In the EU? Setting a 'retain that data' rule? Better comply with e-Privacy
EU Parl legal bods: There are LIMITS on data-snaffling
Opinion EU countries that set their own national data retention laws must ensure those rules are in line with the EU's Privacy and Electronic Communications (e-Privacy) Directive, according to a new legal opinion.
The Court of Justice of the EU (CJEU) ruled last April that specific EU rules on data retention by telecoms providers, set out under the EU Data Retention Directive, disproportionately infringed on privacy rights enjoyed by EU citizens.
In its opinion, the European Parliament's Legal Services unit said EU countries, since the CJEU's judgment, have had the option of either repealing their own laws on data retention or maintaining them. However, it said that should countries choose to maintain the rules then those rules must adhere to the e-Privacy Directive.
"It is … clear that, as a result of the invalidity of the Data Retention Directive, Article 15(1) of the e-Privacy Directive is … applicable to the national measures dealing with data retention in the electronic communications sector," the Legal Services unit said, according to the leaked document published by civil liberties group Access (27-page/3.85MB PDF).
The e-Privacy Directive sets out rules that generally protect the privacy of electronic communications and data associated with those messages, 'traffic data'. One specific provision places a general prohibition on the unauthorised storage of communications and traffic data.
However, Article 15 of the e-Privacy Directive sets out rules that allow national rules to be created to restrict the rights and obligations provided for under the general rules. This means that rules can be set forcing electronic communication service providers to retain personal data where it is "necessary, appropriate and proportionate" to do so for the purposes of safeguarding national security, defence, public security, and the prevention, investigation, detection and prosecution of criminal offences.
The national rules drawing on these provisions must correspond with the Article 15 requirements, the Legal Services unit said. This includes ensuring that limits on the period data should be retained for are set in accordance with justifiable grounds, it said.
The rules must also adhere to the principles provided for under the EU Charter and have regard for what the CJEU said on "the proportionately of the interference" with individuals' privacy rights in its judgment on the Data Retention Directive, it said. This includes adhering to the CJEU's insistence that the rules are "clear and precise", that the interference with privacy rights is "strictly necessary" and that there are "minimum safeguards" in place to protect those rights being infringed.
The Legal Services unit said the CJEU's judgment on the Data Retention Directive could have "indirect consequences" for national data retention rules on the basis that the "same general legal considerations" in the CJEU judgment could be "invoked to challenge the validity of the national acts".
It also said the legal principles established in the CJEU case could also be applied to other EU data retention initiatives, including the Passenger Name Record framework.
The Legal Services unit opinion is not binding. It was prepared for the Civil Liberties, Justice and Home Affairs (LIBE) at the European Parliament which had sought more information on the impact of the CJEU's ruling last year on national data retention laws.
In the aftermath of the CJEU's judgment, the UK government worked to fast-track the implementation of new national data retention laws in the UK. The Data Retention and Investigatory Powers (DRIP) Act came into force in July last year, but it is the subject of a judicial review challenge brought by civil rights campaigners Liberty on behalf of two MPs, David Davis and Tom Watson.
Copyright © 2015, Out-Law.com
Out-Law.com is part of international law firm Pinsent Masons.