
On the Data Retention Directive Case

Hugo Teufel
Thursday, April 10, 2014, 3:30 PM

Published by The Lawfare Institute
in Cooperation With
Brookings

In another round of “privacy versus security” in the European Union, the Court of Justice of the European Union (ECJ) on April 8, 2014 struck down the European Union’s Data Retention Directive 2006/24/EC. The directive, whose origins are tied to the July 2005 terror attacks in London, required Internet service and telecommunications providers (communications providers) to store subscribers’ communications data for later possible use in major crime and terror investigations. Under Articles 5 and 6 of the directive and implementing legislation from the member states, communications providers were required to maintain certain electronic communications data for no less than six months and no more than two years. Expressly excluded under Article 1 of the directive was the content of the communications. Article 4 of the directive provided that only “competent” law enforcement or intelligence agencies could have access to the data in “specific cases” and pursuant to national law.

In declaring the Data Retention Directive invalid, the ECJ acknowledged in its Digital Rights Ireland et al. judgment that “the retention of data for the purpose of their possible transmission to the competent national authorities genuinely satisfies an objective of general interest, namely the fight against serious crime and, ultimately, public security.” However, the court found, the EU went too far with the directive, exceeding the limits of the “proportionality” principle of the EU’s Data Protection Directive 95/46/EC. Proportionality, of course, is one of the seven fair information practice principles undergirding the Data Protection Directive, and is defined under that directive as data that are “relevant and not excessive in relation to the purposes for which they are processed.”

The outcome isn’t surprising and mirrors a December 2013 opinion that ECJ Advocate General Pedro Cruz Villalón delivered to the court. The Advocate General opined that the Data Retention Directive violated Articles 7 (respect for private and family life) and 52(1) (discussing limitations of rights and proportionality) of the Charter of Fundamental Rights of the European Union. In a likely reference to the Snowden revelations and the EU’s data protection “adequacy” requirement, the Advocate General observed that the Data Retention Directive lacked a requirement that “the data must be retained in the territory of a Member State. They can therefore be accumulated at indeterminate locations in cyberspace.”

The EU’s data protection authority, the European Data Protection Supervisor (EDPS), in his press release on the ECJ’s ruling, praised the “landmark judgment that limits the blanket government surveillance of communications data”, noting that it “highlights the value placed on the protection of fundamental rights at the core of EU policy in this critical area.” The EDPS called for a new EU retention directive limiting what member states can do with respect to data retention, while also exhorting the EU to take a “firm position” with, among others, the US, “on the access and use of communications data of EU residents.”

Data retention isn’t dead in Europe. First, individual member states’ data retention laws likely are not directly affected by the ECJ’s decision, and those countries could continue to enforce their data retention laws, something the EDPS is concerned may happen. Second, the European Parliament could rewrite the directive to bring it in line with the ECJ’s decision.

Communications providers in those EU member countries with extant data retention requirements may find themselves in a difficult position, especially in countries in which data protection authorities lack competence, or jurisdiction, over law enforcement and intelligence agencies. Those providers could receive conflicting, yet equally compulsory, orders from government entities on the proper course of action on data retention. The law enforcement and intelligence agencies asking for the data are the same ones who are responsible for investigating and defending against criminal activity and cyber attacks. On the other side are citizens, privacy advocates, and data protection authorities who could bring civil or criminal actions against ISPs for violations of the EU’s Data Protection Directive. Under such circumstances, the “balancing” of privacy versus security is a zero-sum game for communications providers.

Hugo Teufel III is an attorney focusing on privacy and civil liberties matters, with both public and private sector experience. He is also a judge advocate with the District of Columbia Army National Guard. From 2006 until 2009, Mr. Teufel served as the Chief Privacy Officer for the US Department of Homeland Security. He was primarily responsible for privacy policy at the Department, reporting directly to the Secretary and Deputy Secretary. Mr. Teufel was also a principal of the High Level Contact Group, a joint US/EU effort on transatlantic exchanges of data. Mr. Teufel graduated from the Washington College of Law of the American University and was the Senior Articles Editor of The Administrative Law Journal. He also holds a Master’s degree in National Security and Strategic Studies from the Naval War College.
