Data retention: "We ask the Court to rule in favour of Freedom"
This article is also available in:
Deutsch: Vorratsdaten: "Das Gericht soll zugunsten der Freiheit entscheide...
On 9 July 2013, the European Court of Justice held a hearing before the Grand Chamber on the validity of the data retention directive (2006/24/EC). In line with the questions the involved parties received from the Court, the hearing focused on Art. 7 and 8 of the Charter of Fundamental Rights of the European Union.
The representatives of the parties who initiated the cases in Ireland and Austria, Digital Rights Ireland, Human Rights Commission Ireland, AK Vorrat Austria and an individual Austrian citizen argued that the data retention directive is incompatible with the Charter. There still is no evidence available, they argued, that the excessive collection of communication data is a necessary and proportionate measure for combating organised crime and terrorism in the EU. Furthermore, the data available proves that retained data is used for the investigation of crimes not foreseen in the directive, like theft, drug trafficking and stalking.
The lawyer of AK Vorrat, Ewald Scheucher, referred to the ruling of the German Constitutional Court, which stated that the cumulative effect of fundamental rights restrictions need to be taken into consideration when judging the legitimacy of a single measure. Given the revelations regarding PRISM, this cumulative effect now clearly provides a different result that at the time when the German Court took its decision. Furthermore, he stated that the Austrian implementation of the directive clearly showed that a Charter-compatible national implementation of the data retention directive is not possible. This argument is bolstered by the fact that the main author of the Austrian implementation is among the 11 139 Austrian plaintiffs who challenged data retention before the Austrian Constitutional Court.
Mr. Scheucher closed his statement with the words: "We ask the Court to rule in favour of Freedom. Security already has enough advocates."
Following the statements of the plaintiffs, a number of member states and EU institutions were asked to deliver their answers to the questions of the court. Many of them referred to the evaluation report the Commission published in 2011. This was remarkable, as this report suffered itself from a lack of evidence as, amongst other shortcomings, many member states were unable to provide any statistically relevant data on the use of retained data for the purposes defined in the directive. On the contrary, it showed an excessive number of uses in Poland in the context of minor offences.
New statistical data were presented by the representative of Austria. He explained that between 1 April 2012 and 31 March 2013 retained data has been accessed by Austrian prosecutors in 326 cases. Out of these 326 cases, 139 are already closed. In 56 of these 139 cases, the data retained contributed to solving the case. The offences of these cases were: theft (16), drug offences (12), stalking (12), fraud (7), robbery (7) and others. Following an ad hoc question of a judge, it was further stated that none of the cases involved terrorism and that the question whether organised crime was involved needed further investigation.
The statements of the other member states followed the lines that data retention is necessary and proportionate, the opposition against data retention is caused by fears of data breaches (Ireland), the anonymity of the communication needs to be avoided (Spain), the ECJ should focus on the core contents of the directive and not on the room it leaves for the implementation by member states (Italy) and that anonymous uses – like prepaid mobile phones – are not damaging the value of data retention, as additional means like video surveillance can be used to identify individuals.
The representative of the European Parliament stated that the directive was valid and in line with the Charter. Being a directive harmonising the internal market, he argued, it only regulates the obligations of providers and does not deal with the law enforcement aspects, which need to be defined by the member states. This statement led to questions by one of the judges who wanted to know if it was due to the chosen legal basis that the protection of fundamental rights could not be regulated in more detail. This was confirmed by the EP representative, whereupon the judge asked whether the legal basis should rather be chosen based on the compliance with fundamental rights. The representative of the Parliament agreed but stated that while it was important to protect fundamental rights, it was not possible to do such regulation in an internal market directive.
The representative of the Council argued – like some member states before – that the use of retained data can only be judged in the context of national laws and that therefore the directive needed to be seen in isolation rather than in context of national implementations. The maximum retention period of two years also reflects the different traditions of member states and is needed to analyse the communication of terrorists in the context of bomb attacks.
Also, the representative of the European Commission argued that the directive was only about the obligation to retain data, while the use of the data needed to be regulated by the member states. Furthermore the directive needed to be judged on the basis of the legal situation in 2006. Following this statement a judge asked whether the position of the Commission was that the Charter were not applicable. This was denied.
Finally, the representative of the European Data Protection Supervisor delivered his statement. He stated that the necessity of data retention has not been proven and that no alternative, less intrusive measures have been evaluated. In addition, the directive was not sufficiently clear in limiting the purpose of the data processing. Furthermore the use of the retained data should not be left over to be regulated by member states without further guidance by the European legislator.
The hearing continued with a number of detailed questions by the judges which also included whether data retention could be lawfully outsourced to other data processors within the EU or in third countries. According to a report, 36 percent of the retained data is subject to outsourcing and the third largest provider is based in a third country operating on the basis of the Safe Harbor agreement. Being asked whether the national laws of third countries concerning the access to data by national authorities could negatively affect the lawfulness of the processing, the representative of the Commission could not answer immediately and he also failed to provide a clear answer to whether the websites accessed by users are to be retained on the basis of the directive.
The Advocate General will provide his opinion on the 7 November 2013.
EDRi-gram 11.13: European Court of Justice data retention cases to be
heard on 9 July (including the questions asked by the Court, 3.07.2013)
EDRi-gram 9.8: Top 10 misleading statements of the European Commission
on data retention (20.04.2011)
EDRi shadow data retention report (17.04.2011)
Live-Ticker on the ECJ hearing on the data retention directive (only in
(Contribution by Andreas Krisch - EDRi member VIBE!AT - Austria)