by Alessandra Silveira, Editor and Pedro Freitas, Member of CEDU
In the decision Digital Rights Ireland of 2014[i], the ECJ was called upon to assess the validity of the Directive 2006/24 (on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks) in the light of Articles 7 (Respect for private and family life) and 8 (Protection of personal data) of the Charter of Fundamental Rights of the European Union (CFREU) and considered that the obligation imposed by the Directive 2006/24 on providers of electronic communications services constituted an interference with the aforementioned fundamental rights. [ii]
The issue at hand is that the directive concerned all those who used electronic communications services in Europe – even those whose conduct were not in any way linked with criminal activities. Furthermore, while seeking to fight against serious crime, the Directive did not provide for any differentiation, limitation or exception to the retention of data of persons whose communications are subject to professional secrecy. In addition to a general absence of limits, the Directive 2006/24 did not lay down any objective criterion to limit the access of the competent national authorities to the data and its subsequent use. Furthermore, the Directive did not require that the data in question should be kept within the territory of the Union, and thus a supervision by an independent body was not fully guaranteed.
While it is true that the fight against serious crime is of prime importance in ensuring public safety and that its effectiveness may depend on the use of modern investigative techniques, such objective, be that as it may, cannot in itself justify a retention measure such as the one established by Directive 2006/24 as necessary for those purposes[iii]. By adopting Directive 2006/24, the European Union legislature had exceeded the limits imposed by the principle of proportionality in the light of Articles 7, 8 and 52(1) of the CFREU, and for that reason the ECJ ruled the invalidity of the directive, without reservations as to the temporal effects of its decision (ex tunc).
However, following the judgment in the Digital Rights Ireland case, the reaction of the Member States was not consensual, which led to an unlawful differentiation of treatment between European citizens. The decision of the ECJ raised the problem of the effects of that invalidity in relation to the national provisions transposing the directive. According to data released by the Portuguese Public Prosecutor’s Office, ten of the EU Member States have declared invalid the national laws that transposed the data retention directive, either by parliamentary decision or through their constitutional courts. In other Member States, including Portugal, this was not the case because the substantial requirements of the ECJ’s decision were deemed satisfied by the national legislation that transposed it. [iv]
Disagreeing with the ruling of the ECJ, the Portuguese Public Prosecutor’s Office’s Practice Note no. 7 states that the ECJ’s decision required “conditions that are not viable or that, if applied, render the retention useless.” Accordingly, the Portuguese authorities declared that the Directive 2006/24 and the Portuguese Law no. 32/2008, which transposed the former, is only useful if the data is gathered from all citizens, indiscriminately, because “When the data is retained, it is not possible to know whether such data may be necessary as evidence of a crime. Only after a crime has occurred will this generalized and indiscriminate gathering of data be useful as evidence”.
Unsurprisingly, following the judgment in Digital Rights Ireland, two national courts (one Swedish and one British) requested for a preliminary ruling of the ECJ to scrutinize the conformity of those national legal systems, which continue to impose a general obligation of retention of data on providers of publicly available electronic communications services (judgment which was recently published)[v]. In other words, by requesting for a preliminary ruling, the ECJ was asked to clarify the consequences of the invalidity of Directive 2006/24 for national authorities and to determine whether a general obligation to retain data would be compatible with Article 15(1) of Directive 2002/58 (concerning the processing of personal data and the protection of privacy in the electronic communications sector), in the light of Articles 7, 8 and 52(1) of the CFREU. Article 15(1) of Directive 2002/58 allows Member States to adopt legislative measures for the retention of data for a limited period, subject to compliance with the general principles of the European Union law and fundamental rights therein protected.
As to the retention of the data, the ECJ distanced itself from the solution suggested by the Advocate General[vi] and relied its decision on the principle of stricto sensu proportionality: the CFREU would not allow widespread and undifferentiated retention of all traffic data and the location of all registered users for all electronic means of communication, with the purpose of fighting criminality. [vii] This principle of stricto sensu was not assessed by the ECJ in Digital Rights Ireland case because the Court held that the legal framework established by Directive 2006/24 exceeded what was necessary for the purpose of combating serious infringements. In any event, Article 15(1) of Directive 2002/58 does not preclude a Member State from adopting legislation which allows, on a precautionary basis, the selective conservation of traffic and location data for the purpose of fighting serious crime, as long as data retention is limited to what is strictly necessary in relation to the categories of data to be retained, the means of communication to which they relate, the persons concerned and the established retention period. [viii]
With regard to the access to the data retained, by weighing the advantages resulting from the measure in the light of the legitimate objective pursued, on the one hand, and the disadvantages that affect the fundamental rights enshrined in a democratic society, on the other hand, the ECJ held that the Article 15(1) of Directive 2002/58, in the light of Articles 7, 8, 11 and 52(1) of the CFREU, must be interpreted in such a way that no national law on the access of national authorities to retained data should be allowed i) without limiting such access to cases of serious crime, (ii) without submitting such access to the prior review of a court or an independent administrative authority, and (iii) without requiring that the data in question remains in the territory of the Union[ix]. Moreover, according to the ECJ, it is necessary that the competent national authorities that have access to the retained data inform those who had their data retained so that they exercise their right to effective judicial protection expressly provided for in Article 15 (2) of Directive 2002/58, except when the investigation being carried is not compromised. [x]
From the judgment in Tele 2, we conclude that (i) the declaration of invalidity of the legislative provisions contained in a European directive inevitably affects the legal act that transposes it to the internal legal order, and, following the declaration of invalidity of Directive 2006/24, (ii) a Member State cannot use the prerogative conferred by Article 15(1) of Directive 2002/58 to impose a general obligation to retain data. It is therefore urgent to draw conclusions from this recent ruling by the ECJ, mostly because in those Member States where the transposed legislation was maintained after the declaration of invalidity of Directive 2006/24, many criminal convictions were held on evidence (metadata) that might have been unlawfully retained.
[i] Digital Rights Ireland, Seitlinger and Others, Joined cases C-293/12 and C-594/12, 8 April 2014.
[ii] See Digital Rights Ireland case, recital no. 34.
[iii] See Digital Rights Ireland case, recital no. 61.
[iv] See Portuguese Public Prosecutor’s Office, Report no. 7 on traffic data retention and Law no. 32/2008, 2015, http://cibercrime.ministeriopublico.pt/sites/default/files/documentos/pdf/nota_pratica_7_retencao_de_dados.pdf.
[v] Tele2 case, Joined Cases C-203/15 and C-698/15, 21 December 2016.
[vi] See Tele2 conclusions (Advocate General Henrik Saugmandsgaard Øe), 19 July 2016, Joined Cases C-203/15 and C-698/1, recital no. 262.
[vii] Tele2 case, recital no. 107 and 112.
[viii] Tele2 case, recital no. 108 to 111.
[ix] Tele2 case, recital no. 125.
[x] Tele2 case, recital no. 121.
Picture credits: Video tape archive storage by DRs Kulturarvsprojekt.
One thought on “Implications of the declaration of invalidity of the Directive 2006/24 on the retention of personal data (metadata) in the EU Member States: an approach to the judgment Tele 2 of 21 December 2016”
Pingback: Editorial of May 2022 – Official Blog of UNIO