By Orla Lynskey
In its eagerly anticipated judgment in the Digital Rights Ireland case, the European Court of Justice held that the EU legislature had exceeded the limits of the principle of proportionality in relation to certain provisions of the EU Charter (Articles 7, 8 and 52(1)) by adopting the Data Retention Directive. In this regard, the reasoning of the Court resembled that of its Advocate General (the facts of these proceedings and an analysis of the Advocate General’s Opinion have been the subject of a previous blog post). However, unlike the Advocate General, the Court deemed the Directive to be invalid without limiting the temporal effects of its finding. This post will consider the Court’s main findings before commenting on the good, the bad and the ugly in the judgment.
The Court’s Findings
In reaching this conclusion, the Court reasoned as follows. It first narrowed the multiple questions referred by the Irish and Austrian courts down to one over-arching issue, whether the Data Retention Directive is valid in light of Articles 7, 8 and 11 of the Charter (setting out the rights to privacy, data protection and freedom of expression respectively). It then conducted its assessment in three parts.
First, it examined the relevance of these Charter provisions with regard to the validity of the Data Retention Directive. Although the Court recognised the potential impact of data retention on freedom of expression, it chose not to examine the validity of the Directive in light of Article 11 of the Charter. It noted that the Directive must be examined in light of Article 7 as it ‘directly and specifically affects private life’ and in light of Article 8 as it ‘constitutes the processing of personal data within the meaning of that article and, therefore necessarily has to satisfy the data protection requirements arising from that article’.
Second, it considered whether there was an interference with the rights laid down in Articles 7 and 8 of the Charter. It noted that the Data Retention Directive derogates from the system of protection set out in the Data Protection Directive and the E-Privacy Directive . It cited Rundfunk as authority for the proposition that an interference with the right to privacy can be established irrespective of whether the information concerned is sensitive or whether the persons concerned have been inconvenienced in any way . The Court therefore held that the obligations imposed by the Directive to retain data constitutes an interference with the right to privacy  as does the access of competent authorities to that data . The Court also held that the Directive interferes with the right to data protection on the mystifyingly simplistic grounds that ‘it provides for processing of personal data’ . It observed that these interferences were both wide-ranging and particularly serious .
The Court then, thirdly, assessed whether these interferences with the Charter rights to privacy and data protection were justified. According to Article 52(1) of the Charter, in order to be justified limitations on rights must fulfil three conditions: they must be provided for by law, respect the essence of the rights and, subject to the principle of proportionality, limitations must be genuinely necessary to meet objectives of general interest. The Court held that the essence of the right to privacy was respected as the Directive does not permit the acquisition of content data  and the essence of the right to data protection was respected as the Directive requires Member States to ensure that ‘appropriate technical and organisational measures are adopted against accidental or unlawful destruction, accidental loss or alteration of data’ . With regard to whether the interference satisfies an objective of general interest, the Court distinguished between the Directive’s ‘aim’ and ‘material objective’: it noted that the aim of the Directive is to harmonise Member States’ provisions regarding data retention obligations while the ‘material objective’ of the Directive is to contribute to the fight against serious crime . The Court observed that security is a right protected by the EU Charter and an objective promoted by EU jurisprudence . It therefore held that the Data Retention Directive ‘genuinely satisfies an objective of general interest’  and proceeded to analyse the proportionality of the Directive.
The Court effectively adopted a two-pronged proportionality test, considering whether the measure was appropriate to achieve its objectives and did not go beyond what was necessary to achieve them . Applying the ECtHR’s Marper judgment by analogy, it noted that factors such as the importance of personal data protection for privacy and the extent and seriousness of the interference meant the legislature’s discretion to interfere with fundamental rights was limited [47-48]. It held that the data retained pursuant to the Directive allow national authorities ‘to have additional opportunities to shed light on serious crime’ and are ‘a valuable tool for criminal investigations’ . Therefore, it found that the Directive was suitable to achieve its purpose.
With regard to necessity, it noted that limitations to fundamental rights should only apply in so far as is strictly necessary  and that EU law must lay down clear and precise rules governing the scope of limitations and the safeguards for individuals . It held that the Directive did not set out clear and precise rules regarding the extent of the interference . It highlighted several elements of the Directive which fell short in this regard. By applying to all traffic data of all users of all means of electronic communications the Directive entailed ‘an interference with the fundamental rights of practically the entire European population’  and did not require a relationship between the data retained and serious crime or public security [58-59]. Moreover, no substantive conditions (such as objective criterion by which the number of persons authorised to access data can be limited) or procedural conditions (such as review by an administrative authority or a court prior to access) determined the limits of access and use to the data retained by competent national authorities [60-62]. Nor did the Directive determine the time period for which data are retained on the basis of objective criteria [64-65].
The Court also held that the Directive did not set out clear safeguards for the protection of the retained data. This finding was supported by the Court’s observation that the rules in the Directive were not tailored to the vast quantity of sensitive data retained and to the risk of unlawful access to these data . Rather, the Directive allowed providers to have regard to economic considerations when determining the technical and organisational means to secure these data . Moreover, the Directive did not specify that the data must be retained within the EU and thus within the control of national Data Protection Authorities . For these reasons, the Directive was declared invalid by the Court .
The Good, the Bad and the Ugly
The Good The judgment is to be welcomed for its end result – the invalidity of the Directive – as well as for many other reasons. It is a victory for grassroots civil liberties organisations and citizen movements: the preliminary references stemmed from actions taken by Digital Rights Ireland – an NGO – and just under 12,000 Austrian residents. More of these types of initiatives are needed in order to assure effective privacy and data protection. From a more substantive perspective, the judgment also recognises the dangers posed by aggregated meta-data – that it may ‘allow very precise conclusions to be drawn concerning the private lives’ of individuals  – and by data retention more generally – that it ‘is likely to generate in minds of the persons concerned the feeling that their private lives are the subject of constant surveillance’. It also acknowledges that such data retention may have a chilling effect on individual freedom of expression .
The Bad Nevertheless, some aspects of the judgment are less welcome. Most notably here, the Court glosses over the fact that it assesses the proportionality of the Directive in light of its ‘material objective’ – crime prevention – rather than its stated objective – market harmonisation. This sits uncomfortably with the Court’s finding in Ireland v Council that the Directive was enacted on the correct legal basis as its predominant purpose was to ensure the smooth functioning of the EU internal market. The Court also incorrectly applies Article 8 of the EU Charter. Not only does it consider that there is an interference with this right every time data are processed , it also fails to consider how the application of this right can be applied to a piece of legislation which pursues law enforcement objectives. The Data Protection Directive excludes data processing for law enforcement purposes from its scope (Article 3(2)) and the right to Data Protection should, pursuant to Articles 51(2) and 52(2) of the Charter, be interpreted in light of and reflect the scope of the Directive. This conundrum is conveniently overlooked by the Court.
And the Ugly However, the most disappointing element of the judgment, like the Opinion of the Advocate General, is that it does not query the appropriateness of data retention as a tool to fight serious crime . Given the prominence of this issue in both the EU and the US in the post-PRISM period, empirical evidence is needed to justify this claim.