subscriber or registered user being informed is likely to generate in the persons concerned a
feeling that their private lives are the subject of constant surveillance.
The Court then examines whether such an interference with the fundamental rights at issue is
justified.
It states that the retention of data required by the directive is not such as to adversely affect
the essence of the fundamental rights to respect for private life and to the protection of
personal data. The directive does not permit the acquisition of knowledge of the content of the
electronic communications as such and provides that service or network providers must respect
certain principles of data protection and data security.
Furthermore, the retention of data for the purpose of their possible transmission to the
competent national authorities genuinely satisfies an objective of general interest, namely the
fight against serious crime and, ultimately, public security.
However, the Court is of the opinion that, by adopting the Data Retention Directive, the EU
legislature has exceeded the limits imposed by compliance with the principle of
proportionality.
In that context, the Court observes that, in view of the important role played by the protection of
personal data in the light of the fundamental right to respect for private life and the extent and
seriousness of the interference with that right caused by the directive, the EU legislature’s
discretion is reduced, with the result that review of that discretion should be strict.
Although the retention of data required by the directive may be considered to be appropriate for
attaining the objective pursued by it, the wide-ranging and particularly serious interference of
the directive with the fundamental rights at issue is not sufficiently circumscribed to ensure
that that interference is actually limited to what is strictly necessary.
Firstly, the directive covers, in a generalised manner, all individuals, all means of electronic
communication and all traffic data without any differentiation, limitation or exception being
made in the light of the objective of fighting against serious crime.
Secondly, the directive fails to lay down any objective criterion which would ensure that the
competent national authorities have access to the data and can use them only for the purposes of
prevention, detection or criminal prosecutions concerning offences that, in view of the extent and
seriousness of the interference with the fundamental rights in question, may be considered to be
sufficiently serious to justify such an interference. On the contrary, the directive simply refers in a
general manner to ‘serious crime’ as defined by each Member State in its national law. In addition,
the directive does not lay down substantive and procedural conditions under which the competent
national authorities may have access to the data and subsequently use them. In particular, the
access to the data is not made dependent on the prior review by a court or by an independent
administrative body.
Thirdly, so far as concerns the data retention period, the directive imposes a period of at least six
months, without making any distinction between the categories of data on the basis of the persons
concerned or the possible usefulness of the data in relation to the objective pursued. Furthermore,
that period is set at between a minimum of six months and a maximum of 24 months, but the
directive does not state the objective criteria on the basis of which the period of retention must be
determined in order to ensure that it is limited to what is strictly necessary.
The Court also finds that the directive does not provide for sufficient safeguards to ensure effective
protection of the data against the risk of abuse and against any unlawful access and use of the
data. It notes, inter alia, that the directive permits service providers to have regard to economic
considerations when determining the level of security which they apply (particularly as regards the
costs of implementing security measures) and that it does not ensure the irreversible destruction of
the data at the end of their retention period.
www.curia.europa.eu