In a far-reaching move, the European Court of Justice has struck down the European Data Retention Directive, a dramatic decision that is a victory for Irish and European citizens. The ruling was based largely on a consideration of privacy group Digital Rights Ireland's challenge to the constitutionality of Ireland's own data retention legislation. The case was referred to the ECJ by the High Court for clarification: was the EU directive, on which Irish law is based, itself legal?
The EU’s highest court resoundingly said no. The justices unequivocally stated that the directive violated existing privacy, human rights and data protection guarantees given to the EU’s half a billion citizens. Furthermore – as privacy advocates have long argued – it had done so from the start, and should never have been implemented. The 2006 directive mandated that EU member states retain and store, for up to two years, details about all mobile and landline calls, such as the time of a call, who made it, the recipient and the phone location. In addition, similar “metadata”, or data about information, were also retained on some internet activities.
The justices stated that, “by requiring the retention of those data and by allowing the competent national authorities to access those data, the directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data.” Such a programme, said the court, amounted to the mass surveillance of nearly every EU citizen, because “those data, taken as a whole, may provide very precise information on the private lives of the persons whose data are retained.”
The central issue for the court was the proportionality of the law. There is no doubt, it said, that law enforcement needs access to some of these data to prevent and to prosecute serious crime and terrorism. But – as with the secretive, mass interception and storage of phone call data by the National Security Agency in the US, revealed by Edward Snowden – authorities had been unable to present any convincing evidence that holding data for such long periods, for hundreds of millions of people, made citizens safer.
The ruling will not deny national law enforcement agencies appropriate access to retained data as, under data-protection laws, communications companies keep data for up to six months for business purposes. But the ruling is likely to force the EU to come up with a new, more defined, limited and targeted retention directive, with much better public oversight.
Meanwhile, Digital Rights Ireland will return to the High Court, with its original case greatly strengthened by the ECJ ruling. The result should be national and European legislation that more appropriately balances security and personal privacy. In a post-Snowden world, that is a significant win for the people.