Last week the European Court of Justice declared the 2006 Data Retention Directive invalid. As a result, communications providers may be able to look forward to an easing of the requirements on them to collect and store individual communications data.
In a pair of joined cases brought by an Irish campaigning organisation (Digital Rights Ireland) and by a large group of Austrian applicants, the court considered whether the Data Retention Directive was compatible with two fundamental rights: respect for private life and protection of personal data.
The court said that it was not, commenting in its press release that:
"by requiring the retention of those data and by allowing the competent national authorities to access those data, the directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data."
Less than a year ago the same court fined Sweden 3 million Euro for failure to implement the directive on time. At that time the court was not interested in Sweden’s internal debates about the balance between the protection of privacy and the prevention of crime. It said:
"given that the directive is intended to ensure that electronic communications data are available for the purpose of the investigation, detection and prosecution of serious crime, any delay in its transposition is liable to have consequences for public and private interests."
In 2006 concerns about terrorism and organised crime were high on the agenda, following the Madrid train bombings in 2004 and the London tube and bus bombings of 2005. The aim of the directive was to enable the collection of data by national governments in a uniform way across Europe, so that there were equal levels of protection for individuals, as well as a level playing field for businesses providing communications services. But it has been much criticised, and the relevant national laws have been challenged in several countries. With the Snowden revelations, concerns about the privacy of private communications and 'government snooping' now have greater political weight.
The Irish and Austrian courts will have to consider how to respond to the ruling. But because the directive itself is void, EU countries which have put in place their own laws to implement it will have to consider what action to take.
The UK implemented the directive with a set of regulations covering mobile telephony, internet access, internet email and internet telephony. These regulations apply to public communications providers who generate or process communications data in the UK. Specified data to trace and identify the source of a communication, its destination, date, time, duration and type has to be retained for 12 months and can be accessed by officials such as police officers in accordance with the Regulation of Investigatory Powers Act 2000.
It is not clear what action the UK will now take, but the Government's heavily criticised draft Communications Data Bill, which would extend the range of communications data being collected, seems even less likely to become law.