Court declares Data Retention Directive to be invalid
The main objective of the Data Retention Directive (Directive 2006/24) was to harmonise Member States’ provisions concerning the retention of certain data which were generated or processed by providers of publicly available electronic communications services or of public communications networks. It therefore sought to ensure that the data were available for the purpose of the prevention, investigation, detection and prosecution of serious crime, such as, in particular, organised crime and terrorism. The directive for this reason provided that the providers must retain traffic and location data as well as related data necessary to identify the subscriber or user. By contrast, it did not permit the retention of the content of the communication or of information consulted.
The Irish High Courtand the Austrian Verfassungsgerichtshof (Constitutional Court) asked the Court to examine the validity of Directive 2006/24 in the light of Articles 7, 8 and 11 of the Charter of Fundamental Rights.
The Court however added that the obligation, under Article 3 of Directive 2006/24, on providers of publicly available electronic communications services or of public communications networks to retain the data listed in Article 5 of the directive for the purpose of making them accessible, if necessary, to the competent national authorities raised questions relating to respect for private life and communications under Article 7 of the Charter, the protection of personal data under Article 8 of the Charter and respect for freedom of expression under Article 11 of the Charter.
The Court found that even though, as is apparent from Article 1(2) and Article 5(2) of Directive 2006/24, the directive did not permit the retention of the content of the communication or of information consulted using an electronic communications network, it was not inconceivable that the retention of the data in question might have an effect on the use, by subscribers or registered users, of the means of communication covered by that directive and, consequently, on their exercise of the freedom of expression guaranteed by Article 11 of the Charter.
The Court held that the retention of data for the purpose of possible access to them by the competent national authorities, as provided for by Directive 2006/24, directly and specifically affected private life and, consequently, the rights guaranteed by Article 7 of the Charter. Furthermore, according to the Court, such a retention of data also fell under Article 8 of the Charter because it constituted the processing of personal data within the meaning of that article and, therefore, necessarily had to satisfy the data protection requirements arising from that article (see: Cases C‑92/09 and C‑93/09 Volker und Markus Schecke and Eifert).
The Court held that by requiring the retention of the data listed in Article 5(1) of Directive 2006/24 and by allowing the competent national authorities to access those data, Directive 2006/24 derogated from the system of protection of the right to privacy established by Directives 95/46 and 2002/58 with regard to the processing of personal data in the electronic communications sector, directives which provided for the confidentiality of communications and of traffic data as well as the obligation to erase or make those data anonymous where they were no longer needed for the purpose of the transmission of a communication, unless they were necessary for billing purposes and only for as long as so necessary.
The Court added in order to establish the existence of an interference with the fundamental right to privacy, it did not matter whether the information on the private lives concerned was sensitive or whether the persons concerned had been inconvenienced in any way (see, to that effect, Cases C‑465/00, C‑138/01 and C‑139/01 Österreichischer Rundfunk and Others).
The Court thus held that the obligation imposed by Articles 3 and 6 of Directive 2006/24 on providers of publicly available electronic communications services or of public communications networks to retain, for a certain period, data relating to a person’s private life and to his communications, such as those referred to in Article 5 of the directive, constituted in itself an interference with the rights guaranteed by Article 7 of the Charter.
Furthermore, the access of the competent national authorities to the data constituted a further interference with that fundamental right (see, as regards Article 8 of the ECHR, Eur. Court H.R., Leander v. Sweden, 26 March 1987, § 48, Series A no 116; Rotaru v. Romania [GC], no. 28341/95, § 46, ECHR 2000-V; and Weber and Saravia v. Germany (dec.), no. 54934/00, § 79, ECHR 2006-XI). Accordingly, Articles 4 and 8 of Directive 2006/24 laying down rules relating to the access of the competent national authorities to the data also constituted an interference with the rights guaranteed by Article 7 of the Charter. Likewise, Directive 2006/24 constituted an interference with the fundamental right to the protection of personal data guaranteed by Article 8 of the Charter because it provided for the processing of personal data.
The Court pointed out Article 52(1) of the Charter provides that any limitation on the exercise of the rights and freedoms laid down by the Charter must be provided for by law, respect their essence and, subject to the principle of proportionality, limitations may be made to those rights and freedoms only if they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others.
The Court held that so far as concerns the essence of the fundamental right to privacy and the other rights laid down in Article 7 of the Charter, it must be held that, even though the retention of data required by Directive 2006/24 constituted a particularly serious interference with those rights, it was not such as to adversely affect the essence of those rights given that, as followed from Article 1(2) of the directive, the directive did not permit the acquisition of knowledge of the content of the electronic communications as such. Nor was that retention of data such as to adversely affect the essence of the fundamental right to the protection of personal data enshrined in Article 8 of the Charter, because Article 7 of Directive 2006/24 provided, in relation to data protection and data security, that, without prejudice to the provisions adopted pursuant to Directives 95/46 and 2002/58, certain principles of data protection and data security must be respected by providers of publicly available electronic communications services or of public communications networks.
The Court found that the retention of data for the purpose of allowing the competent national authorities to have possible access to those data, as required by Directive 2006/24, genuinely satisfies an objective of general interest. In those circumstances, it was necessary to verify the proportionality of the interference found to exist.
The Court reiterated thatthe principle of proportionality requires that acts of the EU institutions be appropriate for attaining the legitimate objectives pursued by the legislation at issue and do not exceed the limits of what is appropriate and necessary in order to achieve those objectives (see, to that effect, Case C‑343/09 Afton Chemical, Cases C‑581/10 and C‑629/10 Nelson and Others; and Case C‑283/11 Sky Österreich).
The Court stressed that with regard to judicial review of compliance with those conditions, where interferences with fundamental rights were at issue, the extent of the EU legislature’s discretion might prove to be limited, depending on a number of factors, including, in particular, the area concerned, the nature of the right at issue guaranteed by the Charter, the nature and seriousness of the interference and the object pursued by the interference (see, by analogy, as regards Article 8 of the ECHR, Eur. Court H.R., S. and Marper v. the United Kingdom [GC], nos. 30562/04 and 30566/04, § 102, ECHR 2008-V).
The Court found that in the present case, in view of the important role played by the protection of personal data in the light of the fundamental right to respect for private life and the extent and seriousness of the interference with that right caused by Directive 2006/24, the EU legislature’s discretion was reduced, with the result that review of that discretion should be strict.
The Court held that the EU legislation in question must lay down clear and precise rules governing the scope and application of the measure in question and imposing minimum safeguards so that the persons whose data had been retained had sufficient guarantees to effectively protect their personal data against the risk of abuse and against any unlawful access and use of that data (see, by analogy, as regards Article 8 of the ECHR, Eur. Court H.R., Liberty and Others v. the United Kingdom, 1 July 2008, no. 58243/00, § 62 and 63; Rotaru v. Romania, § 57 to 59, and S. and Marper v. the United Kingdom, § 99).
The Court added that the need for such safeguards is all the greater where, as laid down in Directive 2006/24, personal data were subjected to automatic processing and where there was a significant risk of unlawful access to those data (see, by analogy, as regards Article 8 of the ECHR, S. and Marper v. the United Kingdom, § 103, and M. K. v. France, 18 April 2013, no. 19522/09, § 35).
The Court found that Directive 2006/24 affected, in a comprehensive manner, all persons using electronic communications services, but without the persons whose data were retained being, even indirectly, in a situation which was liable to give rise to criminal prosecutions. It therefore applied even to persons for whom there was no evidence capable of suggesting that their conduct might have a link, even an indirect or remote one, with serious crime. Furthermore, it did not provide for any exception, with the result that it applied even to persons whose communications were subject, according to rules of national law, to the obligation of professional secrecy.
Moreover, whilst seeking to contribute to the fight against serious crime, Directive 2006/24 did not require any relationship between the data whose retention was provided for and a threat to public security and, in particular, it was not restricted to a retention in relation (i) to data pertaining to a particular time period and/or a particular geographical zone and/or to a circle of particular persons likely to be involved, in one way or another, in a serious crime, or (ii) to persons who could, for other reasons, contributed, by the retention of their data, to the prevention, detection or prosecution of serious offences.
The Court held that not only was there a general absence of limits in Directive 2006/24 but Directive 2006/24 also failed to lay down any objective criterion by which to determine the limits of the access of the competent national authorities to the data and their subsequent use for the purposes of prevention, detection or criminal prosecutions concerning offences that, in view of the extent and seriousness of the interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter, might be considered to be sufficiently serious to justify such an interference. On the contrary, Directive 2006/24 simply referred, in Article 1(1), in a general manner to serious crime, as defined by each Member State in its national law.
The Court in short held that Directive 2006/24 did not lay down clear and precise rules governing the extent of the interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter. The Court held that Directive 2006/24 entailed a wide-ranging and particularly serious interference with those fundamental rights in the legal order of the EU, without such an interference being precisely circumscribed by provisions to ensure that it was actually limited to what was strictly necessary.
The Court concluded that that, by adopting Directive 2006/24, the EU legislature had exceeded the limits imposed by compliance with the principle of proportionality in the light of Articles 7, 8 and 52(1) of the Charter. The Court held that in those circumstances, there was no need to examine the validity of Directive 2006/24 in the light of Article 11 of the Charter.
Text of judgment