Boum ! The Court of Justice has declared that the Data Retention Directive, Directive 2006/24/EC, is invalid in today’s judgment in Joined Cases C-293/12 and C-594/12 Digital Rights Ireland Ltd and Kärntner Landesregierung and others.

Not only that, but the Court says some important things about judicial review, legislative discretion and compliance with the principle of protection of personal data: in matters of privacy and the protection of personal data, legislative discretion is reduced, therefore judicial review is strict.

The controversial Data Retention Directive provides the retention of certain data which are generated or processed by providers of publicly available electronic communications services or of public communications networks. The data must be available for the purpose of the prevention, investigation, detection and prosecution of serious crime, like organised crime and terrorism. Thus, the network providers must retain traffic and location data as well as related data necessary to identify the subscriber or user. By contrast, the Directive does not permit the retention of the content of the communication or of information consulted.

There was litigation both in Ireland and in Austria concerning the legality of measures implementing the Directive. Consequently, both the High Court of Ireland and the Austrian Verfassungsgericht referred questions to the Court of Justice on whether the Directive complied with the Charter of Fundamental Rights and in particular the fundamental right to respect for private life and the fundamental right to the protection of personal data.

The Court of Justice held that the Directive is incompatible with Articles 7, 8 and 52 (1) of the Charter.

It held that the obligation imposed by Articles 3 and 6 of Directive 2006/24 on network providers  to retain, for a certain period, data relating to a person’s private life and to his communications constitutes in itself an interference with the rights guaranteed by Article 7 of the Charter.

Also, the access of the competent national authorities to the data constitutes a further interference with that fundamental right (see, as regards Article 8 of the ECHR, Eur. Court H.R., Leander v. Sweden, 26 March 1987, § 48, Series A no 116; Rotaru v. Romania [GC], no. 28341/95, § 46, ECHR 2000-V; and Weber and Saravia v. Germany (dec.), no. 54934/00, § 79, ECHR 2006-XI). Accordingly, Articles 4 and 8 of Directive 2006/24 laying down rules relating to the access of the competent national authorities to the data also constitute an interference with the rights guaranteed by Article 7 of the Charter.

Likewise, Directive 2006/24 constitutes an interference with the fundamental right to the protection of personal data guaranteed by Article 8 of the Charter because it provides for the processing of personal data.

The Court also held that interferences with this rights were disproportionate to the aim of fighting serious crime.

It recalls that Article 52(1) of the Charter provides that any limitation on the exercise of the rights and freedoms laid down by the Charter must be provided for by law, respect their essence and, subject to the principle of proportionality, limitations may be made to those rights and freedoms only if they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others.

The fight against terrorism and serious crime is important as it stated the case-law made clear that the fight against international terrorism in order to maintain international peace and security constitutes an objective of general interest (Cases C‑402/05 P and C‑415/05 P Kadi and Al Barakaat International Foundation v Council and Commission EU:C:2008:461, paragraph 363, and Cases C‑539/10 P and C‑550/10 P Al-Aqsav Council EU:C:2012:711, paragraph 130). The same is true of the fight against serious crime in order to ensure public security (Case C‑145/09 Tsakouridis EU:C:2010:708, paragraphs 46 and 47). 

However, measures taken to pursue those ends must comply with the principle of proportionality: acts of the EU institutions must be appropriate for attaining the legitimate objectives pursued by the legislation at issue and must not exceed the limits of what is appropriate and necessary in order to achieve those objectives (Case C‑343/09 Afton Chemical EU:C:2010:419, paragraph 45; Cases C‑581/10 and C‑629/10 Nelson and Others EU:C:2012:657, paragraph 71; Case C‑283/11 Sky Österreich EU:C:2013:28, paragraph 50; and Case C‑101/12 Schaible EU:C:2013:661, paragraph 29).

What the Court then says about its judicial review of compliance with that principle is important.

With regard to judicial review of compliance with the principle of proportionality, where interferences with fundamental rights are at issue, the extent of the EU legislature’s discretion may prove to be limited, depending on a number of factors, including, the area concerned, the nature of the right at issue guaranteed by the Charter, the nature and seriousness of the interference and the object pursued by the interference (see, by analogy, as regards Article 8 of the ECHR, Eur. Court H.R., S. and Marper v. the United Kingdom[GC], nos. 30562/04 and 30566/04, § 102, ECHR 2008-V).

In the present case, in view of the important role played by the protection of personal data in the light of the fundamental right to respect for private life and the extent and seriousness of the interference with that right caused by Directive 2006/24, the EU legislature’s discretion is reduced, with the result that review of that discretion should be strict.

The Court finds that the retention of such data may be considered to be appropriate for attaining the objective pursued by the Directive.

However, the Court goes on to examine the safeguards put in place to restrict the interference with the rights of privacy and the protection of personal data. It emphasises that the EU legislation in question must lay down clear and precise rules governing the scope and application of the measure in question and imposing minimum safeguards so that the persons whose data have been retained have sufficient guarantees to effectively protect their personal data against the risk of abuse and against any unlawful access and use of that data (see, by analogy, as regards Article 8 of the ECHR, Eur. Court H.R., Liberty and Others v. the United Kingdom, 1 July 2008, no. 58243/00, § 62 and 63; Rotaru v. Romania, § 57 to 59, and S. and Marper v. the United Kingdom, § 99).

The need for such safeguards is all the greater where, as laid down in Directive 2006/24, personal data are subjected to automatic processing and where there is a significant risk of unlawful access to those data (see, by analogy, as regards Article 8 of the ECHR,S. and Marper v. the United Kingdom, § 103, and M. K. v. France, 18 April 2013, no. 19522/09, § 35).

It concludes that in this case, Directive 2006/24 fails to lay down clear and precise rules governing the extent of the interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter. It therefore held that Directive 2006/24 entails a wide-ranging and particularly serious interference with those fundamental rights in the legal order of the EU, without such an interference being precisely circumscribed by provisions to ensure that it is actually limited to what is strictly necessary. Moreover, as far as concerns the rules relating to the security and protection of data retained by network providers, it held that Directive 2006/24 does not provide for sufficient safeguards, as required by Article 8 of the Charter, to ensure effective protection of the data retained against the risk of abuse and against any unlawful access and use of that data.

As a parting shot, the Court adds that the Directive does not require the data in question to be retained within the European Union, with the result that it cannot be held that the control, explicitly required by Article 8(3) of the Charter, by an independent authority of compliance with the requirements of protection and security, as referred to in the two previous paragraphs, is fully ensured. Such a control, carried out on the basis of EU law, is an essential component of the protection of individuals with regard to the processing of personal data (Case C‑614/10 Commission v Austria EU:C:2012:631, paragraph 37).