Data retention has been increasingly perceived as a criminal justice and law enforcement tool in the EU in the past years. As a matter of fact, the EU Data Retention Directive (Directive 2006/24/EC) was adopted in the wake of the London bombing attacks, back in 2005, despite the fact that data retention would not actually have had any relevant effect on the tragic event.
Nevertheless, the Directive requires EU Member States to compel telecommunications and Internet service providers to retain considerable amounts of communications data – including landline phones, mobile, fax and email – regarding individuals within the EU, even those never suspected of committing a crime, for a minimum period of six months and up to two years, for law enforcement purposes, namely regarding investigations of serious crimes and terrorism.
The data thus collected and retained allows for the identification of all the people with whom a user has communicated, the means employed, the time, the place and the frequency of those communications. Therefore, despite not permitting access to the content of the communications as such, this data nonetheless provides detailed information on the private lives of individuals, which amounts to an evident interference in the private sphere of their lives.
The question to be asked, then, was: is this interference acceptable in the light of the EU Charter of Fundamental Rights?
In this regard, Article 52 of the Charter states that restrictions upon the rights foreseen in the Charter must be established by law, respect the core of the right, be subject to the principles of proportionality and necessity, aim to fulfil public interest objectives and be balanced with the rights and freedoms of other individuals.
As you certainly well remember, last April, the Court of Justice of the European Union (hereafter CJEU) declared the abovementioned Directive invalid in its entirety, in the light of the EU Charter of Fundamental Rights, namely the rights to privacy and data protection, respectively foreseen in its Articles 7 and 8.
With this in mind, and recognising that there was a public safety interest underlying such intrusion, the Court focused, instead, on whether such interference could be somehow justified. In this regard, the Court concluded that such collection, processing and accessing of personal data by authorities did not comply with the principles of necessity and proportionality and, therefore, constituted an unjustified and serious interference with the fundamental rights to privacy and data protection. Indeed, by requiring the mass retention of all communication traffic of all individuals in the EU, including those who are innocent or not suspected of any crime, the instrument was considered to go beyond what is strictly necessary for a criminal investigation.
In this context, several aspects were deemed particularly problematic: the broad scope of the Directive, given that it refers to all means of electronic communication; the broad time period set for retention; the lack of clear rules limiting the access and use of data by authorities; the absence of an obligation to destroy the data once the retention period expires; the unsatisfactory level of protection of the data from unlawful access and use; and the possibility of storage outside the EU territory.
This ruling has a far-reaching impact at many levels. As a direct consequence, the Data Retention Directive is deemed to be void and a new Directive will have to be built from scratch. Moreover, this ruling seems to oppose the practice of mass surveillance related to the existing EU legislation and the ongoing reforms, with an obvious direct effect on agreements concluded by the EU with third countries. Indeed, it raised some practical issues regarding the data retention laws implemented by EU Member States and the validity of international agreements which require the retention of personal data, such as the PNR frameworks.
One of the main issues at stake is that, although many years have passed since the deadline foreseen for its implementation, the Directive has still not been fully implemented by all Member States. In fact, several Member States were subjected to infringement proceedings for failing to implement national legislation in due time. Nevertheless, those which have fully implemented the Directive weren’t able to achieve full harmonization due to the abstraction of concepts such as ‘competent national authorities’ and ‘serious crime’ and the broad range of the data retention period. So much for the intended harmonization.
Moreover, as the Data Retention Directive amended the e-Privacy Directive to remove prohibitions on data retention, this invalidation implies that the previous version of the e-Privacy Directive is again applicable. Member States no longer have the obligation to retain data pursuant to the Data Retention Directive. In fact, national measures transposing the Directive will need to be amended.
Where a national court has doubts about the compatibility of the national law with EU law, the proceeding for a preliminary ruling by the CJEU must be initiated. Alternatively, once domestic remedies have been exhausted, a claim could be addressed to the ECtHR. In any case, the European Commission or another Member State is entitled to initiate an infringement procedure in case of violation of EU law by national measures or of incomplete, inadequate transposition or non-transposition.
Furthermore, in 2011, the European Commission published a proposal for the EU Passenger Name Record (PNR) Directive, which would require air carriers operating flights between the EU and third countries to transfer PNR data to the national authorities in the Member State of departure or arrival, and is currently under negotiation. In the light of the above mentioned ruling, the envisaged text will not be able to stand. For instance, the data retention period of five years is clearly not acceptable.
Additionally, the legality of several international agreements, both in force and proposed, which include data retention schemes has been questioned. For instance, an Irish court made a reference to the CJEU, asking whether the EU ‘Safe Harbour’ arrangement on data protection with the USA is compatible with the rights to privacy and data protection.
Last month, the European Parliament voted to refer the EU-Canada PNR agreement, which is currently being renegotiated, to the CJEU, for an opinion, in order to assess its compliance with the EU Charter of Fundamental Rights. The Treaty of Lisbon allows the European Parliament to refer to the CJEU regarding the compatibility with EU law of a draft agreement to be concluded by the EU with third States on police or criminal law cooperation. In this regard, the EU-Canada agreement may not be concluded before a ruling on its compatibility with the EU law is issued because the consent of the European Parliament is now required for the conclusion of such international agreements.
Where does all this leave us?
Well, currently the EU has negotiated PNR data sharing agreements with the USA, Australia, and Canada.
In the light of Snowden’s revelations regarding the extent of spying by the American National Security Agency (NSA), the agreement with the USA, regarding the transfer of air passengers’ data for flights from the EU to the USA, has raised serious concerns within the EU, namely due to the access of the PNR database by the USA government for purposes other than fighting terrorism.
In this context, the ruling requested by the European Parliament regarding the EU-Canada agreement would indirectly establish if the EU/USA and EU/Australia agreements and the proposed EU PNR Directive do or do not violate those rights as well.
Following the rulings regarding the Data Retention Directive and the ‘right to be forgotten’, future judgements regarding data collection, processing and transfers are most certainly welcome, as they are expected to cast some light on the legality or illegality of the existing or upcoming PNR frameworks.
What would happen if the CJEU ruled that all these international agreements are in breach of the rights to privacy and data protection? The application of such agreements would need to be challenged, now that they are already in force, by individuals via their national courts, or the European Parliament would have to require the other EU institutions to ensure full respect for the EU Charter of Fundamental Rights by denouncing the agreements at stake.
Consequently, all instruments dealing with data retention will have to be subjected to necessity and proportionality tests in order to assess their compliance with the EU Charter of Fundamental Rights. Therefore, the requirements set in the ruling might unavoidably challenge the EU PNR proposal. Similarly, other EU-USA agreements, such as the agreement on the access to financial data under the USA Terrorist Finance Tracking Programme (TFTP), will need to be tested for compliance with the judgement standards.
Moreover, an analysis regarding the compliance of other legislative proposals might need to be conducted regarding the proposals for an entry-exit system to track non-EU nationals crossing EU borders, for the European Terrorist Financing Tracking System and for the governments’ access to the Eurodac database.
History has shown us that PNR data has turned into an attractive source for governments to obtain personal data regarding individuals. EU institutions should therefore question the necessity and proportionality of these and similar schemes of data collecting, data retention and bulk transfers to third countries and review the draft and existing legislation, frameworks and agreements to ensure that they do comply with the EU Charter of Fundamental Rights.
Update: The title was modified because, due to a lapse, it referred to the Data Protection Directive, instead of the Data Retention Directive.