On March 11, 2015, the district court of The Hague in the Netherlands declared the country's 2009 Telecommunications Data Retention Act invalid. This decision was a foreseeable effect because of a previous judgement of the Court of Justice of the European Union (CJEU) concerning the annulment of the European Directive on data retention (Directive 2006/24/EC) on April 8, 2014. It seems now that European Member States are starting to face the consequences of that annulment. The cause of this is the fact that the European judgement did not automatically make national data retention legislation invalid. Because of the principles laid down by the European Court, most of such national legislation is at risk, because they impose data retention obligations in a too general and far-reaching way. According to the European Court, data retention obligations are compatible with European law, namely with fundamental rights and privacy, as long as they are sufficiently selective and proportional. In this blog I will briefly discuss the case of the Dutch national data retention law.
The Dutch Telecommunications Data Retention Act
The Dutch court ruled that the country's 2009 Telecommunications Data Retention Act (TDRA), which requires telephone and internet service providers to store the traffic and location data of their users for 12 months, violates the right to respect for private life and the right to protection of personal data, in contravention of the Charter of Fundamental Rights of the European Union. The Dutch court therefore declared the TDRA inoperative and the judgment to be enforceable to the extent practicable. The TDRA will remain inoperative indefinitely pending a potential appeal by the Dutch government.
Prior to the ruling, the (former) Dutch Minister of Security and Justice, Ivo Opstelten, had made a proposal to revise the law through the adoption of stricter data access rules. He stressed that data retention is vital for monitoring jihadist groups and organized crime and that the government cannot "make a distinction in advance between suspected and non-suspected citizens."The Dutch Data Protection Authority, a government-funded privacy watchdog, strongly criticized the draft legislation, stating that "the infringement of the private life of virtually all Dutch citizens is too big and disproportionate."
TDRA and the EU Directive on Data Retention
The suspended Dutch Telecommunications Data Retention Act was based on the European Union Data Retention Directive, which had been adopted in 2006 following terrorist attacks in Madrid in 2004 and London in 2005, in order "to harmonize the EU efforts in the investigation and prosecution of the most serious crimes such as, in particular, organized crime and terrorism." The Directive was invalidated by the CJEU in 2014, on grounds that it violated fundamental privacy rights. Despite that ruling, the Dutch government decided in November 2014 to largely maintain its national data retention law on the grounds that it “is indispensable for the investigation and prosecution of serious criminal offenses.” Only a few adjustments were made, concerning who will have access to what data and under what circumstances. However, these adjustments have been just proposed and have not yet entered into force. So the current judgment therefore only relates to the “original” law. A broad coalition of organizations, including Privacy First, the Dutch Association of Criminal Defense Lawyers, the Dutch Association of Journalists, the Dutch Section of the International Commission of Jurists, ISP BIT and a few telecom companies, were not satisfied with that approach and sued the government in January 2015 to get the law invalidated (Stichting Privacy First et al. v. de Staat der Nederlanden (het Ministerie van Economische Zaken en het Ministerie van Veiligheid en Justitie, Case No. C/09/480009 / KG ZA 14/1575, Mar. 11, 2015)).
Unlike the CJEU, the Dutch judge did not declare the large-scale collection of data illegal as such. It seems that, according to the Dutch court, a limitation on the data that need to be retained would not make sense, given the purpose of the legislation, which is to fight and prevent serious crimes (§3.8. of the ruling). Consequence of the Dutch ruling is that the Ministry of Security and Justice, led by Minister Opstelten's temporary replacement Stef Blok, will have to respond to the ruling. The Dutch political party GroenLinks has already taken the step of submitting a proposal to the Parliament to revoke the law. In the long term, Opstelten's successor and the Parliament will have to present a solution.
Other European Countries
Other European governments, such as Denmark, United Kingdom, Sweden, Germany and Austria reviewed their national legislation to bring them in line with the European judgment. The Netherlands is not the only country where a law based on the EU Data Retention Directive was invalidated. A similar law was also declared invalid by the Constitutional Court of Austria in the wake of the CJEU ruling, while Germany’s data retention law was ruled unconstitutional long before the CJEU ruling. In Sweden, the government maintains that the national data retention law can still be applied. Finally in the United Kingdom, a new data retention law was rushed through by the government in December 2014, replacing the one that was based on the EU directive. That new law will be reviewed by the country’s High Court to determine if it violates human rights.
Nevertheless it seems that some European governments have underestimated the consequence of the annulment of the European directive. On the basis of the Dutch precedent, any individual can challenge national data retention rules on the basis that they do not comply with the criteria laid down by the CJEU. Other important European governments, such as Italy, are silent on the matter and they run the risk that related data retention legislation will be entirely declared invalid by a court, with major consequences for their entire investigation activities.
A selection of relevant publications from the Peace Palace Library collection
- Durica, J., ”Directive on the Retention of Data on Electronic Communication in the Rulings of the Constitutional Courts of EU Member States and Efforts for its Renewed Implementation”, The Lawyer Quarterly, (2013), No. 2, pp. 143-158.
- Feiler, L., “The Legality of the Data Retention Directive in Light of the Fundamental Rights to Privacy and Data Protection”, European Journal of Law and Technology, 1 (2010), No. 3. (PDF)
- Granger, M. and K. Irion, "The Court of Justice and the Data Retention Directive in Digital Rights Ireland: Telling Off the EU Legislator and Teaching a Lesson in Privacy and Data Protection", European Law Review, 29 (2014), No. 6, pp. 835-850.
- Konstadinides, T., "Mass Surveillance and Data Protection in EU Law - the Data Retention Directive Saga", in European Police and Criminal Law Co-operation, Oxford, Portland, Oregon, Hart Publishing, 2014.
- Jones, C. and B. Hayes, The EU Data Retention Directive: a Case Study in the Legitimacy and Effectiveness of EU Counter-terrorism Policy, Securing Europe through Counter-Terrorism – Impact, Legitimacy & Effectiveness (SECILE D2.4), 2013. (PDF)
- Seidler, C., ”European Commission v. Germany: the Data Retention Directive – Legal or Political Issue?”, German Yearbook of International Law, 55 (2013), pp. 601-612.
- Tsesis, A., "The Right to Erasure: Privacy, Data Brokers, and the Indefinite Retention of Data", Wake Forest Law Review, 49 (2014), No. 2, pp. 433-484.