Data Retention – the ECJ in a quandary, overhasty euphoria by privacy groups
On 12 December 2013, Advocate-General Pedro Cruz Villalón – responsible for the pending proceeding of the Data Retention Directive 2006/24/EC before the ECJ- delivered his opinion on that case (case C-293/12 – Digital Rights Ireland).
The Advocates-General support the ECJ in its decisions by providing, beforehand, a non-binding legal assessment of the matters in question. These considerations can be taken up by the judges but there is no obligation to do so.
Taken by themselves, the explanations made by the Advocate-General about whether the directive in question were contrary to fundamental rights are remarkable in many aspects. This concerns – just to give one example – the distinction of Art. 7 CFREU, the right to respect for private and family life, from Art. 8 CFREU, which guarantees the protection of personal data on the basis of data quality. The General-Advocate distinguishes between “classical” personal data only used to identify a person and new data, which in their quality go beyond that level insofar as they, for instance, allow creating behavioural profiles. Art. 8 CFREU shall be meant to protect classical personal data whereas Art. 7 CFREU is supposed protect even more sensitive data.
However, a particularly interesting aspect is the fact that the estimation of the General-Advocate leads the ECJ into a dilemma as it is in contradiction to the court’s jurisdiction. Thus, the Advocate-General holds that the directive infringes Art. 7 EU Charter of Fundamental Human Rights (CFREU) because it makes absolutely no provision regarding the access to the data by national security agencies. Instead, the directive regulates only the retention of data by telecommunication service providers. In its first holding on data storage (Case C-301/06 – Ireland vs. Parliament and Council), the ECJ by contrast stated the directive was compatible with Union law precisely because it has been limited to storage obligations.
Certainly, the Advocate-General cannot be accused of infedility towards the authority of the ECJ. In fact, with regard to the scope of regulation this different position was possible since the objects of both submission proceedings were varying in nature as will be shown in a moment.
Having said that and inspecting the Court’s contemplations on Ireland vs. Parliament and Council, the early euphoria by privacy groups about a bided repeal of the directive by the ECJ after the Advocate’s opinion last month seems to be more or less groundless.
The proceeding of Ireland vs. Parliament and Council – The Issue of Competences
In the first case of data retention, the ECJ had to rule on whether the directive was based on the correct legal basis whereas for procedural reasons, the court was not supposed to answer issues of fundamental rights and hence did not take them into account.
The question of the correct legal basis always arises for the European legislator as it can, according to the so-called principle of conferral of competences, only act within the limits of the competences conferred to the EU by the European treaties. The Court of Justice confirmed, like it was provided by the European legislator, to base the directive on the legal basis of the realisation of the European internal market according to Art 95 EC (today’s Art. 114 TFEU). This is due to the fact that at that time different or partly no legal obligations at all to data retention existed in the member states. In turn, this situation led to different financial burdens for telecommunication providers operating in various member states and, in consequence, distorted competition.
The fact that the directive was additionally (or even primarily?) to facilitate crime prevention and prosecution for national security agencies was in the court’s opinion harmless. There was no need for another competence basis beside the competence of the realisation of the European internal market. This was only because the directive was limited to obligations of data storage, any regulation concerning access was left to the member states.
The proceeding of Ireland v. Parliament and Council – The Issue of Fundamental Rights
By now, the question concerning the compatibility of the directive with fundamental rights, left aside in the first holding on data retention, has to be answered by the ECJ. In the Advocate General’s view the situation is problematic because of the absence of any regulations as regards the access to the data (which, according to the ECJ, were necessary in order to base the directive on the competence for the interior market). In his opinion there is a infringement of Art. 52(1) CFREU which requires a statutory basis in case of any infringements of rights guaranteed in the CFREU. Indeed, with the directive itself a statutory basis was formally given. But Art. 52 went beyond this formal requirement and demanded for a sufficient statutory basis virtually which needs a certain precision. The “quality of the law” was crucial, then.
The European legislator itself should regulate at least the basic requirements if he allowed such a massive violation of fundamental rights by permitting the access to the stored data. By creating the possibility itself, it could not leave the responsibility to protect fundamental rights to the implementing member states. At any rate, it was therefore necessary and also within the responsibility of the European legislator to define principles for the data access. In consequence, the directive was illegitimate, precisely as it did not regulate the access to data but was limited to obligations of data storage only.
Furthermore, the General Advocate finds that the directive violates the proportionality principle, as it allows the Member States to store data for a period of up to to two years.
Decision of the ECJ remains open
It is doubtful how the court will respond to it. Not to be discussed in detail here, several answers would be conceivable. In any event, all these expectations, which were spread in the course of the opinion’s publication, including that the ECJ would judge as a rule and thus as well in this case fully according to the Advocates-General’s opinion in every single point were hasty. Contrary to standard practice, the ECJ has already dealt with this specific legal act and did comment quite extensively on particular aspects. At that time they had been discussed in the light of competence issues but in the Advocate-General’s opinion at once they are of relevance in the context of fundamental rights issuses as well. Thus, the court virtually commits itself in this field. It does not seem to rule out the incompatibility of the directive with European law in general. Otherwise, the judges could have made that clear in their first judgment notwithstanding the procedural limits, as the judgment regarding the competence issue would not make sense if the legal act was in any case incompatible with other provisions of European law.
In this respect, the court’s decision may still be awaited with excitement. The ECJ will most likely not confirm the full compatibility of the directive with fundamental rights, but rather formulate certain requirements in this respect. It will probably even follow some of the findings of the Advocate General, especially the ones regarding the violation of the proportionality principle. But even if the ECJ expressed full agreement with the Advocate-General it would not mean the end of data retention in general. Measures required according to the Advocate-General for preventing violations of fundamental rights could be implemented with only little difficulty and without abolishing the method as such. In the Advocate-General’s view, additional provisions concerning the access to stored data and reduction of storage periode from two years to date to only one year will be sufficient. Even for the transitional year till the adoption of a revised directive, in his opinion, the ECJ should mandate its continuing validity although it violates fundamental rights. So, the door is open for data retention – unless the ECJ goes even further in estimating the issue of fundamental rights than the Advocate-General and considers the measure principally incompatible with the European Charter of Fundamental Human Rights. However, according to previous experience in handling with opinions of the Advocates-General – that case seems rather unlikely .
- EuGH, Urt. v. 10.2.2009, Rs. C-301/06 (Vorratsdatenspeicherung I).
- EuGH, Schlussanträge, Rs. C-293/12 (Vorratsdatenspeicherung II).
- Die bevorstehende Entscheidung des EuGH aus rechtlicher Perspektive eingehend antizipierend Daniel Thym, Wer kontrolliert den digitalen Frankenstein? Die Zukunft der Vorratsdatenspeicherung, www.verfassungsblog.de v. 17.12.2013.
This post is part of a weekly series of articles by doctoral canditates of the Alexander von Humboldt Institute for Internet and Society. It does not necessarily represent the view of the Institute itself. For more information about the topics of these articles and asssociated research projects, please contact email@example.com.
This post represents the view of the author and does not necessarily represent the view of the institute itself. For more information about the topics of these articles and associated research projects, please contact firstname.lastname@example.org.
Sign up for HIIG's Monthly Digest
and receive our latest blog articles.
Analysing security in cyberspace can encompass a variety of topics. The workshop under scrutiny touched upon some of them, providing valuable insights for society and, ultimately, relevant ideas for building...
The Internet and Society Fellowship is internationally focused and offers a unique opportunity for innovative thinkers who wish to engage in the exchange of research and to set up new…
Anonymization is advertised as a solution for privacy concerns, while machine learning is portrayed as dangerous and evil – but those operations have more in common than widely assumed. We...