Privacy Trumps Security as EU Court of Justice Invalidates Data Retention Directive
In 2006, responding to terrorist attacks in London and Madrid, the European Commission implemented a data retention directive (the “Directive”) seeking to harmonize EU member states’ retention of certain electronic data that is generated or processed by providers of electronic communications services or public communications networks. The Directive requires, among other things, that Internet service providers retain details of network user communications and information necessary to identify particular users for at least six months and, in some cases, up to two years.
An Irish company, Digital Rights Ireland (“DRI”), challenged the breadth and legality of the Directive in a dispute with Irish authorities concerning certain electronic data in DRI’s possession. Various other challenges to the Directive were also brought in other EU countries. The matters were consolidated and referred to the European Court of Justice sitting in Luxembourg for a resolution of whether the Directive violates two fundamental rights under the European Union’s Charter of Fundamental Rights, namely the fundamental right of respect for private life and the fundamental right to the protection of personal data.
On April 8, 2014, the European Court of Justice declared the Directive invalid.
In so holding, the court noted that the Directive was so broad as to allow for retention of information that could later identify: (1) the person with whom a subscriber or registered user has communicated and by what means; (2) the time and place of the communication; and (3) the frequency of the communications of the subscriber or registered user with certain persons during a given period. Taken as a whole, the data involved could provide authorities with “very precise information on the private lives of the persons whose data are retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, activities carried out, social relationships and the social environments frequented.”
The Court noted that the Directive “satisfies an objective of general interest, namely the fight against serious crime and, ultimately, public security,” but nevertheless violates the principle of “proportionality” because it fails to differentiate between different types of data and fails to set forth objective criteria by which authorities would be able to gain access to the information. Allowing authorities access to such data interferes, said the Court, in a “particularly serious manner with the fundamental rights [of] respect for private life and [with] the protection of personal data.” The opinion also noted that the authorities often were granted access to data without any prior court review of the requesting authority’s need for the information or any review of the breadth of the data request.
The ruling is a reminder that EU member states view privacy protection as a fundamental human right, and often one that trumps potentially serious security or terrorist threats. That perspective generally is not shared by U.S. courts and law enforcement, although the ongoing national security debate in the U.S. has brought the issue of privacy protection to the forefront. In addition, at least some procedural protections, including prior court review of data sought in individual cases, are starting to be imposed more consistently among law enforcement agencies in all but the most emergent situations. It remains to be seen, however, whether U.S. courts take any lessons from this ruling about how to strike the right balance between privacy and security. It also remains to be seen how this decision impacts negotiations between the EU and the U.S. concerning cross-border data transfer protocols, safe harbor protections, cybersecurity programs, and other electronic data initiatives currently under consideration.