The Court of Justice of the European Union (ECJ/CJEU) just announced a significant decision in relation to the mandated storage of users' communications data by telecoms companies and internet service providers. Such data includes details about user location, text messages, emails, internet use, contacts, frequency, and the storage of that information for up to two years. The purpose for such retention relates to law enforcement purposes.
An EU Directive, the Data Retention Directive, was the measure which permitted EU States to implement national data retention laws. Such laws are now called into question given the EU Court has now found the Directive to be unlawful.
TJ McIntyre, the Chairman of Digital Rights Ireland, the main party behind the questions put to the European Court, said following the decision that "This is the first assessment of mass surveillance by a supreme court since the Snowden revelations. The ECJ's judgment finds that untargeted monitoring of the entire population is unacceptable in a democratic society."
The Court held that the Directive was unlawful, disproportionate, unjustified in terms of the stated aims upon which it was being justified and infringed the privacy rights and expectations of European citizens.
This decision will have to be carefully considered in terms of policy at EU and national level. It impacts national laws, and potentially cases where national police forces may seek to rely on data or information obtained via the data retention regime in court cases or terror type cases.
However, amongst the various reasons for the EU court throwing out the Directive, some referred to above, is a suggestion that data retention data should have been required to be stored in the EU. The Court states that the"directive [did] not require the data in question to be retained within the European Union, with the result that it cannot be held that the control, explicitly required by ... the [EU] Charter, by an independent authority of compliance with the requirements of protection and security ... is fully ensured. Such a control, carried out on the basis of EU law, is an essential component of the protection of individuals with regard to the processing of personal data."
The implication is that for the secure storage of retained data per a data retention regime - if a new lawful and permissible one is sought to be pursed - may have to ensure that the data is stored and secured within the EU.
This has resonance with the ongoing Snowden revelations and also the concerns of some with many Cloud storage scenarios where EU citizens' personal data may be stored, copied or mirrored on Cloud servers outside of the EU.
So while the decision to strike down the Data Retention Directive is telco/ISP retention data specific, it may come to be also considered in terms of the wider field of general personal data under the general data protection regime protecting the personal data of individuals. Debate and discussion beyond data retention may ensue.
Paul Lambert
Author of Social Networking: Law, Rights and Policy (Clarus Press)