Death of data retention directive: What it means for OTHER data laws

Legal boffin considers the implications for public authorities, businesses

The Court of Justice of the European Union (CJEU) on Tuesday declared the Data Retention Directive (DRD) invalid.

It has said that the DRD "entails a wide-ranging and particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data, without that interference being limited to what is strictly necessary."

The key objective of the Data Retention Directive (DRD) is to ensure that "certain data are available for the purposes of investigation, detection and prosecution of serious crime." But this objective is, and always has been, subject to respect for recognised rights.

The CJEU's judgment now means that member state lawmakers need to think even more so in these terms – they must ensure that all of their laws set the balance between respect for privacy and crime prevention in a way that is compatible with the EU's Charter of Fundamental Rights, and perhaps as importantly, the CJEU's views on how to achieve that balance.

At EU level, reforms are being proposed which will introduce another law to support the DRD's underlying objective, much of which is set out in the European Commission's proposal for a Directive on the protection of individuals with regard to the processing of personal data by competent authorities.

The European Parliament has adopted an amended version of this law which would, if introduced, exist alongside a much more widely reported new General Data Protection Regulation.

While very little has been written about the proposed Directive, it sets out much of the same rules in relation to data processing and protection as the draft Regulation does, only it does so in respect of the specific purpose of public authorities investigating criminal activities, while the Regulation sets out those details in respect of public and private sector businesses handling data generally.

While the new potential legislation does not define the scope of what data may be collected or accessible by public authorities, it is not silent on the matter either.

The Commission's version provides some detail in recital 19, for example: "For the prevention, investigation and prosecution of criminal offences, it is necessary for competent authorities to retain and process personal data, collected in the context of the prevention, investigation, detection or prosecution of specific criminal offences beyond that context to develop an understanding of criminal phenomena and trends, to gather intelligence about organised criminal networks, and to make links between different offences detected."

Although the European Parliament has not accepted recital 19, its inclusion by the Commission highlights that there remains uncertainty as to the scope of the obligations and restrictions that could be imposed by the draft Directive.

It remains to be seen what similar provisions regarding scope may be included by the Council of Ministers and what the Commission will be willing to accept. The Parliament and the Council must both agree on and vote to formally approve the same wording for the Directive before it can become law.

The interpretation of the Directive and member state laws made under it about what public authorities can and cannot do with data may be affected by the interpretation given by the CJEU as to the legitimacy of the Data Retention Directive.

The interpretation may also affect the legitimacy of other current laws which impose retention obligations on organisations. It is possible that public authority powers under member state laws will need to be revised as a result of the CJEU's views as to the proportionality of the DRD in meeting its objectives.

The CJEU has reasoned that data retention laws are generally incompatible with the EU Charter where they do not limit the persons to whom they apply, the time period and geographical zone to which the retained data relate, and where they lack clear restrictions on access. Businesses and individuals affected by laws which do not meet these criteria, relating for instance to their finances or other matters, now likely have reason to review the validity of those laws.

There is also the issue of the interplay between the 'right to be forgotten' and erasure obligations under current and proposed data protection laws on the one hand, and data retention obligations on the other. The right to be forgotten, as proposed by the Commission, would not apply where retention is 'lawful'.

Policies that businesses put in place as to when they must respond to data subject requests in connection with the right to be forgotten (if it is ever given the force of law) will need to reflect laws on retention of data.

In light of the CJEU’s judgment, in many cases where a business could have been under the impression that it may have been entitled to refuse a request for erasure, it now may not be entitled to do so.

Generally, businesses should be very clear as to how they classify data. Clear data classification protocols and having policies in place based on clearly understood distinctions will make it easier for businesses to respond to changes in law in relation to retention obligations and access to data. It will also help businesses avoid complication when requests for data are made by regulators and data subjects.

Luke Scanlon is a technology law expert for Pinsent Masons, the law firm behind Out-Law.com

Copyright © 2014, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.
