Depending on the new Commission’s level of ambition when it takes office in the Autumn, this week’s European Court of Justice preliminary ruling (Cases C-293/12 and C-594/12), which found a 2006 Directive invalid, could prove an opportunity to re-think the EU approach to privacy and protecting personal data.
When we think about the EU and privacy, the controversial data protection reform package with its headline-grabbing features (e.g. anti-trust style fines [subscription required] for data breaches of up to 2% of a company’s global turnover), springs to mind. While this package is, indeed, the key-stone to Union privacy law, other legislation also deserves attention.
This week, the spotlight was turned on the 2006 Data Retention Directive (DRD, for which Home Affairs Commissioner, currently Cecila Malström, is responsible) and the 2002 e-Privacy Directive (Digital Agenda Commissioner, currently Vice-President Neelie Kroes, is responsible). Both contain provisions on data retention for law enforcement purposes. Both will be reviewed shortly. The Court’s preliminary ruling invalidated the DRD and will augment the pressure for rapid reform.
Joined cases brought by privacy advocates from Ireland and Austria gave the European Court of Justice the opportunity to set out its views on how far restrictions to EU citizens’ rights may be justified in the general interest and how much discretion may be left to Member States to legislate within the single market.
The first notable point is that the Court underscored the extent to which the DRD impinges on EU citizen’s rights. The Court stated that the DRD “entails an interference with the fundamental rights of practically the entire European population.” It “covers, in a generalized manner, all persons and all means of electronic communication as well as all traffic data without any differentiation, limitation or exception.”
Second, the Court found that the DRD “interferences” could only be justified if clear and precise rules had been set out in the legislation as well as minimum safeguards against the risk of abuse and unlawful access and use of the data collected. The Court found it unacceptable that important aspects of the Directive had been left to Member State discretion.
Third the Court faulted the legislators for not requiring the data to be retained within the European Union, stating this ran counter to Article 8(3) of the European Charter of Fundamental Rights and settled case-law requiring control of the data by an “independent authority of compliance.” The full implications of this aspect of the ruling remain to be seen but this could boost the campaign by some Europeans to create a so-called “Schengen cloud” to store European data.
In many respects, most of this ruling is relatively unsurprising. The DRD has been a challenge from the start. A handbook of best practices, a non-binding tool to assist industry, law enforcers, and Member States replaced what should have been greater clarity in the legislative text. Questions have been raised for some time about the mismatch between DRD obligations and actual needs. Given the differing national retention requirements, cross-border police and judicial cooperation is rather difficult and operators highlight the high cost of compliance.
The Commission had been expected to await the outcome of the negotiations on the data protection package, and the review of the e-Privacy Directive before embarking on any reform of the DRD. The Court ruling may mean this sequence of events is now revised. Now that legal action is complete, the Commission may also resume infringement proceedings against Member States for faulty DRD implementation.
The next Justice, Home and Digital Agenda Commissioners should make protecting personal data an early priority and complete the legislative framework in the initial years of their new term of office. Pressure from the Court and elsewhere will ensure that European solutions are prioritized. Meantime, for data retention, market operators will remain subject to national legislation.