CHAPTER 5: LEGAL CONSTRAINTS
economic considerations when determining the level of security which they
applied and the Directive did not ensure the “irreversible destruction” of the data
at the end of the data retention period (paras 66-67).
(i)
The Directive did not require that the data be retained within the EU, contrary
to the requirement of Article 8(3) of the EU Charter that compliance with the
data protection rules envisaged in Article 8 be controlled by an independent
authority (para 68).
Consequences of Digital Rights Ireland
5.69.
The precise boundaries of the judgment will not be established for some time. Some
have construed it as an attack on the whole notion of bulk data retention.89 From
another perspective, the UK Government has suggested to me that the CJEU did not
hear detailed argument on some of the requirements that it referred to in its judgment;
and that it is not entirely clear whether each of the grounds summarised at 5.68 above
would have been sufficient to invalidate the Data Retention Directive, or whether it is
only their cumulative effect that did so.
Dutch case
5.70.
The District Court of the Hague, in judgment of March 2015, recently struck down the
Dutch data retention legislation.90 The judgment is of course not binding in the UK.
But as an interpretation by a national court of the CJEU’s binding Digital Rights Ireland
judgment, it deserves careful study.
5.71.
Although the Dutch law was described as “autonomous legislation that should be
assessed on its own merits”, it was subject to the constraints of the EU Charter, as
interpreted in Digital Rights Ireland, because Member States which legislate for data
retention are both implementing the e-Privacy Directive and restricting the free
movement of services. The same conclusion is likely in the UK context.91
5.72.
The District Court rendered the Dutch law inoperable, notwithstanding the State’s
unchallenged submissions that “the detection of certain types of crimes rely almost
exclusively on the use of historical telecommunication data” and that “some of its
89
90
91
See F. Fabbrini, “Human Rights in the Digital Age. The European Court of Justice Ruling in the Data
Retention Case and its Lessons for Privacy and Surveillance in the US”, (2014) Tilburg Law School
Legal Studies Research Paper Series (15), para 24: “De facto it rules out anything short of
individualised, court-approved, requests by national security and law enforcement authorities to collect
and use meta-data generated in electronic communications for specific searches.” See also the extrajudicial comments of the juge rapporteur (the member of the CJEU responsible for preparing the
judgment), Thomas von Danwitz, in an interview with the Süddeutsche Zeitung on 17 September 2014:
“Q. So would the general retention of communications data without cause no longer be admissible
following the ruling? A. That is certainly the essence of the ruling, and so a provision introducing a
general obligation to retain, without any grounds for suspicion, would be problematic.”
NL:RBDHA:2015:2498, District Court of the Hague, 11 March 2015, Case no. C/09/480009/KG/ZA
14/1575 (unofficial translation by Anna Berlee for the Interdisciplinary Internet Institute). Other national
data retention laws have also been annulled since the Digital Rights Ireland judgment: see 8.56-8.57
below.
The notion of a “UK opt-out” from the EU Charter was always a misconception. See my written
evidence to the EU Scrutiny Committee in January 2014, at paras 5-10:
http://data.parliament.uk/writtenevidence/committeeevidence.svc/evidencedocument/europeanscrutiny-committee/the-application-of-the-eu-charter-of-fundamental-rights-in-the-uk/written/4922.html.
88