Death of data retention directive: What it means for OTHER data laws

Legal boffin considers the implications for public authorities, businesses

The Court of Justice of the European Union (CJEU) on Tuesday declared the Data Retention Directive (DRD) invalid.

It has said that the DRD "entails a wide-ranging and particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data, without that interference being limited to what is strictly necessary."

The key objective of the Data Retention Directive (DRD) is to ensure that "certain data are available for the purposes of investigation, detection and prosecution of serious crime." But this objective is, and always has been, subject to respect for recognised rights.

The CJEU's judgment now means that member state lawmakers need to think even more carefully in these terms: they must ensure that all of their laws set the balance between respect for privacy and crime prevention in a way that is compatible with the EU's Charter of Fundamental Rights and, perhaps as importantly, with the CJEU's views on how to achieve that balance.

At EU level, reforms are being proposed which will introduce another law to support the DRD's underlying objective, much of which is set out in the European Commission's proposal for a Directive on the protection of individuals with regard to the processing of personal data by competent authorities.

The European Parliament has adopted an amended version of this law which would, if introduced, exist alongside a much more widely reported new General Data Protection Regulation.

While very little has been written about the proposed Directive, it sets out many of the same rules on data processing and protection as the draft Regulation does. The difference is scope: the Directive does so for the specific purpose of public authorities investigating criminal activities, while the Regulation sets out those rules for public and private sector organisations handling data generally.

While the new potential legislation does not define the scope of what data may be collected or accessible by public authorities, it is not silent on the matter either.

The Commission's version provides some detail in recital 19, for example: "For the prevention, investigation and prosecution of criminal offences, it is necessary for competent authorities to retain and process personal data, collected in the context of the prevention, investigation, detection or prosecution of specific criminal offences beyond that context to develop an understanding of criminal phenomena and trends, to gather intelligence about organised criminal networks, and to make links between different offences detected."

Although the European Parliament has not accepted recital 19, its inclusion by the Commission highlights that there remains uncertainty as to the scope of the obligations and restrictions that could be imposed by the draft Directive.

It remains to be seen what similar provisions regarding scope may be included by the Council of Ministers and what the Commission will be willing to accept. The Parliament and the Council must both agree on and vote to formally approve the same wording for the Directive before it can become law.

The interpretation of the Directive and member state laws made under it about what public authorities can and cannot do with data may be affected by the interpretation given by the CJEU as to the legitimacy of the Data Retention Directive.

The interpretation may also affect the legitimacy of other current laws which impose retention obligations on organisations. It is possible that public authority powers under member states' laws will need to be revised as a result of the CJEU's views on the proportionality of the DRD in meeting its objectives.

The CJEU has reasoned that laws requiring data to be retained are generally incompatible with the EU Charter where they do not limit which persons they apply to, or the time period and geographical zone to which the retained data relate, and where they lack clear restrictions on access. Businesses and individuals affected by laws relating to, for instance, their finances or other matters which do not meet these criteria now likely have reason to review the validity of those laws.

There is also the issue of the interplay between the 'right to be forgotten' and erasure obligations under current and proposed data protection laws on the one hand, and data retention obligations on the other. The right to be forgotten, as proposed by the Commission, would not apply where retention is 'lawful'.

Policies that businesses put in place as to when they must respond to data subject requests in connection with the right to be forgotten (if it is ever given the force of law) will need to reflect laws on retention of data.

In light of the CJEU's judgment, in many cases where a business could have been under the impression that it was entitled to refuse a request for erasure, it may now not be entitled to do so.

Generally, businesses should be very clear about how they classify data. Clear data classification protocols, and policies based on clearly understood distinctions, will make it easier for businesses to respond to changes in the law on retention obligations and access to data. They will also help businesses avoid complications when regulators and data subjects make requests for data.

Luke Scanlon is a technology law expert for Pinsent Masons, the law firm behind Out-Law.com

Copyright © 2014, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.
