Legal analysis of the Data Retention ruling of the European Court

By EDRi · May 21, 2014

The legal service of the Council of the European Union has produced an analysis of the ruling of the Court of Justice of the European Union on the data retention Directive. While these documents are normally confidential, this text has been leaked and provides interesting insights into the ruling – making one wonder what justification could possibly exist for it being kept from the public in the first place.

The document points out what should have been already clear – that the Court will not consider any such measure legal unless it is accompanied by adequate safeguards and unless the measure is strictly necessary. The European Commission previously appears to have believed that including a text saying “this Directive respects fundamental rights” (recital 22 of the Directive) had some magical legal significance that was enough to ensure compliance. Other examples of this approach can be found in proposals as varied as the proposed Directive on suspicionless storage and transfer of passenger name records (“This Directive respects the fundamental rights and the principles of the Charter of Fundamental Rights of the European Union” and even ACTA “preserves fundamental freedoms such as freedom of expression”).

Ominously for the Commission, the Legal Service says that necessary steps must now be taken with regard to “existing, proposed and future legislation”. A footnote lists some examples of the existing legislation and proposed legislation that is now called into question:

“Examples of such provisions are the (already allowed) access by law enforcement authorities to the Visa Information System (VIS) and to EURODAC (database of asylum seekers). Two proposals of this nature currently under examination are the draft Passenger Name Record (PNR) Directive, which could potentially concern the data of between 500 million to 1,5 billion persons a year (see CLS opinion in doc. 8850/11) and the draft “entry/exit” data base of all foreign travellers entering/exiting the EU which provide for the registration of the 10 finger prints of each foreign traveller and to which many delegations wish the law enforcement authorities to have access.”

The Legal Service chooses to rely on paragraph 42 of the ruling that “the retention of data for the purpose of allowing the competent national authorities to have possible access to those data (…), genuinely satisfies an objective of general interest” to argue that the court upheld “the general approach of data retention as a tool to fight terrorism”. The analysis chooses to ignore salient analysis elsewhere in the ruling. In particular, this Legal Service analysis does precisely what the Court criticises in paragraph 65, in that it seeks to claim a broad justification “without such an interference being precisely circumscribed by provisions to ensure that it is actually limited to what is strictly necessary.” It is very questionable whether it can be argued that untargeted data retention was accepted in principle by the Court. Analysis elsewhere in the Legal Service document does, importantly, seem to accept this.

The unacceptably chaotic (thanks to the railroading of the EU’s decision-making process by the UK Presidency of the Council at the time) text is laid bare by the analysis. It explains that, on the one hand, safeguards regarding access to the data could not be included because it was ostensibly a measure to harmonise the market. On the other hand, the “harmonisation” was limited to giving a very wide range of options for the retention periods – ranging from 6 to 24 months. The implication appears to be that, had the legal basis been correct (or, more likely, if it can be corrected in the future), some of the Court’s criticisms could have been avoided.

Under the heading “Consequences of the judgement for the Council”, the legal service concludes:

  • the Court of Justice will not satisfy itself with anything less than a strict assessment of the proportionality and necessity of measures that constitute serious restrictions to fundamental rights, however legitimate the objectives pursued by the EU legislature.
  • such measures do not stand a serious chance of passing the legality test unless they are accompanied by adequate safeguards in order to ensure that any serious restriction of fundamental rights is circumscribed to what is strictly necessary and is decided in the framework of guarantees forming part of Union legislation instead of being left to the legislation of Member States.

It is quite obvious from the Legal Service opinion that the European Commission needs to  withdraw the proposed Directive on PNR. However, if previous experience is anything to go by, Commissioner Malmstroem will choose to do nothing, fearing that doing what obviously needs to be done will upset some Member States.

Court page on data retention case

Legal Service analysis (05.05.2014)

(Contribution by Joe McNamee – EDRi)