ECJ preliminary ruling: the data retention Directive 24/2006 is invalid.
In joined cases C-293/12 and C-594/12, the ECJ was called upon to examine the validity of Directive 24/2006 concerning the retention of data that are generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks. The Directive aims to guarantee that traffic data, location data and the related data necessary to identify the subscriber or user are available for the purpose of the prevention, investigation, detection and prosecution of serious crimes, such as those related to racketeering and terrorism.
The High Court (Ireland) and the Verfassungsgerichtshof (Constitutional Court, Austria) asked the Court of Justice to examine the validity of the Directive in the light of two fundamental rights under the Charter of Fundamental Rights of the EU: the right to respect for private life and the right to the protection of personal data.
The Court first noted that the data to be retained allow private information to be collected, for instance the means of communication used, who users communicate with, the time and place of the communications and their frequency, which makes it possible to profile a person's daily activities and movements. For these reasons, the Directive substantially interferes with the right to respect for private life and the right to the protection of personal data. However, according to the Court, this data processing does not violate the essential content of these rights and is justified by the objective of public security and the fight against crime.
Nevertheless, the Court found that the European legislator exceeded the limits imposed by the principle of proportionality: precisely because of the nature of the rights affected by the Directive, the EU legislature's discretion is limited and must be confined to what is rigorously and strictly necessary. From this point of view, the Court criticised the fact that the Directive covers subjects, means of communication and data in general, without making any distinction, limitation or exception based on the objective of fighting serious crime. Furthermore, the Directive does not lay down any substantive or procedural conditions for access to and use of the data by the competent national authorities, and consequently it does not limit or control how the authorities may use them. Additionally, the Court objected to the data retention period, declaring it not properly differentiated in relation to the subjects involved and to the objective of the retention.
Finally, the Court declared that the Directive in question does not provide sufficient safeguards to ensure effective protection of the retained data against the risk of abuse. The Directive does not impose any specific security systems, does not demand the irreversible destruction of the data at the end of the retention period, and does not require that the data be retained within the EU. As a result, according to the Court, it is impossible to establish full control by an independent authority that can guarantee compliance with the requirements of security and protection explicitly laid down by the Charter, a control that is particularly necessary and essential in a matter as delicate as personal data protection.
As a result of the preliminary ruling, the Court therefore declared Directive 24/2006 to be invalid.