Skip to main content

Advertisement

SpringerLink
Log in

Data retention: the life, death and afterlife of a directive

  • Article
  • Published:
ERA Forum Aims and scope

Abstract

In its landmark judgment in Digital Rights Ireland, the Court of Justice of the European Union struck down the Data Retention Directive on the basis that it violated the fundamental rights to privacy and data retention. While the judgment has rightly been praised for its robust protection of fundamental rights, it also leaves important questions unresolved and raises deeper issues about the proper division of competence between the EU and its Member States and the respective roles of the courts and the political organs within the EU’s constitutional structure.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Similar content being viewed by others

Notes

  1. Joined Cases C-293/12 and C-594/12 Digital Rights Ireland, Seitlinger & Others (Judgment of 8 April 2014), EU:C:2014:238 (‘Digital Rights Ireland’).

  2. Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC [2006] OJ L 105/54.

  3. See e.g. Lynskey [8]; Fabbrini [5]; Granger/Irion [6]; Marin [9].

  4. See European Commission [4]; European Commission [3]; Anderson [1], paras. 7.49–7.51 and 9.43–9.47.

  5. Anderson [1], para. 9.23.

  6. European Commission [4], p. 6.

  7. European Commission [4], p. 6.

  8. The European Union has recently undertaken its most extensive reform of data protection law with the introduction of the reform package including Regulation (EU) 2016/679, the General Data Protection Regulation, and Directive (EU) 2016/680, the Law Enforcement Directive.

  9. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [1995] OJ L 281/31 (‘the Data Protection Directive’).

  10. Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) [2002] OJ L 201/37 (‘the e-Privacy Directive’). Article 5 of the e-Privacy Directive required Member States to ensure ‘the confidentiality of communications and the related traffic data by means of a public communications network and publicly available electronic communications services, through national legislation’. Article 6 required that, in general, traffic data ‘be erased or made anonymous when it is no longer needed for the purpose of the transmission of a communication’. Article 9 provided that ‘location data other than traffic data […] may only be processed when they are made anonymous, or with the consent of the users or subscribers to the extent and for the duration necessary for the provision of a value added service’. Article 2(b) of the e-Privacy Directive defined ‘traffic data’ as ‘any data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing thereof’. Article 2(c) of the e-Privacy Directive defined ‘location data’ as ‘any data processed in an electronic communications network, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service’.

  11. Article 3(2) Data Protection Directive; Article 1(3) e-Privacy Directive.

  12. See European Commission [4], p. 10.

  13. Article 47 TEU at this stage precluded the adoption of legislation under the Treaty on European Union which would affect the acquis communautaire. See European Commission [4], pp. 10–11.

  14. European Commission [4], pp. 5–6.

  15. European Commission [4], p. 13.

  16. Ireland and Slovakia voted against the adoption of the Directive.

  17. See, in particular, Recital 6 Data Retention Directive: ‘The legal and technical differences between national provisions concerning the retention of data for the purpose of prevention, investigation, detection and prosecution of criminal offences present obstacles to the internal market for electronic communications’.

  18. Article 1(1) Data Retention Directive.

  19. Articles 1(2) and 5(2) Data Retention Directive.

  20. Recital 25 recorded that the Directive was ‘without prejudice to the power of Member States to adopt legislative measures concerning the right of access to, and use of, data by national authorities, as designated by them’ and that ‘[i]ssues of access to data retained pursuant to this Directive by national authorities for such activities as are referred to in the first indent of Article 3(2) of Directive 95/46/EC fall outside the scope of Community law’.

  21. Articles 6–8 Data Retention Directive.

  22. European Commission [3], p. 30.

  23. Case C-301/06 Ireland v Parliament & Council (Judgment of 10 February 2009), EU:C:2009:68.

  24. Case C-301/06 Ireland v. Parliament & Council, EU:C:2009:68, para. 34.

  25. Case C-301/06 Ireland v. Parliament & Council, EU:C:2009:68, para. 80.

  26. Case C-301/06 Ireland v Parliament & Council, EU:C:2009:68, para. 83.

  27. C-301/06 Ireland v. Parliament & Council, EU:C:2009:68, paras. 85 and 93.

  28. Case C-185/09 Commission v Sweden, EU:C:2010:59; Case C-202/09 Commission v Ireland, EU:C:2009:736; Case C-189/09 Commission v Austria, EU:C:2010:455; Case C-211/09 Commission v Greece, EU:C:2009:737.

  29. Case C-270/11 Commission v Sweden (Judgment of 30 May 2013), EU:C:2013:339.

  30. Case C-329/12 Commission v Germany, EU:C:2014:2034.

  31. European Commission [3], pp. 1 and 5.

  32. European Commission [3], p. 1.

  33. European Commission [3], pp. 5–6. For a useful summary, see Vainio/Miettenin [12].

  34. Joined Cases C-92/09 and C-93/09 Volker und Markus Schecke and Eifert (Judgment of 9 November 2010), EU:C:2010:662.

  35. Opinion of Advocate General Cruz Villalón in Joined Cases C-293/12 and C-592/12 Digital Rights Ireland, Seitlinger & Others, EU:C:2013:84570, para. 72.

  36. Opinion in Digital Rights Ireland, paras. 122–124: ‘However, the issue which now arises is precisely that of whether the European Union may lay down a measure such as the obligation to collect and retain, over the long term, the data at issue without at the same time regulating it with guarantees on the conditions to which access and use of those data are to be subject, at least in the form of principles. […] It must even be considered that, without knowing how that access and use may take place, it is not really possible to reach an informed judgment on the interference resulting from the collection and retention at issue.’

  37. Opinion in Digital Rights Ireland, paras. 93–95.

  38. Opinion in Digital Rights Ireland, para. 124.

  39. Opinion in Digital Rights Ireland, para. 132.

  40. Opinion in Digital Rights Ireland, paras. 154–158.

  41. Judgment in Digital Rights Ireland, paras. 37 and 56.

  42. Judgment in Digital Rights Ireland, para. 27.

  43. Judgment in Digital Rights Ireland, para. 37. The choice of language here is of interest as it is much stronger than that used by the Advocate General who in turn quoted the German Constitutional Court, referring to ‘the vague feeling of surveillance’ data retention could generate: Opinion in Digital Rights Ireland, para. 92.

  44. Judgment in Digital Rights Ireland, paras. 32–37.

  45. Judgment in Digital Rights Ireland, paras. 39–40.

  46. Judgment in Digital Rights Ireland, para. 41.

  47. Judgment in Digital Rights Ireland, para. 43.

  48. Judgment in Digital Rights Ireland, para. 48.

  49. Judgment in Digital Rights Ireland, para. 49.

  50. Judgment in Digital Rights Ireland, para. 55.

  51. Judgment in Digital Rights Ireland, para. 57 and, more generally, paras. 56–59.

  52. Judgment in Digital Rights Ireland, para. 61.

  53. Judgment in Digital Rights Ireland, para. 62.

  54. Judgment in Digital Rights Ireland, paras. 63–64.

  55. Judgment in Digital Rights Ireland, para. 67.

  56. Judgment in Digital Rights Ireland, paras. 67–68.

  57. See Court of Justice, Press Release No. 54/2014: Judgment in Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and Seitlinger and Others, 8 April 2014.

  58. Article 288 TFEU.

  59. Case 23/75 Rey Soda [1975] ECR 1279, para. 50.

  60. For an excellent overview of the position in the immediate aftermath of the judgment, see Vainio/Miettenin [12]. For a more recent and very helpful overview of the position, see Privacy International [11].

  61. See e.g. Communication of the Council of the European Union General Secretariat, CM 2168/17 (24 March 2017).

  62. Privacy International [11].

  63. The litigants challenging the legislation included two MPs from different sides of the political divide, David Davis (Conservative) and Tom Watson (Labour). In advance of his appointment as Minister with responsibility for Exiting the EU, David Davis withdrew from the case.

  64. Opinion of Advocate General Saugmandsgaard Øe of 19 July 2016 in Case C-203/15 Tele2 Sverige/Watson, EU:C:2016:572.

  65. Opinion in Tele2 Sverige/Watson, para. 125.

  66. Opinion in Tele2 Sverige/Watson, para. 261.

  67. Joined Cases C-203/15 and C-698/15 Tele2 Sverige/Watson (Judgment of 21 December 2016), EU:C:2016:970, para. 73.

  68. Judgment in Tele2 Sverige/Watson, paras. 76–81.

  69. Judgment in Tele2 Sverige/Watson, paras. 104–107.

  70. Judgment in Tele2 Sverige/Watson, para. 108.

  71. Judgment in Tele2 Sverige/Watson, para. 109.

  72. Judgment in Tele2 Sverige/Watson, para. 111.

  73. Judgment in Tele2 Sverige/Watson, para. 102; see also para. 115.

  74. Judgment in Tele2 Sverige/Watson, para. 111.

  75. Judgment in Tele2 Sverige/Watson, para. 119.

  76. Judgment in Tele2 Sverige/Watson, para. 120.

  77. Judgment in Tele2 Sverige/Watson, para. 121.

  78. Judgment in Tele2 Sverige/Watson, para. 122.

  79. Judgment in Tele2 Sverige/Watson, para. 124.

  80. Secretary of State for the Home Department v. Watson & Others [2018] EWCA Civ 70, para. 27.

  81. Liberty v. Secretary of State for the Home Department [2018] EWHC 975 (Admin).

  82. Privacy International [11].

  83. For a valuable commentary on the judgment, see Cameron [2].

  84. See e.g. Lenaerts/Van Nuffel [7], para. 7-008.

  85. This very issue is the subject of a preliminary reference from the Investigatory Powers Tribunal in the United Kingdom in Case C-623/17 Privacy International (pending).

  86. Judgment in Digital Rights Ireland, para. 47 (quoting S. and Marper v UK, nos. 30562/04 and 30566/04, Sect. 102, ECHR 2008-V).

  87. For an important contribution to the broader debate which addresses the approaches of the Luxembourg and Strasbourg Courts, see O’Leary [10].

  88. Case C-207/16 Ministerio Fiscal (pending).

  89. In the wake of Tele2 Sverige/Watson, the Council of the European Union has been engaged in a reflection process on data retention without any clear indication of possible outcomes.

  90. Judgment in Tele2 Sverige/Watson, para. 111.

  91. See the Opinion of Advocate General Saugmandsgaard Øe of 3 May 2018 in Ministerio Fiscal, C-207/16, ECLI:EU:C:2018:300. In grappling with the problematic concept of ‘targeted retention’ in Tele2 Sverige/Watson, the Advocate General suggests that the concepts of ‘general and indiscriminate retention’ and ‘targeted retention’ should not be broadly interpreted and should be understood by reference to the specific measures seeking access to retained data, rather than the framework legislation under which such measures may be adopted: see Opinion, paras. 37, 84 and 90. At the time of writing, the judgment in Ministerio Fiscal is awaited.

  92. Dwyer v. Commissioner of An GardaSíochána & Others, High Court Record No. 2015/351P (pending).

  93. On 22 June 2018, in Carpenter v. United States, No. 16-402, 585 U.S. \(\_\_\_\) (2018), the US Supreme Court held (by 5–4) that access by authorities to cell phone location data without a search warrant was a violation of the Fourth Amendment to the United States Constitution which protected not only property interests but also certain expectations of privacy. In language reminiscent of the CJEU judgment in Digital Rights Ireland, the majority opinion stated that phone location records hold for many Americans the ‘privacies of life’ and stated that tracking a cell phone’s location allowed the government to achieve the ‘near perfect surveillance’.

References

  1. Anderson, D.: A question of trust: report of the investigatory powers review. HM Stationery Office (2015)

  2. Cameron, I.: Balancing data protection and law enforcement needs: Tele2 Sverige and Watson. Common Mark. Law Rev. 54(5), 1467 (2017)

    Google Scholar 

  3. Commission, E.: Evaluation report on the Data Retention Directive. COM(2011) 225

  4. Commission, E.: Extended Impact Assessment: annex to a proposal for a directive of the European Parliament and of the Council on the retention of data processed in connection with the provision of public electronic communication services and amending Directive 2002/58/EC. SEC(2005) 1131

  5. Fabbrini, F.: Human rights in the digital age: the European Court of Justice ruling in the data retention case and its lessons for privacy and surveillance in the US. Harv. Hum. Rights J. 28, 65 (2015)

    Google Scholar 

  6. Granger, M.-P., Irion, K.: The Court of Justice and the Data Retention Directive in Digital Rights Ireland: telling off the EU legislator and teaching a lesson in privacy and data protection. Eur. Law Rev. 39(6), 835 (2014)

    Google Scholar 

  7. Lenaerts, K., Van Nuffel, P.: European Union Law, 3rd edn. Sweet & Maxwell, London (2011)

    Google Scholar 

  8. Lynskey, O.: The Data Retention Directive is incompatible with the rights to privacy and data protection and is invalid in its entirety: Digital Rights Ireland. Common Mark. Law Rev. 51(6), 1789 (2014)

    Google Scholar 

  9. Marin, L.: The fate of the Data Retention Directive: about mass surveillance and fundamental rights in the EU legal order. In: Mitsilegas, V., Bergström, M., Konstadinides, T. (eds.) Research Handbook on EU Criminal Law. Edward Elgar, Cheltenham (2016)

    Google Scholar 

  10. O’Leary, S.: Balancing rights in a digital age. Ir. Jurist, 60 (2018)

  11. International, P.: National data retention laws since the CJEU’s Tele-2/Watson Judgment (September 2017). Available at https://privacyinternational.org/sites/default/files/2017-10/Data%20Retention_2017_0.pdf

  12. Vainio, N., Miettenin, S.: Telecommunications data retention after Digital Rights Ireland: legislative and judicial reactions in the Member States. Int. J. Law Inf. Technol. 23(3), 290 (2015)

    Article  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. School of Law, Trinity College Dublin, Dublin, Ireland

    David Fennelly

  2. Law Library, Dublin, Ireland

    David Fennelly

Authors
  1. David Fennelly
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to David Fennelly.

Additional information

This article is based on a lecture delivered as part of the Annual Conference on EU Criminal Justice (Trier). While the author has appeared in a number of the cases under discussion in this article, any views are expressed in a purely personal capacity.

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Fennelly, D. Data retention: the life, death and afterlife of a directive. ERA Forum 19, 673–692 (2019). https://doi.org/10.1007/s12027-018-0516-5

Download citation

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s12027-018-0516-5

Keywords

Search

Navigation