CHAPTER 5: LEGAL CONSTRAINTS
public security”, and as potentially dependent for its effectiveness on “the use of
modern investigation techniques”.88
5.68.
88
This notwithstanding, the CJEU declared the Data Retention Directive to be invalid,
for failure to comply with the principle of proportionality. The utility of the Directive in
the fight against serious crime was not enough to render it “necessary”, in the absence
of safeguards which the court ruled that the EU legislator should have provided. In
particular:
(a)
The Directive mandated the bulk retention of “all traffic data” relating to “all
means of electronic communication” used by “practically the entire European
population”, including those in respect of whom there was no suggestion that
they had a connection, even indirect or remote, with serious crime (paras 5658).
(b)
The Directive did not allow for any exceptions relating to communications that
are subject to professional secrecy (para 58).
(c)
The Directive did not require any “relationship between the data whose
retention is provided for and a threat to national security”: in particular,
retention was not restricted by reference to particular time periods, places or
persons who were likely to be involved in serious crime or who could contribute
to its prevention, detection or prosecution (para 59).
(d)
The Directive did not lay down “any objective criterion” by which to determine
the types of “serious crime” in respect of which the retained data could be
accessed or used: deferring to national definitions was not enough (para 60).
(e)
The Directive contained no substantive or procedural conditions concerning
access to and use of the data. In particular, it did not restrict access and use
of the data to what is strictly necessary for “preventing and detecting precisely
defined serious offences or conducting criminal prosecutions relating thereto”
(para 61).
(f)
The Directive did not lay down objective criteria to limit the number of persons
authorised to access and use retained data. “Above all”, access by national
authorities was not made dependent on a “prior review carried out by a court
or by an independent administrative body whose decision seeks to limit access
to the data and their use to what is strictly necessary...” (para 62).
(g)
The Directive required all data without distinction to be retained for at least six
months, and did not ensure that retention periods must be limited to what is
strictly necessary (paras 63-64).
(h)
The Directive did not provide for sufficient protection and security against
abuse and unlawful access, bearing in mind the “vast quantity” and “sensitive
nature” of the data. Service providers were wrongly allowed to have regard to
Digital Rights Ireland, paras 49 and 51.
87