Data victory for citizens


In a far-reaching move, the European Court of Justice has struck down the European Data Retention Directive, a dramatic decision that is a victory for Irish and European citizens. The ruling was based largely on a consideration of privacy group Digital Rights Ireland’s challenge to the constitutionality of Ireland’s own data retention legislation. The case was referred to the ECJ by the High Court for clarification: was the EU directive, on which Irish law is based, itself legal?

The EU’s highest court resoundingly said no. The justices unequivocally stated that it violated existing privacy, human rights and data protection guarantees given to the EU’s half a billion citizens. Furthermore – as privacy advocates have long argued – it had done so from the start, and should never have been implemented. The 2006 directive mandated that EU member states retain and store, for up to two years, details about all mobile and landline calls, such as the time of a call, who made it, the recipient and the phone location. In addition, similar “metadata”, or data about information, were also retained on some internet activities.

The justices stated that, “by requiring the retention of those data and by allowing the competent national authorities to access those data, the directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data.” Such a programme, said the court, amounted to the mass surveillance of nearly every EU citizen, because “those data, taken as a whole, may provide very precise information on the private lives of the persons whose data are retained.”

The central issue for the court was the proportionality of the law. There is no doubt, it said, that law enforcement needs access to some of these data, to prevent and to prosecute serious crime, and terrorism. But – as with the secretive, mass interception and storage of phone call data by the National Security Agency in the US, revealed by Edward Snowden – authorities had been unable to present any convincing evidence that holding data for such long periods, for hundreds of millions of people, made citizens safer.

The ruling will not deny national law enforcement agencies appropriate access to retained data as, under data-protection laws, communications companies keep data for up to six months for business purposes. But the ruling is likely to force the EU to come up with a new, more defined, limited and targeted retention directive, with much better public oversight.

Meanwhile, Digital Rights Ireland will return to the High Court, with its original case greatly strengthened by the ECJ ruling. The result should be national and European legislation that more appropriately balances security and personal privacy. In a post-Snowden world, that is a significant win for the people.

Sign In

Forgot Password?

Sign Up

The name that will appear beside your comments.

Have an account? Sign In

Forgot Password?

Please enter your email address so we can send you a link to reset your password.

Sign In or Sign Up

Thank you

You should receive instructions for resetting your password. When you have reset your password, you can Sign In.

Hello, .

Please choose a screen name. This name will appear beside any comments you post. Your screen name should follow the standards set out in our community standards.

Thank you for registering. Please check your email to verify your account.

Your Comments
We reserve the right to remove any content at any time from this Community, including without limitation if it violates the Community Standards. We ask that you report content that you in good faith believe violates the above rules by clicking the Flag link next to the offending comment or by filling out this form. New comments are only accepted for 3 days from the date of publication.