In the current case, the requests for a preliminary ruling were filed with the Court of Justice of the European Union by the High Court of Ireland and the Austrian Constitutional Tribunal. The Irish case was initiated by Digital Rights Ireland, an organisation defending digital fundamental rights. The Austrian case found support from, among others, 11,000 Austrian citizens.
The Data Retention Directive was adopted in order to prevent serious crime, in particular organised crime and terrorism. The Court of Justice of the European Union has ruled today that the interference with fundamental rights connected with the implementation of European law is too far-reaching.
In the opinion on the case, advocate general Cruz Villalon also concluded that the application of the Data Retention Directive could not be reconciled with the provisions of the European Union Charter for Fundamental Rights and with the necessity to protect the right to privacy.
In its judgment, the Court of Justice noted that the data retained on the basis of retention regulations can provide precise information on the private lives of users, such as the habits of everyday life, place of residence, social relationships and social environments frequented.
Even though the Court of Justice states that retention itself can be justified by the need to combat serious crime and protect public safety, by adopting the Data Retention Directive the EU institutions crossed the boundary set by the principle of proportionality. The court emphasized that the directive does not guarantee that the interference in the privacy will be sufficiently circumscribed to ensure that that it is strictly necessary to achieve the above-mentioned goals.
Among other things, the directive does not guarantee that the data will indeed be used only to combat serious crime. Furthermore, access to data does not depend on any court control. The directive does not provide guarantees that would prevent abuses, for example the use of data in an unauthorized manner. Finally, the directive does not establish an obligation to retain the data in the territory of the European Union.
According to Dorota Głowacka, expert of the Warsaw based Helsinki Foundation for Human Rights, “All problems referred to by the court are reflected in the provisions of Polish telecommunications law on data retention. Current rules allow fairly free access to these data by different agencies and may encourage abuse. HFHR has long emphasized the need to change the law in this regard. We postulated, among others, introduction of an effective mechanism for external oversight of the use of retained data, the need to create an exhaustive list of serious offenses for which the authorized entities will be able to use this tool, or the introduction of the obligation to notify the person whose data was accessed.”
In Poland, for quite some time now, the provisions of the directive have raised concerns related to, for example, the wide array of situations in which the police and other agencies can request data administrators to make the telecommunications data available. In principle, this should be the case only in relation to the most serious crime. The practice, however, has diverged from this premise. Some of the reasons for this are that there is no sufficient control over the requests formed by the police and other agencies, the matter of data destruction has not been properly regulated, and it is often a problem to establish the exact number of requests.
However, it is not only the scale of telecommunications data use that is disquieting. The problem also lies in the lack of guarantees that would protect citizens from possible abuses. This is visible in the example of Bogdan Wróblewski’s case. In 2013, Mr Wróblewski, then a journalist for one of the Polish dailies, won a precedential case for protection of personal interests against the Central Anti-corruption Bureau. The court decided that the CAB acquired the journalist’s phone records and other telecommunications data illegally. During the debate organized by the Helsinki Foundation for Human Rights, the director of CAB himself admitted that there had been abuses in Mr Wróblewski’s case.
“The judgement of the Court of Justice of the European Union will undoubtedly have influence on the judgement of the Polish Constitutional Tribunal. The Tribunal is currently assessing the compliance of the provisions of Telecommunications Law on data retention with the Constitution of the Republic of Poland. The interpretation based on the right to privacy and the principle of proportionality should definitely be reflected in the judgement of the Tribunal,” say Adam Bodnar, vice president of the Helsinki Foundation for Human Rights.
So far, the laws on data retention were declared unconstitutional in Germany, Romania and Czech Republic.