Reform
Commissioner of the Garda Síochána
Ireland
Kärntner Landesregierung
Christof Tschohl and others
Attorney General
Michael Seitlinger
Case Number/Name: Joined Cases C‑293/12 and C‑594/12 Digital Rights Ireland and Others
European Case Law Identifier: ecli:EU:C:2014:238
Reference from:
Language: 24 EU Languages
Original Source: AG Opinion
Judgement
Initial Contributor: Annkathrin.a.dix


The Court of Justice of the European Union held that the Data Retention Directive is invalid as it infringes upon the right to privacy and the right to the protection of personal data.

English Summary

Facts

The European Union adopted Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC (i.e. Data Retention Directive) in 2006.

The legislation imposed an obligation on Member States to store telecommunications data for a certain period to combat serious crime and terrorism by granting law enforcement authorities access to such data. Under Article 3 of said Directive, providers of publicly available electronic communications services/networks were obliged to retain metadata for the purpose of making them accessible, if necessary, to relevant national authorities. Metadata refers to information about a communication as opposed to its contents (e.g. traffic and location data).

On 11 August 2006, Digital Rights (DRI), a privacy advocacy group, challenged the legality of legislative measures concerning the retention of data relating to electronic communications before the High Court on grounds related to the right to privacy and protection of personal data, as enshrined in Article 7 and 8 of the Charter of Fundamental Rights of the European Union (i.e. the Charter). In particular, the applicants sought to declare the Data Retention Directive and Part 7 of the Criminal Justice (Terrorist Offences) Act 2005 which require telephone communications service providers to retain traffic and location data relating to those providers for a prescribed time period to prevent, detect, investigate, and prosecute crime (and ensure security of the State).

The High Court decided to halt proceedings and refer the matter to the Court of Justice of the European Union for a preliminary ruling. Kärntner Landesregierung, Mr. Seitlinger, Mr Tschohl and 11.128 other applicants brought proceedings before the Verfassungsgerichtshof to annul paragraph 102a of the Telekommunikationsgesetz (Law on Telecommunications) which transposed the Data Retention Directive into Austrian national law. The applicants argued that the provision infringes upon the right to the protection of data, as codified in Article 8 of the Charter.

Holding

The Court had the task to examine the validity of the Data Retention Directive in light of Articles 7 and 8 of the Charter. It firstly acknowledged that this obligation constituted an interference with private life and the protection of personal data, thereby falling under the realm of both Article 7 and 8 of the Charter.

The CJEU then had to determine whether the provision was a justified interference on these rights in accordance with Article 52(1) of the Charter. The Court held that the essence of both rights are not affected by the Directive as the contents of electronic communications are not retained and providers of such services/networks must still adhere to certain principles of data protection and security. It then determined that the Directive satisfies an objective of general interest, namely allowing national authorities to have (possible) access to such data to investigate, detect, and prosecute serious crime as prescribed in Article 1(1) thereof.

The Court subsequently assessed the proportionality of the interference. It firstly argued that the retention of such data can be considered to be appropriate for attaining the objectives pursued as the intention of such data is a valuable tool for (criminal) investigations. In terms of necessity, the Court emphasized that the obligation under Article 3 of the Data Retention Directive requires the retention of all traffic data in a generalized manner—of all persons and all means of (electronic) communication without any distinction, limitation or excepting being made. It therefore also extended to individuals where no evidence suggested that they may be involved with a serious crime and persons whose communications were subject to the obligation of professional secrecy.

The CJEU therefore held that due to the broad scope of data retention provided for, the Data Retention Directive went beyond what was strictly necessary for the aim of combating serious crime (and terrorism). The Court also assessed whether sufficient safeguards had been set in place to effectively protect the personal data of users against the risk of abuse and unlawful access and/or use of that data. It noted that the Directive failed to outline substantive and procedural conditions relating to the access of relevant national authorities to the data and use thereof. Thus, access would not be subject to a prior review by a court or an independent administrative body to be limited to what is strictly necessary. Moreover, there were no requirements for data access and/or retention to be based on objective criteria within the EU. Therefore, the CJEU found that the Data Retention Directive lacked safeguards to ensure the protection of retained data against unauthorized access and misuse by authorities.

The Court rendered the Data Retention Directive invalid because it did not provide adequate safeguards and failed to strike a fair balance between the aim of combating serious crime and the fundamental rights of individuals, particularly the right to privacy and the protection of personal data.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!