Human rights, internet surveillance and Europe’s constitutional framework

The Court of Justice recently found the controversial Data Retention Directive incompatible with the Charter of Fundamental Rights of the European Union and so declared it invalid. This decision is important in a number of respects.

It illustrates the ongoing controversy over telecoms and internet surveillance. The Data Retention Directive obliges communication providers across Europe to keep telephone and internet records for between six and 24 months and was adopted in the aftermath of the terrorist attacks in Madrid in 2004 and London in 2005. At that time there was a significant consensus on the need to combat terrorism. However, there is currently greater importance placed on privacy rights, not least because of the Snowden revelations about mass surveillance in the US.

Articles 7 and 8 of the Charter of Fundamental Rights provide the framework to balance these competing interests. On the one hand, there  is a general interest in combatting terrorism and serious crime. On the other, the undoubted interference with citizens’ privacy and rights to data protection arising from the blanket retention of communications data. The Court of Justice found in favour of privacy, mainly because of the lack of detail in the Directive about who can access the stored data, how it will be accessed, the safeguards that apply to the data and the risk of onward transfer out of the European Union.

On a wider note, it shows the willingness of the Court of Justice to strike down European legislation where it is incompatible with fundamental rights under the Charter, particularly the rights to privacy and data protection. This is not the first time legislation has been struck down on this basis. For example, in 2010 the Court of Justice invalidated regulations requiring publication of the names of individuals receiving agricultural subsidies (see Volker v Land Hessen, C-92/09 & C-93/09). We may see the validity of European legislation challenged more regularly and more vigorously in the future, based on the wide range of rights granted under the Charter.

From a communication perspective, it is unlikely the Data Retention Directive will be resurrected in the near future. The European legislative machine has now ground to a halt pending the European Parliament election in May and will not restart in the autumn. In addition, whilst it might be possible to enact a new Directive with the additional detail sought by the Court of Justice, it cannot be excluded that it, too, would be struck down.

The more interesting issue is what will happen to national implementing legislation? In some Member States, there is a risk that national implementing legislation will be automatically ultra vires – i.e. as the national legislation was only introduced in order to implement the Directive, it automatically becomes invalid when the Directive become invalid.

Even if national legislation does not automatically become invalid, there will be a difficult question as to whether it is compatible with the Charter rights and the right to privacy under the European Convention on Human Rights. The analysis is not straightforward as suitably strict and detailed national legislation could resolve the deficiencies identified by the Court of Justice, even though the much more high-level and less detailed Directive does not. Clearly, telecoms operators will need to watch developments closely and consider if their continued retention of communication data is justified.

The decision of the Court of Justice of the European Union is available here.