The Data Retention Directive compels communications service providers routinely to capture and archive information detailing the telephone calls, web surfing, e-mail messages and other communications of their users.
The vote on the final resolution was adopted in the European Parliament by 378 votes in favour to 197 against, with 30 abstentions.
The Directive remained highly controversial and has been rejected as unconstitutional in several member states. It was successfully challenged at the European Court of Justice by Digital Rights Ireland on human rights grounds, with a judgment given in 2014.
- 1 Main provisions
- 2 Summary of issues with the directive
- 3 ECJ incompatibility ruling
- 4 State reactions to ECJ incompatibility ruling
- 5 Implementation into UK law
- 6 Review of the Directive 2011 onwards
- 7 Challenges and non-implementation
- 7.1 Norway (expected)
- 7.2 Austria December 2012
- 7.3 Sweden: non-implementation
- 7.4 Ireland February 2009: first ECJ challenge
- 7.5 Romania October 2008
- 7.6 Bulgaria 11 December 2008
- 7.7 Germany early 2010
- 7.8 Czech Republic March 2011
- 7.9 Cyprus February 2011
- 7.10 Ireland May 5th 2010 onwards: Irish High Court case and referral to ECJ
- 7.11 Article 29 Data Protection Working Party on Data Retention
- 8 Result of ECJ decision
- 9 See also
- 10 References
According to EU Law, under the 2006/24/EC Data Retention Directive, all members states are required to retain for between 6 and 24 months all data necessary:
To trace and identify the source of a communication;
To trace and identify the destination of a communication;
To identify the date, time and duration of a communication;
To identify the type of communication;
To identify the communication device;
To identify the location of mobile communication equipment.
The UK has discussed going above and beyond EU Law by retaining third party data whereby communications made through websites such as GMail and Facebook would be monitored (still the traffic data, not the content).
It is important however, to consider the European Convention on Human Rights, in particular Article 8 where this statement is found:
1. Everyone has the right to respect for his private and family life, his home and his correspondence.
2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.
Does the Data Retention Directive go against this principle? Many say it does. Including us.
Summary of issues with the directive
Retaining traffic data makes it possible to reveal who has been calling and e-mailing whom, what websites people have visited and even where they were with their mobile phones. Telephone companies and internet services providers must store all specified traffic data of their customers. Police and intelligence agencies in Europe are granted access to the traffic data. No safeguards are stipulated by the Directive.
The gathered data can be made available without special warrants, and without limit to certain types of crime. There is no independent evaluation, and no extra privacy and no specific security safeguards. The data will be retained for periods ranging from 6 months upwards.
ECJ incompatibility ruling
In December 2013, the Irish High Court and Austrian Constitutional Court asked the European Court of Justice if the Data Retention Directive clashes with the treaty on fundamental rights, particularly with article 8 that stipulates the right to private and family life, right to protection of personal data and the right to freedom of expression.
On April 8th 2014, the ECJ issued a ruling, declaring the invalidity of the Directive. The ruling found the Directive incompatible with articles 7 (retroactive criminalisation of acts) 8 (right to respect for private and family life).
Paragraph 65 of the ruling:
- "Directive 2006/24 does not lay down clear and precise rules governing the extent of the interference with the fundamental rights enshrined in Articles7and 8 of the Charter. It must therefore be held that Directive 2006/24 entails a wide-ranging and particular serious interference with those fundamental rights in the legal order of the EU, without such an interference being precisely circumscribed by provisions to ensure that it is actually limited to what is strictly necessary".
Paragraph 69 of the ruling:
- "Having regard to all the foregoing considerations, it must be held that, by adopting Directive 2006/24, the EU legislature has exceeded the limits imposed by compliance with the principle of proportionality in the light of Articles 7, 8 and 52(1) of the Charter".
Paragraph 59 of the ruling refers to blanket and indiscriminate surveillance:
- "Moreover, whilst seeking to contribute to the fight against serious crime, Directive 2006/24 does not require any relationship between the data whose retention is provided for and a threat to public security and, in particular, it is not restricted to a retention in relation (i) to data pertaining to a particular time period and/or a particular geographical zone and/or to a circle of particular persons likely to be involved, in one way or another, in a serious crime, or (ii) to persons who could, for other reasons, contribute, by the retention of their data, to the prevention, detection or prosecution of serious offences"
Advocate General Opinion
On Thursday, the European Court of Justice's Advocate General, Cruz Villalon, issued an opinion on the compatibility between the Charter of Fundamental Rights and the data retention directive. In a press release he said the directive,
- "constitutes a serious interference with the fundamental right of citizens to privacy, by laying down an obligation on the providers of telephone or electronic communications services to collect and retain traffic and location data for such communications".
He said the directive was incompatible because firstly, it did not meet the charter's requirement that "any limitation on the exercise of a fundamental right must be provided for by law". (the fundamental right referenced here is the right to privacy). Secondly, the legislation did not provide sufficient guidelines for determining access to the data;
- , the European Union legislature should, in particular, have provided a more precise description than ‘serious crime’ as an indication of the criminal activities which are capable of justifying access of the competent national authorities to the data collected and retained"
And lastly the time-frame for the storage of the information was not proportionate. While the current period is 6-24 months, he said there was no reason why member states would not decrease it to under a year.
State reactions to ECJ incompatibility ruling
A Swedish ISP, Bahnhof, deleted all customer data , even though the law implementing the directive is still in place. The company's CEO said "“We have followed this verdict and from our point of view it is more important to protect the privacy and integrity of our customers"
The Finnish Minister of Communications, Krista Kiuru, announced a review into the Finnish adaptation of the law saying "if [Finland] wants to be a model country in privacy issues, Finnish legislation has to respect fundamental rights and the rule of law."
Implementation into UK law
The data to be collected is specified in a Statutory Instrument.
Review of the Directive 2011 onwards
The Commission reviewed the Directive and its implementation starting in 2011.
Challenges and non-implementation
A further challenge is expected in Norway, where an organisation called Digitalt Personvern (Digital Privacy) has collected NOK 800,000 in order to challenge the measure in their courts when implemented.
Austria December 2012
Sweden refused to implement the Data Retention Directive for a long period, finally adopting it on 21 March 2012. It came into effect on 1 May 2012.
Ireland February 2009: first ECJ challenge
Ireland (in February 2009) and Slovakia (on a different date) both issued a legal challenge in 2008.
The challenge was based on the process by which the directive was passed by the EU, claiming it didn't go through the proper channels for the type of legislation it was. The directive was passed in the way bills relating to private financial interests are passed, and Ireland and Slovakia argued that it affected policy and justice, and so should have been put through the scrutiny associated with bills in that category.
43 NGOs (Including ORG) from 11 countries across the EU sent a brief to the European Court of Justice setting out our concerns in light of the Irish and Slovakian (in particular the Irish) cases against the directive.
The European Court of Justice sided with the European Commission, saying that in fact the bill was not one regarding policy and so passed through the proper channels. However, they made it clear that they were not ruling on human rights issues so left the door for a future challenge on those grounds (see below).
Romania October 2008
Romania's constitutional courts appear to be blocking the directive.
The courts said that the Data Retention Directive directly conflicted with the citizen's fundamental right to secrecy of correspondence enshrined in the Romanian constitution and heavily implied in Article 8 of the European Convention of Human Rights.
Bulgaria 11 December 2008
Bulgaria's Supreme Administrative Court made the same ruling when the Access to Information Program filed a lawsuit against the legislation. The lawsuit was brought to a lower court and overturned, but this decision by the Supreme Administrative Court can not be subject to appeal, and so is final. The court said that the directive was not in compliance with the Bulgarian constitution, nor ECHR, and did not provide sufficient safeguards to protect personal data from misuse.
Germany early 2010
And similarly, Germany's courts have made a similar decision and are challenging the directive. The German Federal Constitution Court has ruled that the German law introduced to implement the directive is not in accordance with privacy rights that are guaranteed by the German Constitution, but the court said that the law can be amended to become constitutionally acceptable. The courts said that there were not enough safeguards to prevent misuse of citizen's personal data, and that the German data protection commissioner should have oversight of the operation. It was a class action suit brought to the court by 35 thousand German citizens, and was successful. The law as it was passed in 2008 must be amended before it can be put into action again.
In April 2012, the EU Commission warned Germany that they could be fined for failing to implement the Directive. Politicians in Germany were warned that requirements for "quick freeze" (retention after identifying a suspect) would not amount to transposition of the Directive.
Czech Republic March 2011
The Czech Republic rejected the Directive as unconstitutional in March 2011. They are however now reconsidering introducing it after the EU Commission threatened Germany with fines.
Data requests have dropped tenfold, while crime detection rates have increased, according to Luridicum Remedium (LuRe), analysing police data.
Cyprus February 2011
Cypriot courts rejected the local implementation of the Directive as unconstitutional on 1 February 2011. They resricted their judgement to matters that weren't required in the Directive, specifically means of access. The court ruled that access by police through courts to the data was in three cases illegal, and annulled the requests for access.
Ireland May 5th 2010 onwards: Irish High Court case and referral to ECJ
On May 5th 2010 the Irish High Court ruled against the Data Retention Directive in a case brought forward by Digital Rights Ireland. The court ruled that DRI was a legitimate group representing the public interest and arguing for a serious and "fundamental public importance". For the same reason potential costs were also waived by the court in the case of DRI losing.
The High Court recommended that the case be brought before the European Court of Justice for review, which could have serious implications across the EU. It is currently in the process of being heard by the European Court of Justice, but no judgment has yet been made over the issue.
A decision could be expected within 12 to 18 months, though this may depend on whether the ECJ decides the matter as a Grand Chamber rather than a smaller chamber.
Article 29 Data Protection Working Party on Data Retention
Result of ECJ decision
- Data Retention
- Text of the Directive
- stopdataretention petition
- News, position papers on and analysis of the directive
- Which UK MEPs voted, and how
- FFII press release
- English video stream of today's plenary session (Windows Media format)
- Electronic Privacy's Data Retention Directive
- ECJ ruling p25(PDF) 8 April 2014 last accessed 09/04/2014
- ECJ ruling p26(PDF) 8 April 2014 last accessed 09/04/2014
- ECJ ruling p24 (PDF) 8 April 2014 last accessed 09/04/2014
- European Court of Justice(2013) "PRESS RELEASE No 157/13
- European Court of Justice(2013) "PRESS RELEASE No 157/13
- PCWorld (2014) "Swedish ISP deletes all retained customer data in wake of EU court ruling" Accessed 10/04/2014
- Electronic Frontier Foundation (2014) "Data Retention Directive Invalid, says EU's Highest Court" Accessed 11/04/2014
- Digitalt Personvern website
- Austrian Judges Question The Validity Of EU Data Retention Directive TechWeekEurope
- Press release from the court (German)
- Full decision (German)
- Deutsche Welle 22 March 2012
- Information Overlord
- ORG blog, 2008
- Germany's data retention law ruled unconstitutional over privacy concerns, Outlaw 3 March 2010
- Germany Misses EU Data Retention Deadline, Could Face Court Action, PC World 27 April 2012
- PC Advisor
- EDRIGram 9.3
- DRI: Data retention ruled against by Irish court Open Rights Group blog
- Data retention challenge on Scribd
- Article 29 Working Party