Whilst the case mentioned in my previous post concerned a question that according to AG Wahl is beyond the reach of EU law, AG Cruz Villalón today presented his opinion on a topic that is certainly within its scope and, if the CJEU follows the AG's reasoning, could have a paramount effect on it. In Digital Rights Ireland, the AG submits that the EU's Data Retention Directive is incompatible with the right to privacy laid down in the Charter of Fundamental Rights.
AG Cruz observes:
'72. [T]he collection and, above all, the retention, in huge databases, of the large quantities of data generated or processed in connection with most of the everyday electronic communications of citizens of the Union constitute a serious interference with the privacy of those individuals, even if they only establish the conditions allowing retrospective scrutiny of their personal and professional activities. The collection of such data establishes the conditions for surveillance which, although carried out only retrospectively when the data are used, none the less constitutes a permanent threat throughout the data retention period to the right of citizens of the Union to confidentiality in their private lives. The vague feeling of surveillance created raises very acutely the question of the data retention period. (...)
77. It is true that Directive 2006/24 requires the Member States to ensure that data are retained in accordance with that directive. It is interesting to note though that it is required to carry this out only in such a way that those data and any other necessary information relating to them ‘can be transmitted upon request to the competent authorities without undue delay’. Directive 2006/24 provides, moreover, that the Member States must ensure that providers of electronic communications services observe minimum principles concerning the protection and security of the data retained.
78. However, no provision of Directive 2006/24 lays down the requirement for those service providers themselves to store the data to be retained in the territory of a Member State, under the jurisdiction of a Member State, a fact which considerably increases the risk that such data may be accessible or disclosed in infringement of that legislation.
79. That ‘outsourcing’ of data retention admittedly allows the retained data to be distanced from the public authorities of the Member States and thus to be placed beyond their direct grip and any control, but by that very fact it simultaneously increases the risk of use which is incompatible with the requirements resulting from the right to privacy.
80. Directive 2006/24 therefore constitutes, as is clear from the foregoing reasoning, a particularly serious interference with the right to privacy and it is in the light of the requirements resulting from that fundamental right that its validity, and in particular its proportionality, must primarily be examined. (...)
102. The serious interference with the right to privacy which, as a consequence of the "creating" effect of Directive 2006/24, the Member States are meant to incorporate into their own legal systems thus appears to be disproportionate to the need solely to ensure the functioning of the internal market, even if that collection and retention must also be considered an appropriate and even necessary means of achieving the ultimate objective pursued by the directive of ensuring that the data are available for the purpose of the investigation and prosecution of serious crime. In summary, Directive 2006/24 would fail the proportionality test for the very reasons which justified its legal basis. The reasons for its legitimacy in terms of its legal basis would, paradoxically, be the reasons for its illegitimacy in terms of proportionality.'
On the division of tasks between EU and Member States, AG Cruz remarks:
'120. The European Union legislature cannot, when adopting an act imposing obligations which constitute serious interference with the fundamental rights of citizens of the Union, entirely leave to the Member States the task of defining the guarantees capable of justifying that interference. It cannot content itself either with assigning the task of defining and establishing those guarantees to the competent legislative and/or administrative authorities of the Member States called upon, where appropriate, to adopt national measures implementing such an act or with relying entirely on the judicial authorities responsible for reviewing its practical application. It must, if it is not to render the provisions of Article 51(1) of the Charter meaningless, fully assume its share of responsibility by defining at the very least the principles which must govern the definition, establishment, application and review of observance of those guarantees.'
Accordingly, 'it was for the European Union legislature to define the fundamental principles which were to govern the determination of the minimum guarantees for access to the data collected and retained and their use' (para. 121).
See the CJEU's press release for further details.