Court of Justice: Data Retention Directive is invalid

bureau Brandeis / 08 Apr 2014

Today, the Court of Justice of the European Union (CJEU) ruled that the so-called Data Retention Directive (2006/24/EC) is invalid. According to the Court, the Directive constitutes a serious interference with the right to private life and the right to protection of personal data and lacks proportionality and effective safeguards.

The Data Retention Directive prescribes that Internet providers should save traffic data of all users for a period of six months. This metadata may be used for the purpose of investigation, detection and prosecution of serious crime.

The broad scope of the Directive allows for the retention of a large amount of data, which eventually could lead to very precise information on a person’s private life. According to the Court:

Those data, taken as a whole, may allow very precise conclusions to be drawn concerning the private lives of the persons whose data has beenretained, such as the habits of everyday life, permanent or temporary placesof residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them.”

The CJEU finds that the Directive exceeds the limits of the principle of proportionality. First of all, the Directive applies to all individuals and all means of electronic communication and imposes no limitations or exceptions. Furthermore, the Directive does not established objectives or criteria to limit the powers of the national authorities. Thirdly, there is no limitation on duration of the data retention period to ensure that this period is limited to what is strictly necessary. Lastly, the Directive lacks effective safeguards to protect against the risk of abuse and against unlawful access and use of data.

This leads to the conclusion that the Directive is not sufficiently circumscribed to ensure that the interference with an individual’s right to private life and protection of personal data is limited to what is strictly necessary. Therefore, the CJEU renders the Directive invalid.

Read the press release here.

Author: Sam van Velze

Related articles

GDPR Compliance Roadmap

bureau Brandeis / 03 Nov 2017

On 25 May 2018 the General Data Protection Regulation (“GDPR”) comes into effect. From that date the GDPR will have a direct effect on all EU Member States, and must be complied with. The current…

Court of Appeals: no centralised storage of fingerprints

Christiaan Alberdingk Thijm / 18 Feb 2014

The Dutch government would contravene the right to privacy of Dutch citizens by introducing a centralised storage system for fingerprints, submitted to obtain a passport. This is the outcome of a case of Privacy First…

EU Parliament Committee says “no more” to the NSA

Christiaan Alberdingk Thijm / 10 Jan 2014

The civil liberties committee of the European has demanded the termination of the collection of personal data by the NSA and other intelligence agencies. In a 51-page draft report it stresses that national agencies must…