EU Data Retention: Europe’s Top Court Rules 2006 Telecoms Data Retention Law Is Invalid
The European Court of Justice (ECJ), the top court in the European Union, has ruled that an EU-wide law that requires telecoms companies to store user-data for up to two years so it can be handed over to law enforcement authorities is invalid.
However, the ECJ has ruled the directive is invalid on right-to-privacy grounds — specifically flagging up a clash with two fundamental rights under the Charter of Fundamental Rights of the E.U.: “namely the fundamental right to respect for private life and the fundamental right to the protection of personal data”.
*****DATA RETENTION BREACHES ECHR AND DATA PROTECTION LAWS
The ruling boils down to a view that the directive is disproportionate. In a press release the ECJ notes that the directive “interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data”.
It also argues, in what could be couched as a post-Snowden observation, that the law is likely to generate a feeling that citizens’ private lives are “the subject of constant surveillance”.
“The Court is of the opinion that, by adopting the Data Retention Directive, the EU legislature has exceeded the limits imposed by compliance with the principle of proportionality,” it adds.
****DATA RETENTION IS NOT PROPORTIONAL
The ECJ takes particular issue with the generalised approach of the data retention law, noting that it covers “all individuals, all means of electronic communication and all traffic data without any differentiation, limitation or exception being made in the light of the objective of fighting against serious crime.”
***BULK DATA COLLECTION IS ILLEGAL
So, in other words, it’s the dragnet nature of the directive that’s causing a clash with EU citizens’ fundamental rights.
***DRAGNET SURVEILLANCE IS ILLEGAL
Another problem, in the ECJ’s view, is the directive’s failure to “lay down any objective criterion” to ensure that national authorities do not misuse their ability to access to citizens’ personal comms data for overreaching data-fishing expeditions. i.e. rather than specifically for…
…prevention, detection or criminal prosecutions concerning offences that, in view of the extent and seriousness of the interference with the fundamental rights in question, may be considered to be sufficiently serious to justify such an interference
The ECJ also flags up the directive’s failure to establish objective criteria for determining the length of the data retention period – which is set at a minimum of six months but can be as long as two years.
It is also unhappy at security measures covering the retained data, noting a lack of sufficient safeguards against the risk of abuse and unlawful access to the data. And also flagging up that the directive does not ensure the “irreversible destruction” of the data at the end of the retention period.
***DATA RETENTION LACKS SAFEGUARDS AGAINST STATE ABUSE; RIGHT TO DATA DELETION; SAFEGUARDS AGAINST UNLAWFUL ACCESS
Finally, the ECJ notes the problematic fact that the directive does not require the data be retained within the E.U., which thus introduces another compliance failure regarding the fundamental rights attached to personal data set out in the Charter:
Therefore, the directive does not fully ensure the control of compliance with the requirements of protection and security by an independent authority, as is, however, explicitly required by the Charter. Such a control, carried out on the basis of EU law, is an essential component of the protection of individuals with regard to the processing of personal data.
WHAT HAS THE EU SAID?
1. DRAGNET SURVEILLANCE IS ILLEGAL
2. BULK DATA COLLECTION IS ILLEGAL – you need a specific court order, detailing a specific crime. The “collect it all” NSA mentality is illegal.
3. DATA RETENTION MUST BE WITHIN EUROPE – no GCHQ bulk data collection being sent over to the NSA for analysis.
4. An Independent Body must authorise access to the data – not the police authorising access for itself. No “marking your own homework” that is illegal.
5. Data Retention breaches two fundamental rights – which are more serious than the “fight crime” justification given for dragnet surveillance. DRAGNET SURVEILLANCE IS ILLEGAL.
6. The Right to Deletion and safeguards are important. This is aimed at the UK police, who collected DNA of teenagers, driver checkpoints (no offence had been committed) and then refused to delete unlawfully collected DNA from their database.
YAY!! For EU Data Protection.
Big Data versus Privacy – the fight of the century.
Big Data 0