EU data retention law said to breach privacy rights

The 2006 directive has generated considerable controversy over the years because it allows governments and intelligence agencies to track and store data on the movements, meetings, phone and Internet use of every EU citizen.

Operators are required to retain details of emails and telephone calls for up to two years in a database specifically designed for police access.

“The directive treats everyone as a suspect, it monitors everyone, it puts everyone under surveillance,” said TJ McIntyre of Digital Rights Ireland, who took the case to the court almost seven years ago.

Villalon’s opinion is not binding but is still seen as a major victory by pro-rights advocates because the court’s judges often come to the same conclusion.

A final court verdict is expected sometime in the first half of next year.

“It bodes very well for the final judgement, it is a very measured, a very balanced opinion, and I think it is one the court’s will find very influential,” said McIntyre.

Villalon says the European commission has to come up with better reasons to justify the directive.

The Spanish advocate says safeguards need to be set up to limit access because the retained data is at risk of being used in unlawful, fraudulent, and malicious ways.

He suggests using courts or independent bodies to screen access requests instead of just allowing a loose interpretation of a ‘serious crime’ to justify police probes.

“It should have required a case-by-case examination of requests for access in order to limit the data provided to what is strictly necessary,” notes the opinion.

Principles should have been set up, it says, so that authorities authorised to access the data are required to erase them once no longer useful.

Authorities should also have to notify people their data was accessed, at least retrospectively, if they are innocent or if the notification presents no risk to criminal investigations.

The opinion casts some doubt on fines levied against member states, which did not fully transpose the directive into national law on time.

Sweden over the summer was fined a lump sum of €3 million because of the delay.

Germany is also under the commission’s scrutiny.

Last year, the Brussels executive took Berlin to the court after it refused to transpose it. Germany’s Federal Constitutional Court annulled the directive in 2010.

The commission wants Germany to pay a daily penalty payment of €315,036.54 for each day after the Court ruling until the country ceases to be in breach of EU law.

The German case is still on-going.

“You can’t say there is an obligation to implement the directive, while at the same time the advocate general has said the directive should be regarded as invalid. At a minimum, the case should be put on hold,” says McIntyre.

A contact at the Court said it would be difficult for a member state to be in breach of a directive that no longer exists, should it be annulled.

“There are some very special cases where EU law can be deemed to be non-existant, which basically means it had never been valid, ever, and anything that it has caused to happen should be reversed,” he said.

The European Commission, for its part, says they are working on improving the directive but must take into account existing EU data protection laws like the e-privacy directive.

“It doesn’t really make sense to review or make a change of the data retention directive if these other elements are not in place,” said European Commission spokesperson for home affairs, Michele Cercone.