Whilst the case mentioned in my previous post concerned a question that according to AG Wahl is beyond the reach of EU law, AG Cruz Villalón today presented his opinion on a topic that is certainly within its scope and, if the CJEU follows the AG's reasoning, could have a paramount effect on it. In Digital Rights Ireland, the AG submits that the EU's Data Retention Directive is incompatible with the right to privacy laid down in the Charter of Fundamental Rights.
AG Cruz observes:
'72. [T]he collection and, above all, the retention, in huge databases, of the large quantities of data generated or processed in connection with most of the everyday electronic communications of citizens of the Union constitute a serious interference with the privacy of those individuals, even if they only establish the conditions allowing retrospective scrutiny of their personal and professional activities. The collection of such data establishes the conditions for surveillance which, although carried out only retrospectively when the data are used, none the less constitutes a permanent threat throughout the data retention period to the right of citizens of the Union to confidentiality in their private lives. The vague feeling of surveillance created raises very acutely the question of the data retention period. (...)
77. It is true that Directive 2006/24 requires the Member States to ensure that data are retained in accordance with that directive. It is interesting to note though that it is required to carry this out only in such a way that those data and any other necessary information relating to them ‘can be transmitted upon request to the competent authorities without undue delay’. Directive 2006/24 provides, moreover, that the Member States must ensure that providers of electronic communications services observe minimum principles concerning the protection and security of the data retained.
78. However, no provision of Directive 2006/24 lays down the requirement for those service providers themselves to store the data to be retained in the territory of a Member State, under the jurisdiction of a Member State, a fact which considerably increases the risk that such data may be accessible or disclosed in infringement of that legislation.
79. That ‘outsourcing’ of data retention admittedly allows the retained data to be distanced from the public authorities of the Member States and thus to be placed beyond their direct grip and any control, but by that very fact it simultaneously increases the risk of use which is incompatible with the requirements resulting from the right to privacy.
80. Directive 2006/24 therefore constitutes, as is clear from the foregoing reasoning, a particularly serious interference with the right to privacy and it is in the light of the requirements resulting from that fundamental right that its validity, and in particular its proportionality, must primarily be examined. (...)
102. The serious interference with the right to privacy which, as a consequence of the "creating" effect of Directive 2006/24, the Member States are meant to incorporate into their own legal systems thus appears to be disproportionate to the need solely to ensure the functioning of the internal market, even if that collection and retention must also be considered an appropriate and even necessary means of achieving the ultimate objective pursued by the directive of ensuring that the data are available for the purpose of the investigation and prosecution of serious crime. In summary, Directive 2006/24 would fail the proportionality test for the very reasons which justified its legal basis. The reasons for its legitimacy in terms of its legal basis would, paradoxically, be the reasons for its illegitimacy in terms of proportionality.'
On the division of tasks between EU and Member States, AG Cruz remarks:
'120. The European Union legislature cannot, when adopting an act imposing obligations which constitute serious interference with the fundamental rights of citizens of the Union, entirely leave to the Member States the task of defining the guarantees capable of justifying that interference. It cannot content itself either with assigning the task of defining and establishing those guarantees to the competent legislative and/or administrative authorities of the Member States called upon, where appropriate, to adopt national measures implementing such an act or with relying entirely on the judicial authorities responsible for reviewing its practical application. It must, if it is not to render the provisions of Article 51(1) of the Charter meaningless, fully assume its share of responsibility by defining at the very least the principles which must govern the definition, establishment, application and review of observance of those guarantees.'
Accordingly, 'it was for the European Union legislature to define the fundamental principles which were to govern the determination of the minimum guarantees for access to the data collected and retained and their use' (para. 121).
See the CJEU's press release for further details.
See the CJEU's press release for further details.