54
SZABÓ AND VISSY v. HUNGARY JUDGMENT– SEPARATE OPINION
15. As a matter of fact, the Luxembourg Court played a major role in
redefining the limits of covert data gathering for national security purposes
in the EU and outside it. In Maximillian Schrems v Data Protection
Commissioner24, the Court of Justice of the European Union declared that
the Commission’s US Safe Harbour Decision is invalid, because it
authorises, on a generalised basis, storage of all the personal data of all the
persons whose data is transferred from the EU to the United States without
any differentiation, limitation or exception being made in the light of the
objective pursued and without an objective criterion being laid down for
determining the limits of the access of the public authorities to the data and
of its subsequent use. The Court added that legislation permitting the public
authorities to have access on a generalised basis to the content of electronic
communications must be regarded as compromising the essence of the
fundamental right to respect for private life. Likewise, the Court observed
that legislation not providing for any possibility for an individual to pursue
legal remedies in order to have access to personal data relating to him, or to
obtain the rectification or erasure of such data, compromises the essence of
the fundamental right to effective judicial protection, the existence of such a
possibility being inherent in the existence of the rule of law. Finally, the
Court found that the Safe Harbour Decision denies the national data
protection supervisory authorities their powers where a person calls into
question whether the decision is compatible with the protection of the
privacy and of the fundamental rights and freedoms of individuals. The
Court held that the Commission did not have competence to restrict the
national supervisory authorities’ powers in that way.
In the joint cases of Digital Rights Ireland and Seitinger and Others25,
the Luxembourg Court had already declared invalid the Data Retention
Directive 2006/24/EC laying down the obligation on the providers of
publicly available electronic communication services or of public
communications networks to retain all traffic and location data (or
metadata) for periods from six months to two years, in order to ensure that
the data were available for the purpose of the investigation, detection and
prosecution of serious crime, as defined by each Member State in its
national law. Both individually and in the aggregate, these surveillance
capabilities allowed the state to build a precise picture of the most intimate
aspects of an individual’s life. The potential threat to privacy resulting from
such compulsory, suspicionless, untargeted data retention obligation,
generating in the minds of the persons concerned the feeling that their
24
25
Case C-362/14, judgment of 6 October 2015.
Cases C-293/12 and C-594/12, judgment of 8 April 2014.