Data retention: what next?

Last week, we reported in Comet that the Data Retention Directive had been declared invalid by the European Court of Justice.

The purpose of the—now defunct—Directive was to harmonise Member States’ provisions on the retention of certain personal data, by telecoms companies in particular. The court decided that the way in which such data was collected had been seriously interfering with EU citizens' fundamental rights to respect for their private life and to the protection of their personal data.

Furthermore, the Court also decided that there were insufficient safeguards against the risk of abuse and against any unlawful access and use of data, including from outside of the EU. The retention of data ought to be for genuine reasons such as the fight against serious crime and terrorism. A sweeping, unconsidered trawl of data, of whatever kind, was a big no-no.

In other words, the EU had failed to find the proper balance between safeguarding security (ie fighting serious crime and terrorism) and protecting the private lives of its citizens. The court was demonstrably displeased. It showed its annoyance by invalidating the Directive from the date it came into force.

In effect, the Directive has never been. To quote George Orwell in 1984—a book that is so often referred to when opining on matters of privacy—it has been 'vaporised'.

So what next? Should the telecoms companies start taking hammers to all of their data storage kit?

Probably not.

As it happens, whilst the Directive has been 'vaporised', the regulations that implement it into UK law (the Data Retention (EC Directive) Regulations 2009) have seemingly avoided a similar fate—for now. The Regulations would still appear to be law but they rest on very shaky foundations indeed. Their days are numbered.

Perhaps a good place to understand where we may be is the interesting analysis set out in the LSE Media Policy Project blog: Messy Consequences for National Legislation following Annulment of EU Data Retention Directive.

In this post, Innocenzo Genna, a lawyer with plenty of experience in European regulation, asserts that the invalidation of the Directive does not mean that the national laws implementing it become automatically invalid; the European Court of Justice and the relevant treaties providing no clear guidance in this respect.

So what next, according to Mr Genna? He concludes:

Member States seem to have the alternative between: abrogating the entire national data retention legislation; or modify[ing] that legislation in order to meet the 'proportionality concern' of the court.

Perhaps not surprisingly, groups which fight for privacy have taken a more robust view. The Open Rights Group in its blog post ISPs and the Data Retentive Directive states that:

... these regulations no longer have a valid basis in UK law

I'm not so sure. 'Not having a valid basis' and 'being invalid' are two different things. Something may not have a valid basis but still have validity in law (eg until it is challenged in a national court). To be fair, I don't think that this takes us much further in understanding the practicalities of 'what now?'

Equally, Privacy International in its piece, The Data Retention Directive: Life after Death?, asserts:

In the United Kingdom, it appears that the legislation that implements the Directive … is rendered ultra vires as a result of the Court’s decision to invalidate the Directive. The power of the Secretary of State to pass the 2009 Regulations is conditional upon the existence of a valid EU Directive. Because the Court retroactively invalidated the Directive, the Secretary of State is retroactively deprived of the power to make the 2009 Regulations, meaning that the Regulations now lack legal effect

This position turns on very nuanced arguments of EU and UK constitutional law (the full details of which are understandably not set out in its blog). Indeed, so far as I am aware, this specific point has not been litigated in any EU or UK court. Accordingly, it would take a brave telecoms company to rely on this argument to cease collecting data on its customers.

Indeed, officials at the EU have stated that telecom providers in the 28 Member States will have to continue storing data according to those laws (see Grapevine Magazine: WSJ: EU top court strikes down data retention law) but they acknowledge that,

the EU court ruling opens the door to legal challenges against data collection in national courts

The European Commission has also stated in a FAQ published on the date of the judgment:

National legislation needs to be amended only with regard to aspects that become contrary to EU law after a judgment by the European Court of Justice. Furthermore, a finding of invalidity of the Directive does not cancel the ability for Member States under the e-Privacy Directive (2002/58/EC) to oblige retention of data

If I were a telecoms company, I would put the hammers away for the time being. The results of the Directive's invalidation are not as clear-cut as they would seem.

In conclusion, the EU and national governments still seem to be quite quiet on the ramifications of this judgment at the moment. The UK government hasn't really let us have its thinking on what happens next apart from the odd comment to news organisations that everything should continue as though nothing much has happened.

This is just a show. Like a swan which looks impossibly elegant above the waterline but the legs of which are wildly thrashing around underneath, the government will doubtless be spending a lot of time working out how it is going to comply with the new regime.

Expect a lot more on this over the next few months...
