TL;DR: In Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources and Ors, the CJEU ruled that the EU Data Retention Directive (2006/24/EC) was invalid for violating Articles 7 and 8 of the Charter of Fundamental Rights of the European Union. The broadly framed Directive failed the necessity/proportionality test.
Facts of the case:
- In 2006, the European Parliament and the Council passed Directive 2006/24/EC on the retention of electronic communications.
- Directive 2006/24 created an obligation on all service providers to retain communication data on all users for a minimum of 6 months and up to two years.
- Ireland passed national legislation, the Communication Retention Data Act of 2011, which gave effect to the Data Retention Directive and mandated retention of all telephone data for 2 years and internet data for 12 months.
- Digital Rights Ireland, an advocacy group, challenged the Irish law – and the underlying EU Data Retention Directive – for violating Articles 7 and 8 of the EU Charter, which protect private life and communications, and personal data.
Issue:
- Whether the Data Retention Directive (2006/24/EC) is compatible with the EU Charter’s fundamental right to privacy and personal data?
Judgment of the CJEU:
- The Court found that the main objective of the Directive was to harmonize member states’ laws on retaining electronic communications data to assist law enforcement in the EU in fighting serious crime and terrorism.
- The Court analyzed the Data Retention Directive and noted that while the Directive did not permit retention of the actual content of communications, it required retaining metadata on all users (i.e. location and duration of calls, type of handset used, numbers called, etc.) that could identify a person and draw precise conclusions about someone’s everyday habits, places of residence, daily movements, social relations, etc.
- The Court found that the Directive required all telephone companies and ISPs to retain all data for a minimum period of six months and to provide access to law enforcement as needed.
- Based on the above, the Court held that the Directive clearly constitutes an interference with the rights guaranteed by Articles 7 and 8 of the EU Charter and must therefore meet the requirements of Article 52(1) of the EU Charter, which states that “any limitation on the exercise of the rights and freedoms laid down by the Charter must be provided for by law, respect their essence and, subject to the principle of proportionality, limitations may be made to those rights and freedoms only if they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others”.
- The Court held that the Directive was not proportional and exceeded the limits of what is appropriate and necessary for the following reasons:
- i) The Directive was very broad and applied to all means of electronic communications (telephony, mobile telephony, Internet access, Internet e-mail and Internet telephony).
- ii) The Directive covered all calls made by all subscribers and registered users without any differentiation, limitation or exceptions tied to the objective of fighting against serious crime and thus impacted the rights of practically the entire European population.
- iii) The Directive provided no objective criterion on who could access the retained data or its subsequent use.
- iv) The Directive had no provisions on judicial review and contained no conditions needed to access data or limits on subsequent use of the data.
- v) Finally, since the Directive did not require that the data be stored or retained within the European Union, data held outside the EU would be outside the scope of the Charter.
Holding:
The CJEU held that the Data Retention Directive (2006/24/EC) was invalid for being incompatible with the EU Charter. The Directive had failed to provide sufficient safeguards to ensure effective data protection against the risk of abuse and unlawful use and access.