UPDATE: On June 11, 2015 the Belgian Constitutional Court declared invalid Belgian data retention law. The decision is here, more infos to follow
On March 11, 2015 a Dutch court declared the national data retention legislation to be invalid. The decision is a foreseeable effect of the previous sentence of the Court of Justice of the European Union which on April 8, 2014 annulled the European Directive on data retention (Directive 2006/24/EC).
Following the annulment by the EU jurisdiction, European Member States are hardly starting to face the consequences of that. In facts, the European judgement did not make national data retention legislations (whether or not enacted as implementation of the annulled directive) automatically invalid. However, because of the principles laid down by the European court, most of such national legislations are at risks, because they impose data retention obligations in a too general and far-reaching way. According to the European Court, data retention obligation are compatible with EU law, namely with fundamental rights and privacy, as far as they are sufficiently selective and proportionated.
In the case of Netherlands, the government made a review of the national data retention legislation and concluded that no major modifications were needed and that in any case such legislation was necessary “for the investigation and prosecution of serious criminal offenses”. Only a few adjustments were made, which mainly tightened who had access to what data and under what circumstances. However, such adjustments have been just proposed and consulted, but have not yet entered into force. The current judgment therefore only related to the “original” law.
Remarkably, unlike the European Court, the Dutch judge did not declare the massive collection of data as such illegal. It seems that, according to the Dutch court, a limitation on the data that need to be retained would not make sense, given the purpose of the legislation, which is to fight and prevent serious crimes (§3.8. of the ruling). The court mainly focused on the safeguards around such as: where and how the data are stored? who and how can access the data for what kind of crimes (i.ee not only serious crimes)? here a Google translation of the relevant paragraph:
“In that respect it is noted that a limitation of the data to be saved to the data of suspected citizens is not conceivable in view of the purpose of the Wbt, i.e. the effective detection of serious crime. In case of a first offender it is not possible to distinguish in advance between suspicious and non-suspicious citizens. The need for providing assurances and guarantees regarding access to these data, however, is all the greater because it is a very large interference, so that should be put to that high standard.”
Also other European governments, for instance Denmark, UK and Sweden, reviewed their national legislations to be in line with the European judgment. To have a full picture see my previous post.
While the details of the case at stake still needs to be analyzed, it is clear that some European governments have underestimated the consequence of the annulment of the European directive. On the basis of this precedent, any individual can challenge national data retention rules on the basis that they do not comply with the criteria laid down by the European court. Whether or not such a legislation was enacted as implementation of the annulled directive, it is irrelevant.
Other important European governments, such as Italy for instance, are silent on the matter and they risk that related data retention legislation to be entirely declared invalid by a court, with major consequence on their entire investigation activities.