With today's decision, the Court of Justice has declared the Data Retention Directive invalid. (see our previous post on the opinion in this case: Challenging the Data Retention Directive...)
The Directive concerned the harmonisation of Member States' legislations as to the storage of data which are generated or processed by providers of publicly available electronic communications services or of public communications networks, to the end of fighting terrorism and other forms of organised crime. In this context, providers must retain traffic and location data as well as related data necessary to identify the subscriber or user.
The Court observed that such large-scale collection and retention of data represents a serious interference with fundamental rights such as the right to private life and respect of personal data. It then sought to ascertain whether such interference was justified in light of the objectives pursued by the Directive.
While acknowledging that the infringement of fundamental rights brought about by the Directive is limited and linked to genuine public interest, "the Court is of the opinion that, by adopting the Data Retention Directive, the EU legislature has exceeded the limits imposed by compliance with the principle of proportionality".
First, "the directive covers, in a generalised manner, all individuals, all means of electronic communication and all traffic data without any differentiation, limitation or exception";
Second, it "fails to lay down any objective criterion which would ensure that the competent national authorities have access to the data and can use them" only in relation to the crimes that the directive was meant to prevent/fight;
Third, the data retention period seems to be established without giving any meaningful indication as to how differences could be made among different subjects and different categories of data.
Finally, the Directive doesn't seem to provide sufficient guarantees against abuse and does not "ensure the irreversible destruction of the data at the end of their retention period", and furthermore does not require the data to be kept within Europe, which leaves unclear what authorities will, in fact, have access to the data.
The decision, which is making privacy advocates rather happy, will of course have consequences. Stay tuned for updates!