The Data Retention Directive (2006/24/EC) was a response to terrorist attacks in Madrid and London. The directive requires telecommunications providers to retain traffic, subscriber and location data generated by users of their service for the purposes of investigation, detection and prosecution of serious crime and terrorism. The UK brought the directive into force by the Data Retention (EC Directive) Regulations 2009.
Following references from the Irish High Court and the Austrian Constitutional Court, the legality of the directive was considered by the European Court of Justice.
On 8 April 2014 the court declared the directive invalid, stating that 'by requiring the retention of those data and by allowing the competent national authorities to access those data, the directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data'. Although the court considered that retaining data for the purposes of preventing crime and terrorism was capable of satisfying the general interest objective, it held that the directive and the interference with the rights to privacy and the protection of personal data was too wide ranging and went beyond what was strictly necessary. In other words the directive was not a proportionate means of achieving the purpose of prevention of crime.
The court identified several key concerns, particularly that the directive applies to all individuals 'without any differentiation, limitation or exception' even where there is no evidence of a link, even an indirect or remote one, with serious crime. The court also referred to a lack of safeguards surrounding access to and use of data and an absence of guidance in respect of the data retention period which should be applied to different types of data.
The court's declaration of invalidity has retrospective effect. This will consequentially affect the validity of the laws introduced by each member state in response to the directive. It remains to be seen whether the UK withdraws the 2009 Regulations entirely or amends them to fit with the court's decision.
If you would like further information, please contact Andrew Dunlop or Chris O'Connell in our Data Protection team.