‘Mind your step’ – Repeal looms large in Europe for attempts to legalise invalid legislation

Last year, many thought data retention legislation across Europe would withdraw quietly into the history books. In April, the Data Retention Directive (2006/24/EC) was declared invalid by Europe’s highest court (the CJEU) – based on its finding that the duration of its retention period provision went beyond what was strictly necessary, and thus infringed, fundamental privacy rights. Since then, however, some EU Member States have sought to retain existing data retention laws or enact new laws under different guises.

The Netherlands is one such country. An evaluation of the legality of its new data retention law (in particular, its conformity with the EU Charter of Fundamental Rights) is currently pending in front of the District Court of the Hague and will be heard on 18th February. The law requires internet and telecommunications companies to retain their subscriber traffic metadata for six to 12 months, depending on the type of data, for investigatory purposes. Under previous Dutch law implementing the defunct Data Retention Directive, internet traffic data was required to be kept for one year at a minimum. Dutch campaign groups have challenged the new law on the basis that its retention period is still disproportionately long, consequently posing a serious interference with the fundamental rights to respect for the private life of internet users and the protection of their personal data, in breach of the DRI ruling.

For background, as Sophie mentioned in her recent post, the non-binding but influential Legal Service Opinion of the European Parliament on the CJEU data retention ruling in the Digital Rights Ireland (DRI) case – a leaked document recently published by civil liberties group ‘Access’ – states that EU Member States run a ‘higher risk’ of having their legislation annulled by national courts since the judgment. The Opinion evidences this by reference to countries such as Austria, Slovenia, and Romania where domestic data retention laws have been scrapped.

Other Member States will no doubt be watching the Dutch Court’s judgement carefully from the side-lines, including the UK where an application for judicial review of the new Data Retention and Investigatory Powers Act 2014 (DRIPA) is also pending.

Meanwhile, perhaps surprisingly in light of this on-going political ‘hot potato’, some non-EU governments in the wider European area appear to be formulating plans to expand their national data retention regimes. Examples include Switzerland, which, while not bound by the CJEU’s DRI decision, is still a party to the European Convention on Human Rights (ECHR), together with Kosovo (a potential candidate country to accession to the EU, who therefore has to think carefully about meeting EU legal standards).

Switzerland, which has had a data retention law in place over the last decade, is proposing to extend the retention period from six months to one year. If their government is successful in enacting this new law, will be interesting to see if the new Swiss law will end up being scrutinised by the European court of Human Rights in a few years’ time as the right to respect for private life is also found within the ECHR.

Alison Knight