By Heini Järvinen

On 8 April, the European Court of Justice ruled that the EU legislation on mass surveillance contravenes European law. The case was brought before the Court by EDRi member Digital Rights Ireland, together with the Austrian Working Group on Data Retention.

While it will take some time to get a clear view of what is going to happen in this policy area, the initial comments from key players may give some clues.

Perhaps the most remarkable comment is from Commissioner Cecilia Malmstroem, who has legal obligation ensure that the Charter of Fundamental Rights is respected. She claimed that her services were fully aware of the incompatibility of the Directive with primary European law for at least three years but chose to do nothing:

“The judgment of the Court brings clarity and confirms the critical conclusions in terms of proportionality of the Commission’s evaluation report of 2011 on the implementation of the data retention directive. The European Commission will now carefully assess the verdict and its impacts.”

The European Court of Justice didn’t provide any guidance on its ruling implications on national legislation. Luxembourg Minister of Justice Félix Braz annouced shortly after the ruling in his statement that “the national legislation, even though it was adopted in application of the invalidated Directive, will remain in place and continue to bind telecom operators”. He added that

“a deep analysis of the national legislation must be conducted to quickly establish whether the respect for fundamental rights in our legislation can be considered as adequate with respect to the ECJ requirements [...] particularly concerning issues related to access to data by judicial authorities and to the definition of serious crime”.

Braz urged the EU institutions to adopt the data protection Regulation as a starting point, in order to define “a general regime establishing a harmonised high level of protection prior to any definition of potential derogations that might include data retention”.

The Romanian Government had no reaction to the ECJ decision, but in the day after the ruling decided to extend the mass surveillance on its citizens in a new draft law: all the citizens that connect to free WiFis must identify themselves to the operators, that need to keep the personal data for at least 6 months. Also, all the pre-paid mobile cards owners have to be present an ID card if they want to buy such a card. All the current 7 million pre-paid card users in Romania need to register in 6 months, otherwise their cards will be de-activated. Impact on human rights? None, according the Ministry of Justice.

Finnish Minister of Education, Science and Communications Krista Kiuru welcomed the decision. She commented:

“Naturally, we must clean out the paragraphs enacted due to the directive. We will gladly adhere to this decision. If we want Finland to be a model country when it comes to data protection, our legislation has be be in accordance with the fundamental citizen rights,”

The ruling may have an impact on ongoing legislative projects in Finland, such as the preparatory work on the online surveillance law.

European Court overturns EU mass surveillance law (08.04.2014)
http://edri.org/european-court-overturns-eu-mass-surveillance-law/

Data retention directive: Commissioner Malmström’s statement on today’s Court judgment (only in French, 08.04.2014)
http://europa.eu/rapid/press-release_STATEMENT-14-113_en.htm?locale=en

Felix Braz: “The judgment of the ECJ clearly states that all the fundamental rights of EU citizens are to be respected” (08.04.2014)
http://www.gouvernement.lu/3641093/08-cjue

Romanian new draft law (09.04.2014)
http://gov.ro/ro/stiri/proiectul-de-lege-pentru-modificarea-si-completarea-oug-nr-111-2011-privind-comunicatiile-electronice

ECJ ruled data retention directive illegal (only in Finnish, 08.04.2014)
http://www.lvm.fi/tiedote/4395687/eu-tuomioistuin-totesi-tietojen-sailyttamista-koskevan-direktiivin-laittomaksi

Finland must revise its data protection laws (08.04.2014)
http://www.helsinkitimes.fi/finland/finland-news/domestic/10120-finland-must-revise-its-data-protection-laws.html