The data retention tsunami: how EU Member States are reacting to the annulment of the data retention directive
UPDATE JUNE 2015: NEWS FROM BELGIUM
Following the annulment of the Data Retention Directive in April 8, 2014, by the Court of Justice of the European Union, European Member States are hardly starting to face the consequences of that.
As stated in my previous post on the matter, the European decision did not make national data retention legislations (whether or not enacted as implementation of the annulled directive) automatically invalid. However, because of the principles laid down by the European court, most of such national legislations are at risks, because they impose data retention obligations in a too general and far-reaching way. This conclusion is shared also by a study commissioned by the Greens Group at the European Parliament which can be found here.
In fact, in §59 of the sentence the European judges stated that “blanket” data retention legislations are not allowed, they must be selective and focussed:
“Moreover, whilst seeking to contribute to the fight against serious crime, Directive 2006/24 does not require any relationship between the data whose retention is provided for and a threat to public security and, in particular, it is not restricted to a retention in relation (i) to data pertaining to a particular time period and/or a particular geographical zone and/or to a circle of particular persons likely to be involved, in one way or another, in a serious crime, or (ii) to persons who could, for other reasons, contribute, by the retention of their data, to the prevention, detection or prosecution of serious offences.”
For long time Member States have hesitated in taking actions, also because of the lack of guidance from the European Commission, which is sharing its part of responsibility for this messy situation. Denmark was one of the first country in making a legal analysis whether the European decision could somehow affect their data retention legislation, but then they concluded that there was no reason to act.
In June, at a recent closed meeting of EU Justice and Home Affairs ministers, the Council’s Legal Services is reported to have stated that paragraph 59 of the European Court of Justice’s ruling on the Data Retention Directive “suggests that general and blanket data retention is no longer possible“. Therefore, should Member states not take actions, the matter will be likely submitted by individuals to a national courts, which will take the decision instead of the government, as it did just happen in Austria. In other words, today’s judgement of the Austrian Constitutional court is a clear reminder to most European member States that postponing a decision on this matter is not a good strategy. Italy is one the country mostly at risk, because their national legislation is just a copy & paste of the annulled directive.
Finally, breaking news of April 27, 2015: in an answer to a parliamentary question Dimitris Avramopoulos, Commissioner for Migration, Home Affairs and Citizenship confirmed that instead of presenting a new legislative initiative on Data Retention, the Commission intends to launch a public consultation on the matter with relevant stakeholders.
Here a list of countries which are definitively deleting DR rules (in addition to Ireland, which caused the case in front of the European Court):
On June 27, 2014 the Austrian Constitutional Court has declared invalid most parts of the Austrian law on data retention. This is the first national decision taken after the important sentence of the European Court of Justice which, on April 8, 2014 annulled the European Directive on data retention (Directive 2006/24/EC).
Austrian ISPs have to stop retaining and providing information to the Austrian authorities about data retained under the data retention regime by the end of the day following the publication of the decision. ISPs will however still be allowed to retain traffic data for their own legitimate purposes (billing, fraud prevention etc.) for a certain amount of time. Such data could still be accessible by public authorities for public securities reasons.
A source of Austrian ISP industry declared “very positive” from an ISP-angle is that the system implemented for the exchange of information with law enforcement agencies (so called “Durchlaufstelle” / “DLS”) will remain in place and will be used for the exchange of information about traffic data ISPs are still allowed to retain.
On June 11, 2015 the Belgian Constitutional Court declared invalid Belgian data retention law. The decision is here, more infos to follow.
The Bulgarian data retention law was declared incompatible with the national constitution on March 12, 2015. No further details are available at the time.
On 2 March 2010 (so, even before the European annulment judgement), the Federal Constitutional Court ruled the German data retention law unconstitutional as a violation of the guarantee of the secrecy of correspondence. As such, the directive is not currently implemented in Germany. However, we learned that the German government is trying to reintroduce a law on data retention. On April 15, 2015, the minister for Justice and Consumer Protection, Heiko Maas, and the Minister of Internal Affairs, Thomas de Maiziere, presented a document with a few guidelines: http://www.bmjv.de/SharedDocs/Downloads/DE/pdfs/20150415-Leitlinien-HSF.pdf?__blob=publicationFile. The German association Eco rose doubts about adequacy and consistency of the proposal with the principles laid down by the European court. Few weeks later, the German constitutional court issued a statement raising doubts about the proposed measure.
the Romanian data retention law was declared unconstitutional by the Constitutional Court on July 8, 2014. The ruling applies to all provisions of the law. The argumentation of the judgement is expected to be published at the beginning of August.
According to the court, the data retention law is suspended for 45 days and operators no longer have to retain data. If the government and parliament do not resolve the constitutional issues within 45 days, then the law will be annulled permanently.
On 23 April 2014, the Slovak Constitutional Court preliminary suspended effectiveness of the Slovak implementation of Data Retention Directive. Although the case is already pending for before the Court since October 2012, the Court decided to issue this preliminary measure and accept the case for the further review only now. The preliminary suspension of effectiveness means that the Slovakian retention laws are still formally valid, but have no legal effect until the Court decides on the merits of the compliant. The Court, however, suspended only provisions that are mandating data retention itself, while leaving provisions on access to those information intact for now. This means that ISPs will soon lose any legal obligation to store data about users. Any storage of personal data of users will thus need to be limited to general privacy regime.
On July 3, 2014 also the Slovenian Constitutional court annulled the national data retention legislation for reasons similar to the Austrian case. The decision is available here (only in Slovenian language, sorry): https://www.ip-rs.si/fileadmin/user_upload/Pdf/sodbe/US_RS_ZEKom-1_3julij2014.tif
In nuts, the Slovenian Court found the local data retention legislation to be disproportionate for the following reasons:
– massive and un-selective retention of data constitutes a breach of rights of a large proportion of population, while no grounded justification was provided for that;
– no justifications and grounds were provided for the selected retention periods (8 months for internet related and 14 months for telephony related data);
– the use of retained data was not limited to serious crime.
…. and here the countries that, by contrast, are confirming DR national rules (although with some accidents, such as in the Netherlands).
In Danemark, the Parliament commissioned a study on the lawfulness of the local data retention legislation and reached the conclusion that it fully comply with the minimum proportionality requirements set out in the CJEU ruling.
While hesitating and ignoring the problem for longtime, Italy suddenly adopted a new legislation which reinforced the data retention obligations, irrespective and despite of the annulment decision of the CJEU. By virtue of art. 4-bis, comma 1, of Legislative Decree n. 7 of February 18, 2015 (confirmed by law n. 43 of April 17, 2015), the Italian authorities decided that the retention of personal data (currently 24 months for calls and 12 months for Internet communications) should be extended up to December 2016 for certain categories of crimes (terrorism, mafia ecc).
In Sweden the situation is more controversial. Just after the annulment of the DR directive, various Swedish ISPs declared their intentions to stop retaining data. PTS, the Swedish regulator, had initially announced that it would stop the enforcement of the data retention law – at least until the situation is clarified. The government ordered a a study to be carried out and, on June 12, 2014 an expert group appointed by the Ministry of Justice concluded that the Swedish legislation on data retention is lawful by maintaining that, unlike the repealed directive, such provisions contain clear rules on the conditions for providing access to retained data. As a consequence of this intervention, most of the Swedish operators resumed data retention, while some of them resist, amongst them the ISP Bahnhof which has been threatened by PTS for this reason.
In November 2014 the Dutch government proposed some minor adjustments to the national data retention legislation which did not came into force yet. In the meanwhile, a judge from The Hague declared the original law to be invalid and suspended the application, here a comment about.
On July 17, a new data retention law came into force in UK, the Data Retention and Investigation Powers Act 2014 (DRIPA). The new legislation substantively re-enacts the mandatory data retention provisions of the UK 2009 Data Retention Regulations, which was based on the provision of the annulled European Directive. The rules will continue to empower the Secretary of State to give data retention notices to public telecommunications operators ). However, instead of the previous fixed 12 month period of retention, the current retention period may vary subject to a maximum 12 months. The notice may specify different periods for different types of data. The notice may relate to an operator or description of operators. Complaints against the new regime has been already announced.