Judgment Approved by the court for handing down.
Davis & Ors v SSHD
the legal order of the EU, without such an interference being precisely circumscribed
by provisions to ensure that it is actually limited to what is strictly necessary.
68.
Moreover, as far as concerns the rules relating to the security and protection of data
retained by providers of publicly available electronic communications services or of
public communications networks, it must be held that Directive 2006/24 does not
provide for sufficient safeguards, as required by Article 8 of the Charter, to ensure
effective protection of the data retained against the risk of abuse and against any
unlawful access and use of that data. In the first place, Article 7 of Directive 2006/24
does not lay down rules which are specific and adapted to (i) the vast quantity of data
whose retention is required by that directive, (ii) the sensitive nature of that data and
(iii) the risk of unlawful access to that data, rules which would serve, in particular, to
govern the protection and security of the data in question in a clear and strict manner
in order to ensure their full integrity and confidentiality. Furthermore, a specific
obligation on Member States to establish such rules has also not been laid down.
69.
Article 7 of Directive 2006/24, read in conjunction with Article 4(1) of Directive
2002/58 and the second subparagraph of Article 17(1) of Directive 95/46, does not
ensure that a particularly high level of protection and security is applied by those
providers by means of technical and organisational measures, but permits those
providers in particular to have regard to economic considerations when determining
the level of security which they apply, as regards the costs of implementing security
measures. In particular, Directive 2006/24 does not ensure the irreversible destruction
of the data at the end of the data retention period.
70.
In the second place, it should be added that that directive does not require the data in
question to be retained within the European Union, with the result that it cannot be
held that the control, explicitly required by Article 8(3) of the Charter, by an
independent authority of compliance with the requirements of protection and security,
as referred to in the two previous paragraphs, is fully ensured. Such a control, carried
out on the basis of EU law, is an essential component of the protection of individuals
with regard to the processing of personal data (see, to that effect, Case C 614/10
Commission v Austria EU:C:2012:631, paragraph 37).
71.
Having regard to all the foregoing considerations, it must be held that, by adopting
Directive 2006/24, the EU legislature has exceeded the limits imposed by compliance
with the principle of proportionality in the light of Articles 7, 8 and 52(1) of the
Charter.
72.
In those circumstances, there is no need to examine the validity of Directive 2006/24
in the light of Article 11 of the Charter.
73.
Consequently, the answer to the second question, parts (b) to (d), in Case C 293/12
and the first question in Case C 594/12 is that Directive 2006/24 is invalid.