BIG BROTHER WATCH AND OTHERS v. THE UNITED KINGDOM JUDGMENT
210. The access of the competent national authorities to the data
constituted a further interference with those fundamental rights, which the
CJEU considered to be “particularly serious”. The fact that data were
retained and subsequently used without the subscriber or registered user
being informed was, according to the CJEU, likely to generate in the minds
of the persons concerned the feeling that their private lives were the subject
of constant surveillance. The interference satisfied an objective of general
interest, namely to contribute to the fight against serious crime and terrorism
and thus, ultimately, to public security. However, it failed to satisfy the
requirement of proportionality.
211. Firstly, the directive covered, in a generalised manner, all persons
and all means of electronic communication as well as all traffic data without
any differentiation, limitation or exception being made in the light of the
objective of fighting against serious crime. It therefore entailed an
interference with the fundamental rights of practically the entire European
population, according to the CJEU. It applied even to persons for whom
there was no evidence capable of suggesting that their conduct might have a
link, even an indirect or remote one, with serious crime.
212. Secondly, the directive did not contain substantive and procedural
conditions relating to the access of the competent national authorities to the
data and to their subsequent use. By simply referring, in a general manner,
to serious crime, as defined by each Member State in its national law, the
directive failed to lay down any objective criterion by which to determine
which offences might be considered to be sufficiently serious to justify such
an extensive interference with the fundamental rights enshrined in Articles 7
and 8 of the Charter. Above all, the access by the competent national
authorities to the data retained was not made dependent on a prior review
carried out by a court or by an independent administrative body whose
decision sought to limit access to the data and their use to what was strictly
necessary for the purpose of attaining the objective pursued.
213. Thirdly, the directive required that all data be retained for a period
of at least six months, without any distinction being made between the
categories of data on the basis of their possible usefulness for the purposes
of the objective pursued or according to the persons concerned. The CJEU
concluded that the directive entailed a wide-ranging and particularly serious
interference with the fundamental rights enshrined in Articles 7 and 8 of the
Charter, without such an interference being precisely circumscribed by
provisions to ensure that it was actually limited to what was strictly
necessary. The CJEU also noted that the directive did not provide for
sufficient safeguards, by means of technical and organisational measures, to
ensure effective protection of the data retained against the risk of abuse and
against any unlawful access and use of those data.
69