Newsflash: August 2014 Update on Data Retention Obligations in the European Union
In January 2014, we published an article informing readers about the data retention obligations in Europe. You can read our article here. Now, due to a recent decision of the European Court of Justice, the law in this area is in a state of flux.
In more detail:-
• On 8 April 2014, in the joint cases of Digital Rights Ireland and Seitlinger and Others C-293/12 and C-594/12, the European Court of Justice declared the controversial EU Data Retention Directive (2006/24/EC) (the “Directive”) invalid.
• To recap, the Directive came into force in May 2006 and obliged Member States to implement it via national laws which would require communications service providers to retain certain traffic, subscriber and location data generated by their users for a period of between 6 – 24 months. The retained data was to be made available to national authorities in the investigation, detection and prosecution of serious crimes. In the UK, the implementing legislation was the Data Retention (EC Directive) Regulations 2009 (the “2009 Regulations”).
• The Directive failed to properly harmonise data retention law in the EU, as it left it to individual Member State governments to choose the requisite retention period (within the prescribed limits) and to prescribe what would constitute a “serious crime” which would trigger access to retained data. Some Member States even refused to implement it, due to the constitutional and human rights issues which it raised.
• The European Court of Justice cited a number of factors in declaring the Directive invalid. One key issue, was the lack of prescribed safeguards to protect the privacy rights of individuals in light of the substantial level of interference with those rights which the Directive facilitated.
• Despite the Court’s decision, the individual EU Member States’ national implementing laws were not automatically invalidated and it is now up to each Member State government to evaluate how to proceed. The UK government chose to replace the 2009 Regulations with new emergency legislation to fill the gap until the EU introduces alternative law on this topic. The Data Retention and Investigatory Powers Act 2014 (“DRIPA”) came into force on 17 July 2014 in the UK. This legislation is temporary and will only remain in force until 31 December 2016.
• The data retention obligations in the DRIPA are largely similar to those under the 2009 Regulations, but with certain changes being made in an attempt to resolve some of the ambiguities and issues that previously existed. The DRIPA also amends the Regulation of Investigatory Powers Act 2000 to clarify that UK jurisdiction will apply to overseas organisations providing public telecommunications services in the UK.
• The new UK law makes it clear that the obligations only apply to public telecommunications operators who are cited or described in a retention notice made by the Secretary of State requiring them to retain relevant communications data. It also seeks to more narrowly define the purposes for which the data must be retained and disclosed. Additionally, the blanket 12 month retention period in the 2009 Regulations is replaced by a provision stating that the period for which data must be retained will be specified in the retention notice and must not exceed a maximum period of 12 months.
• A legal challenge has already been raised in the UK about the speed with which this legislation was passed through Parliament: it became law in only three days, providing no time for any meaningful scrutiny or debate. It also questions whether the new law sufficiently addresses the European Court’s concerns over interference with privacy rights. It is likely that further legal challenges will follow, given the significance of the issues identified in the European Court’s declaration.
• The reactions of other Member States to the declaration of invalidity have been mixed. Austria declared its data retention laws unconstitutional and significantly reduced its data retention obligations. The Treaty violation proceedings, which were commenced against Germany by the EU Commission as a result of its failure to implement the Directive, have been rendered groundless by the decision. In the Netherlands, where the Directive was implemented, Dutch providers were initially required to continue retaining traffic data for a short period while the government studied the decision.
Despite temporary measures by some Member State governments in response to the invalidity of the Directive, future change in this area is inevitable. It remains to be seen how the EU will re-draft the law in this area, in light of the constitutional and human rights issues raised.
Squire Patton Boggs (UK) LLP
Squire Patton Boggs (UK) LLP is one of the world’s strongest integrated legal practices with more than 1,500 lawyers in 44 offices across 21 countries. Our EU Data Protection Group is ideally placed to advise on this and all other data privacy issues, with specialist data privacy lawyers, located for example, in France, Germany, the UK, Belgium, the Czech Republic, Hungary, Slovakia and Spain.
Widely acknowledged for its international reach and diverse sector expertise, it advises every type of business from fast-growth companies and the established global mid-market to Fortune 100 and FTSE 100 businesses, together with regional and national governments. For more information, visit www.squirepattonboggs.com
This article is made available by Squire Patton Boggs only to provide general commentary of the law as it stands on 18 August 2014, not to provide specific legal advice nor to warrant compliance with the law by Purple WiFi Limited. There is no attorney-client relationship between the reader and Squire Patton Boggs. This article should not be used as a substitute for competent, up-to-date legal advice from a licensed professional attorney.
© Squire Patton Boggs (UK) LLP
All rights reserved
To discuss how we can help you, please contact:-
Intellectual Property and Technology
T – 0113 284 7679
E – firstname.lastname@example.org
Intellectual Property and Technology
T – 0113 284 7459
E – email@example.com