On 8 April 2014 the Court of Justice handed down its judgment in the cases of Digital Rights Ireland against the Irish authorities and of the Austrian Constitutional Court against the Government of Carinthia and Mr Seitling, Mr Tschohl and other complainants, Cases C-293/12 and C-594/12, declaring the invalidity of the Directive on the retention of telecommunications and electronic communications data of 2006, hereinafter the “Directive”, with effect from the date on which the Directive entered into force.
What were the requirements of the Directive? What type of data was retained?
With the goal of combating terrorism and other serious offences, the Directive required telecommunications companies and internet operators to register and retain the following data from all types of telephone calls (fixed and mobile as well as unanswered calls) and e-mails during a period of between 6 and 24 months, depending on the applicable legislation in each state:
- In the case of fixed telephones, the data of the calling telephone number and destination number, the names and addresses of the persons calling and those to which the telephone numbers were registered at the time of connection, as well as the telephone service used and from where they were calling, but not the content of the conversation, which required judicial authorisation.
- In the case of mobile telephones, the identifier of the device was also required.
- In the case of internet, the dynamic and static IP addresses assigned by the internet access provider, the name and address of the user and data necessary to identify the date, time and duration of a communication.
- In the case of a pre-paid card, data regarding the date and time of the activation of the service also needed to be retained.
Reasons for the invalidity of the Directive
The Court of Justice indicates that the requirements on telecommunications operators imposed by the Directive entails a wide-ranging and particularly serious interference of the fundamental right of individuals to privacy and the protection of their personal data, given that there are no substantive and procedural limits in the Directive regulating and restricting those interferences to what is strictly necessary, thus exceeding the limits of the principle of proportionality.
In fact, the judgment states that “the Directive covers, in a generalised manner, all persons and all means of electronic communication as well as all traffic data without any differentiation, limitation or exception being made in the light of the objective of fighting against terrorism and serious crime.”
Consequently, the judgment holds that the said data taken as a whole, what we call Big Data, may provide very precise information concerning the private lives of the persons whose data has been retained, such as the habits of everyday life, permanent or temporary places of residence, the activities carried out in their daily life, when going out or on holiday, the relationships, friends, of those persons and the social environments frequented by them, in short all their life, thoughts, beliefs, feelings, location, and that of their children, current accounts, without prior information provided or consent sought to process that data, basic principles of the fundamental right to the protection of personal data.