On 8 April 2014 the Court of Justice handed down its judgment in the cases of Digital Rights Ireland against the Irish authorities and of the Austrian Constitutional Court against the Government of Carinthia and Mr Seitling, Mr Tschohl and other complainants, Cases C-293/12 and C-594/12, declaring the invalidity of the Directive on the retention of telecommunications and electronic communications data of 2006, hereinafter the “Directive”, with effect from the date on which the Directive entered into force.
What were the requirements of the Directive? What type of data was retained?
With the goal of combating terrorism and other serious offences, the Directive required telecommunications companies and internet operators to register and retain the following data from all types of telephone calls (fixed and mobile as well as unanswered calls) and e-mails during a period of between 6 and 24 months, depending on the applicable legislation in each state:
- In the case of fixed telephones, the data of the calling telephone number and destination number, the names and addresses of the persons calling and those to which the telephone numbers were registered at the time of connection, as well as the telephone service used and from where they were calling, but not the content of the conversation, which required judicial authorisation.
- In the case of mobile telephones, the identifier of the device was also required.
- In the case of internet, the dynamic and static IP addresses assigned by the internet access provider, the name and address of the user and data necessary to identify the date, time and duration of a communication.
- In the case of a pre-paid card, data regarding the date and time of the activation of the service also needed to be retained.
Reasons for the invalidity of the Directive
The Court of Justice indicates that the requirements on telecommunications operators imposed by the Directive entails a wide-ranging and particularly serious interference of the fundamental right of individuals to privacy and the protection of their personal data, given that there are no substantive and procedural limits in the Directive regulating and restricting those interferences to what is strictly necessary, thus exceeding the limits of the principle of proportionality.
In fact, the judgment states that “the Directive covers, in a generalised manner, all persons and all means of electronic communication as well as all traffic data without any differentiation, limitation or exception being made in the light of the objective of fighting against terrorism and serious crime.”
Consequently, the judgment holds that the said data taken as a whole, what we call Big Data, may provide very precise information concerning the private lives of the persons whose data has been retained, such as the habits of everyday life, permanent or temporary places of residence, the activities carried out in their daily life, when going out or on holiday, the relationships, friends, of those persons and the social environments frequented by them, in short all their life, thoughts, beliefs, feelings, location, and that of their children, current accounts, without prior information provided or consent sought to process that data, basic principles of the fundamental right to the protection of personal data.
In its judgment the Court of Justice examines whether or not such interference in fundamental rights is justified, and although it recognises that the Directive:
(i) does not allow for the content of electronic communications to be revealed,
(ii) requires internet service providers to respect certain data protection and security principles and
(iii) requires that the retention of data for the purpose of possible access to them by the competent national authorities must genuinely meet objectives of general interest in the fight against serious crime in order to ensure public security
the Court declares that the Directive does not provide for sufficient safeguards to ensure effective protection of the data retained against the risk of abuse and against any unlawful access and use of that data.
As a result, there is no formal requirement to apply reinforced security measures to protect the said information or to review or audit the measures taken to verify whether they have been fulfilled and prevent the data from falling into the hands of persons or entities that may make unauthorised use thereof, from the creation of personality or behavioural profiles, to a criminal use thereof, blackmail, house burglaries or theft of money, kidnapping of individuals or their family, etc.
As everyone knows, the application of security measures requires investment, and the Court indicates that the Directive allows service providers to take into account economic considerations when determining the level of security which they apply (in particular as regards the costs of implementing security measures) and does not ensure the irreversible destruction of the data at the end of the data retention period.
In fact, the security of individuals is also affected because, according to the Court of Justice, the directive does not require the data in question to be retained within the European Union. As a result, the Directive does not guarantee that the data will be processed with the same levels of security and the same protection criteria as those existing in the EU, an essential principle, duly established and consolidated in the European legislation governing the processing of personal data in the EU, nor does it require authorisations from the competent authority or checks of the levels of security applied to the data in third countries.
Technological development has resulted in the possibility of everything about us being known, and each and everyone of us being vulnerable to attack from the standpoint of cybersecurity, the only limits to an attack being how long a hacker takes to get hold of the data and what are the measures put in place by companies and governments to slow down the attack, detect it and put a stop to it. The current location of the war and the power of information is space and I am not referring to airspace but to cyberspace, even though this may sound like something from Star Wars.
The abuse of our data by some governments, from the espionage of the NSA to that of other countries such as the Ukraine, leads us to once again consider the need to defend our security, without which there is no freedom or democracy, and hence to protect our data, congratulating the Court of Justice on its decision.