The Data Retention Saga: Dutch Court Declared National Data Retention Law Invalid!

On March 11, 2015, the district court of The Hague in the Netherlands declared the country's 2009 Telecommunications Data Retention Act  invalid. This decision was a foreseeable effect because of a previous judgement of the Court of Justice of the European Union (CJEU) concerning the annulment of the European Directive on data retention (Directive 2006/24/EC) on April 8, 2014. It seems now that European Member States are starting to face the consequences of that annulment. The cause of this is the fact that the European judgement did not automatically make national data retention legislation invalid. Because of the principles laid down by the European Court, most of such national legislation is at risk, because they impose data retention obligations in a too general and far-reaching way. According to the European Court, data retention obligations are compatible with European law, namely with fundamental rights and privacy, as long as they are sufficiently selective and proportional. In this blog I will briefly discuss the case of the Dutch national data retention law.

The Dutch Telecommunications Data Retention Act
The Dutch court ruled that the country's 2009 Telecommunications Data Retention Act (TDRA), which requires telephone and internet service providers to store the traffic and location data of their users for 12 months, violates the right to respect for private life and the right to protection of personal data, in contravention of the Charter of Fundamental Rights of the European Union. The Dutch court therefore declared the TDRA inoperative and the judgment to be enforceable to the extent practicable. The TDRA will remain inoperative indefinitely pending a potential appeal by the Dutch government.

Prior to the ruling, the (former) Dutch Minister of Security and Justice, Ivo Opstelten, had made a proposal to revise the law through the adoption of stricter data access rules. He stressed that data retention is vital for monitoring jihadist groups and organized crime and that the government cannot "make a distinction in advance between suspected and non-suspected citizens."The Dutch Data Protection Authority, a government-funded privacy watchdog, strongly criticized the draft legislation, stating that "the infringement of the private life of virtually all Dutch citizens is too big and disproportionate."

TDRA and the EU Directive on Data Retention
Telecommunications_usclipdealerThe suspended Dutch Telecommunications Data Retention Act was based on the European Union Data Retention Directive, which had been adopted in 2006 following terrorist attacks in Madrid in 2004 and London in 2005, in order "to harmonize the EU efforts in the investigation and prosecution of the most serious crimes such as, in particular, organized crime and terrorism." The Directive was invalidated by the CJEU in 2014, on grounds that it violated fundamental privacy rights. Despite that ruling, the Dutch government decided in November 2014 to largely maintain its national data retention law on the grounds that it “is indispensable for the investigation and prosecution of serious criminal offenses.” Only a few adjustments were made, concerning who will have access to what data and under what circumstances. However, these adjustments have been just proposed and have not yet entered into force. So the current judgment therefore only relates to the “original” law. A broad coalition of organizations, including Privacy First, the Dutch Association of Criminal Defense Lawyers, the Dutch Association of Journalists, the Dutch Section of the International Commission of Jurists, ISP BIT and a few telecom companies, were not satisfied with that approach and sued the government in January 2015 to get the law invalidated (Stichting Privacy First et al. v. de Staat der Nederlanden (het Ministerie van Economische Zaken en het Ministerie van Veiligheid en Justitie, Case No. C/09/480009 / KG ZA 14/1575, Mar. 11, 2015)).
Unlike the CJEU, the Dutch judge did not declare the large-scale collection of data illegal as such. It seems that, according to the Dutch court, a limitation on the data that need to be retained would not make sense, given the purpose of the legislation, which is to fight and prevent serious crimes (§3.8. of the ruling). Consequence of the Dutch ruling is that the Ministry of Security and Justice, led by Minister Opstelten's temporary replacement Stef Blok, will have to respond to the ruling. The Dutch political party GroenLinks has already taken the step of submitting a proposal to the Parliament to revoke the law. In the long term, Opstelten's successor and the Parliament will have to present a solution.

Other European Countries
DataretentionOther European governments, such as Denmark, United Kingdom, Sweden, Germany and Austria reviewed their national legislation to bring them in line with the European judgment. The Netherlands is not the only country where a law based on the EU Data Retention Directive was invalidated. A similar law was also declared invalid by the Constitutional Court of Austria in the wake of the CJEU ruling, while Germany’s data retention law was ruled unconstitutional long before the CJEU ruling. In Sweden, the government maintains that the national data retention law can still be applied. Finally in the United Kingdom, a new data retention law was rushed through by the  government in December 2014, replacing the one that was based on the EU directive. That new law will be reviewed by the country’s High Court to determine if it violates human rights.

Nevertheless it seems that some European governments have underestimated the consequence of the annulment of the European directive. On the basis of the Dutch precedent, any individual can challenge national data retention rules on the basis that they do not comply with the criteria laid down by the CJEU. Other important European governments, such as Italy, are silent on the matter and they run the risk that related data retention legislation will be entirely declared invalid by a court, with major consequences for their entire investigation activities.

Librarian's choice

A selection of relevant publications from the Peace Palace Library collection

Relevant PPL-keywords for further research

Leave a Reply

Your email address will not be published. Required fields are marked *