A victory in a David v Goliath challenge

European advocate general upholds key concerns put forward by Irish advocacy group

The European Court of Justice’s advocate general, Cruz Villalón, argues that there must be far greater oversight to the data retention process and controls on access to data.
The European Court of Justice’s advocate general, Cruz Villalón, argues that there must be far greater oversight to the data retention process and controls on access to data.

The European Court of Justice’s advocate general, Cruz Villalón, is clear: European countries have no right to gather and store data about people’s phone, internet and email use, at least not as is currently practised using the EU’s data retention directive.

The always-controversial directive, the basis of Ireland's data retention laws, constitutes a serious interference with the fundamental right of citizens to privacy and is incompatible with the Charter of Fundamental Rights, the advocate general has written. It therefore must be overturned and carefully rebuilt with greater controls and protections.

If the full European Court of Justice (ECJ) accepts the opinion of its advocate general in a final ruling due early next year – and it almost always does – it will prove a huge vindication of Ireland's small privacy advocacy group, Digital Rights Ireland (DRI).

Its case against Irish retention laws, which began in 2006, forms the basis of this broader David v Goliath challenge and initial opinion.

READ MORE

The advocate general’s advice largely upholds the key concerns put forward by DRI against Ireland’s laws. Withholding so much data about every citizen, including children, in case someone commits a future crime, is too intrusive into private life, and could allow authorities to create a “faithful and exhaustive map of a large portion of a person’s [private] conduct”.

Retained data is so comprehensive that they could easily reveal private identities, which are supposed to remain anonymous. And the data, entrusted to third parties, is at too much risk of fraudulent or malicious use.

Cruz Villalón argues that there must be far greater oversight to the retention process, and controls on access to data, and that citizens should have the right to be notified after the fact if their data has been scrutinised. The Irish Government had repeatedly waved off such concerns from Digital Rights Ireland in the past.

Would the opinion have been the same a year ago? Revelations on secret surveillance from whistleblower Edward Snowden may have stoked the appetite for greater privacy protection.

The opinion strikes a legal balance, suggesting the directive should remain in place while revision is undertaken. It also steers revision back to a democratic legislative process in the European Parliament. An open, moderate route tends to be preferred by the court’s 14 justices, increasing the likelihood the ECJ will adopt the advocate general’s recommendations.