The Advocate General has given his Opinion in a case concerning the interpretation to be given in a national context to the judgment of the Court of Justice of the EU (CJEU) in 2014 in Digital Rights Ireland (which found the EU Data Retention Directive to be invalid). The Advocate General found that an obligation to retain data imposed by a Member State on providers of electronic communication services may be compatible with EU law, subject to strict requirements.
In its judgment in Digital Rights Ireland in 2014, the CJEU invalidated the Data Retention Directive on the grounds that the general obligation to retain certain data imposed by that Directive constituted serious interference with the fundamental rights to respect for private life and to the protection of personal data, and second, that the rules established were not limited to what was strictly necessary for the purpose of the fight against serious crime.
Following that judgment, two joined cases (C-203/15 and C-698/15) were referred to the CJEU, from courts in Sweden and the UK, as to whether a general obligation on telecommunications service providers to retain data is compatible with the fundamental rights to privacy and data protection under EU law. The Advocate General therefore had the opportunity to specify the interpretation to be given in a national context to the judgment in Digital Rights Ireland.
The case referred from Sweden arose out of a notification by a Swedish telecommunications undertaking to the Swedish telecommunications authority of its decision to cease retaining data and delete data already retained, due to the invalidity of the Data Retention Directive.
The case referred from the UK arose from an action brought by three individuals against the UK Data Retention and Investigatory Powers Act 2014, which authorises the Home Secretary to require public telecommunications operators to retain communications data for a maximum of 12 months.
The Advocate General found that a general obligation to retain data may be compatible with EU law, subject to satisfying strict requirements. It is for the national courts to determine whether those requirements are satisfied.
The requirements are:
(1) The general obligation to retain data and the accompanying guarantees must be laid down by legislative or regulatory measures possessing the characteristics of accessibility, foreseeability and adequate protection against arbitrary interference.
(2) The obligation must respect the essence of the right to respect for private life and the right to the protection of personal data laid down by the Charter.
(3) Any interference with the fundamental rights should be in the pursuit of an objective in the general interest. The Advocate General considers that solely the fight against serious crime is an objective in the general interest that is capable of justifying a general obligation to retain data, whereas combating ordinary offences and the smooth conduct of proceedings other than criminal proceedings are not.
(4) The general obligation to retain data must be strictly necessary to the fight against serious crime, which means that no other measure or combination of measures could be as effective while at the same time interfering to a lesser extent with fundamental rights.
(5) The general obligation to retain data must be proportionate to the objective of the fight against serious crime.
Update: The CJEU delivered its decision on 21 December 2016. The CJEU ruled that EU law precludes Member States from imposing a general obligation to retain traffic and location data. However, it is open to Member States to make provision, as a preventative measure, for targeted retention of that data solely for the purpose of fighting serious crime, provided that such retention is, with respect to the categories of data to be retained, the means of communication affected, the persons concerned and the chosen duration of retention, limited to what is strictly necessary. Access of the national authorities to the retained data must be subject to conditions, including prior preview by an independent authority and the data being retained within the EU.
The Data Retention Directive was implemented in Ireland by the Communications (Retention of Data Act) 2011 (the Irish Act). The legal status of the Irish Act remains unaffected by the 2014 judgment of the CJEU in Digital Rights Ireland, and this recent Opinion by the Advocate General. Whilst the European Commission published an FAQs, following the judgment in Digital Rights Ireland, clarifying that national legislation would need to be amended to the extent that it conflicted with EU law, the Irish government have yet to introduce any amending legislation. Accordingly, national electronic communications providers remain obliged to comply with the terms of the Irish Act unless it is repealed or amended by the Irish Government or declared invalid by an Irish court.