Death of data retention directive: What it means for OTHER data laws

Legal boffin considers the implications for public authorities, businesses

The Court of Justice of the European Union (CJEU) on Tuesday declared the Data Retention Directive (DRD) invalid.

It has said that the DRD "entails a wide-ranging and particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data, without that interference being limited to what is strictly necessary."

The key objective of the Data Retention Directive (DRD) is to ensure that "certain data are available for the purposes of investigation, detection and prosecution of serious crime." But this objective is, and always has been, subject to respect for recognised rights.

The CJEU's judgment now means that member state lawmakers need to think in these terms even more than before – they must ensure that all of their laws set the balance between respect for privacy and crime prevention in a way that is compatible with the EU's Charter of Fundamental Rights and, perhaps as importantly, with the CJEU's views on how to achieve that balance.

At EU level, reforms are being proposed which will introduce another law to support the DRD's underlying objective, much of which is set out in the European Commission's proposal for a Directive on the protection of individuals with regard to the processing of personal data by competent authorities.

The European Parliament has adopted an amended version of this law which would, if introduced, exist alongside a much more widely reported new General Data Protection Regulation.

While very little has been written about the proposed Directive, it sets out many of the same rules on data processing and protection as the draft Regulation does. The difference is that the Directive does so for the specific purpose of public authorities investigating criminal activities, while the Regulation sets out those details in respect of public and private sector businesses handling data generally.

While the new potential legislation does not define the scope of what data may be collected or accessible by public authorities, it is not silent on the matter either.

The Commission's version provides some detail in recital 19, for example: "For the prevention, investigation and prosecution of criminal offences, it is necessary for competent authorities to retain and process personal data, collected in the context of the prevention, investigation, detection or prosecution of specific criminal offences beyond that context to develop an understanding of criminal phenomena and trends, to gather intelligence about organised criminal networks, and to make links between different offences detected."

Although the European Parliament has not accepted recital 19, its inclusion by the Commission highlights that there remains uncertainty as to the scope of the obligations and restrictions that could be imposed by the draft Directive.

It remains to be seen what similar provisions regarding scope may be included by the Council of Ministers and what the Commission will be willing to accept. The Parliament and the Council must both agree on and vote to formally approve the same wording for the Directive before it can become law.

The interpretation of the Directive and member state laws made under it about what public authorities can and cannot do with data may be affected by the interpretation given by the CJEU as to the legitimacy of the Data Retention Directive.

The interpretation may also impact on the legitimacy of other current laws which impose retention obligations on organisations. It is possible that public authority powers under member states' laws will need to be revised as a result of the CJEU's views as to the proportionality of the DRD in meeting its objectives.

The CJEU has reasoned that laws which require data to be retained that do not include limitations as to which persons they apply to, the time period and geographical zone to which data required to be retained relate, and which lack clear restrictions on access, are generally incompatible with the EU Charter. Businesses and individuals affected by laws relating to, for instance, their finances or other matters which do not meet these criteria, likely now have reason to review their validity.

There is also the issue of the interplay between the 'right to be forgotten' and erasure obligations under current and proposed data protection laws, and obligations to retain data. The right to be forgotten, as proposed by the Commission, would not apply where retention is 'lawful'.

Policies that businesses put in place as to when they must respond to data subject requests in connection with the right to be forgotten (if it is ever given the force of law) will need to reflect laws on retention of data.

In light of the CJEU’s judgment, in many cases where a business could have been under the impression that it may have been entitled to refuse a request for erasure, it now may not be entitled to do so.

Generally, businesses should be very clear as to how they classify data. Clear data classification protocols and having policies in place based on clearly understood distinctions will make it easier for businesses to respond to changes in law in relation to retention obligations and access to data. It will also help businesses avoid complication when requests for data are made by regulators and data subjects.

Luke Scanlon is a technology law expert for Pinsent Masons, the law firm behind Out-Law.com

Copyright © 2014, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.
