EU Data Retention Directive finally before European Court of Justice
Update: Follow this link for more recent news on the EU Directive on Data Retention.
On July 9 2013, the European Court of Justice (ECJ) in Luxembourg holds a hearing on one of the most contested pieces of communication legislations, the 2006 EU Directive on Data Retention.
EU Directive vs. Regulation
Regulations are powerful instruments in the EU. They take immediate effect in all Member States – as opposed to directives, which first have to be transposed into national laws allowing for considerable differences across the EU.
Several supreme courts of EU member states declared the entire directive, the implementation or parts thereof as unconstitutional. Several member countries only belatedly implemented the directive and some countries, including Germany and Belgium, have not transposed it at this point in time. The case heard next week before the ECJ combines referrals from Austria and Ireland and seemingly tries to do what legislators may have failed to: ask for proof that the massive data collection is proportionate, necessary and efficient.
The much debated directive, which obliges communication data providers to store traffic and location data for later access by law enforcement, has been pushed through following the terrorist attacks of September 11 2001 on US soil as part of a flurry of anti-terror measures in the EU. From the beginning it met with considerable resistance in several member states. Thousands of people took to the streets, a foreboding to the even more powerful EU protest marches against the Anti-Counterfeiting Trade Agreement (ACTA).
Mass protests, mass complaints
Mass protests did not kill the legislation (unlike the beheaded ACTA), enticing people to take it to their country’s supreme courts in numbers. Several member states saw the first ever “mass complaints.“ In Germany, alongside the Minister-of-justice-to-be, as many as 34,000 citizens joined together to appeal to their Constitutional Court to invalidate the implementation of the directive into German law – and succeeded. Similarly, in Austria 11,000 citizens (organised by the working group ‘AK Data Retention’) filed a complaint, which has since reached the European Court of Justice.
Beside Austria's AK Data Retention, the regional government of Carinthia, an Austrian IT manager and, Digital Rights Ireland (a member of European Digital Rights, EDRI) are complainants, as futurezone.at recently reported. The Irish High Court in 2010 decided for the referral to the Luxembourg Court. Non-governmental organisations in many EU member states are enthusiastic about the hearing, which came much quicker than they had hoped for.
Many applaud the questionnaire sent out by the Luxembourg judges to the parties. The ECJ listed a broad set of questions about the purpose and benefit of the Directive, EDRI reported. The parties are invited, EDRI quotes, “to comment at the hearing as to whether the area covered by the Directive 2006/24 data retention can serve the purpose of detection and prosecution of serious crime. You will be asked in this context to an explanation (sic) of the impact it has that many options for anonymous use of electronic communications services exist.“
The Court is also looking for an assessment of negative side effects, including the possibility of profiling citizens, according to the EDRI list. None of these questions will be easy to answer for the European Union: did the Directive help to fight terrorism (or at least serious crime)? Did it go too far in infringing EU citizens’ fundamental rights granted in Articles 7 and 8 of the Charter of Fundamental Rights?
NGOs never tired continuously criticise the lack of statistical data on the efficiency and necessity of this directive. In fact, when member states decided to pass the directive in 2006, Germany's Federal Police (BKA) for example was still collecting data on cases from state police, as an officer told this reporter at the time. Statistical data relative to the need of the directive has continued to be a problem for proponents of the directive in many of the court cases. NGOs at the same time said, the EU Commission's own reports proved that the directive was used much more broadly than intended (for data collected by the Commission see here).
Status of implementation
The Commission has postponed a full-fledged review to 2014, while at the same time continuing to push for implementation in all member states.
The European Court of Justice, in a decision dated 30 May 2013, has tackled data retention implementation, requesting Sweden to pay a lump sum of 3 million Euro for its delay in transposing the directive into national law in time. Sweden already lost the first case in 2010 for violating its obligations to transpose the directive by September 2007. A new Swedish government finally implemented the data retention provisions on 1 May 2012.
Belgium was warned by the Commission by the end of May 2013 for not fully transposing the directive.
The Commission's case against Germany is pending.
Romania and Bulgaria have adjusted implementation after judgments by their Constitutional Courts.
The transposition into Czech law was cancelled by its Constitutional Court in 2011. In October 2012, Czech data retention legislation was adapted (for an English summary, see here). Another constitutional complaint is still pending before the Slovak Constitutional Court.
Incoming EU member Croatia, as several other “young” members of the European Union, on the other hand were quick to implement the directive. Article 109 of its Electronic Communications Act (from June 2008) regulates to retain traffic and location data for 12 months, for national security reasons and other crime investigations.
Will the Court decision, which still might take some time to be made, change this course? Its ruling certainly will influence the belated review in the EU.