9 April, 2014
On 8 April 2014, the European Court of Justice ruled that the Data Retention Directive (Directive 2006/24/EG), that requires providers to retain data related to electronic communications, breaches the European law and is retroactively invalid.
The ECJ observed that the retained data make it possible to know with whom, by what means, how often, how long and from which place a subscriber or registered user communicates with certain persons during a giving period of time. According to the ECJ, those data may provide very precise information on the private lives of the persons whose data are retained, such as the habits of everyday life, permanent or temporary places of residence, social relationships and activities carried out. Therefore, the ECJ states that the Directive that requires the retention of this data interferes with the fundamental rights to privacy and the protection of personal data.
The ECJ argues that this interference is not justified, as the legislation has exceeded the limits of proportionality. Firstly, the Directive covers the retention of data of all individuals, without any differentiation, limitation or exception being made in the light of the objective of fighting against serious crime. Secondly, there is no objective criterion to ensure that the competent national authorities only use the data for the purposes of prevention, detection or criminal prosecutions concerning serious crimes. Thirdly, the Directive imposes a retention period of at least six months, without making any distinction between different categories of data. Besides, the Directive does not state the objective criteria on the basis of which the period of retention must be determined in order to ensure that it is limited to what is strictly necessary. Furthermore, the Court states that the Directive does not provide sufficient safeguards to ensure effective protection against the risk of abuse. Lastly, the Directive does not require that the data is retained within the EU.
Dutch Secretary Teeven stated that this decision of the ECJ has no influence on the Dutch data retention rules yet. In the Netherlands, providers are required to retain telephone data for 12 months and internet data for 6 months. According to Teeven, the retention of those data is necessary for, amongst others, retrieving stolen telephones. He indicated that he wants to study the decision in the coming weeks. However, several parliamentary groups have filed motions already to cancel the data retention requirement, as they think it is unacceptable to wait several weeks before reacting on such an groundbreaking European decision. Probably, there will be some changes in the Dutch data retention law soon, or it will be cancelled in its entirety.
The ‘Ethics in Networked Systems Research’ project at the Oxford Internet Institute launched a...
On 15 June 2015, the European Council agreed on the proposal for the new general data protection...