Today, the European Court of Justice issued its judgment in the case Ireland v. the European Parliament and Council. The Court concludes that the Data Retention Directive (2006/24/EC) relates predominately to the functioning of the internal market, so it was necessary to adopt it on the basis of Article 95 EC Treaty.
The Court makes clear at the outset that its judgment concerns not the question whether the Directive violates fundamental rights such as the right to privacy. It bases its judgment about the appropriateness of the legal base on three arguments, each of which seems enough (for the Court) to come to that conclusion:
There were differences between member states in the obligations on communications providers to retain data. These differences would have a direct impact on the functioning of the internal market.
The Directive amends 2002/58/EC which is also based on Article 95 EC. Article 47 EU Treaty (the relative primacy of Community law over third pillar) then implies that it should have been based on Article 95.
The Directive limits itself to the activities of communications providers. It does not regulate access to data or the use thereof by the police or judicial authorities of the Member States.
It’s not too hard to comment on the ruling because I am not very impressed by its logic. Since I have already commented on some of the main arguments, which are informed by the Opinion of the Advocate General, I will restrict myself to one main point, that is the implications of this ruling for the question whether the directive is a violation of fundamental rights.
Although it is true that the Court was not asked directly to rule on the interference of blanket data retention with fundamental rights, the Court’s complete separation of that issue from this case is striking. In fact, Slovakia directly claimed the Directive could only be a third pillar measure because the interference could only be argued to be proportional in view of the fight against crime and terrorism.
It is questionable whether such far-reaching interference may be justified on economic grounds, in this case the enhanced functioning of the internal market. The adoption of an act outside the scope of Community competence, the primary and undisguised purpose of which is the fight against crime and terrorism, would be a more appropriate solution, providing a more proportionate justification for interference with the right of individuals to protection of their privacy.
The Court decides to separate these issues. The Commission had stated that “the reference to the investigation, detection and prosecution of serious crime falls under Community law because it serves to indicate the legitimate objective of the restrictions imposed by that directive on the rights of individuals with regard to data protection.” The Court does not address this specific question explicitly but states that “the action brought by Ireland relates solely to the choice of legal basis and not to any possible infringement of fundamental rights arising from interference with the exercise of the right to privacy contained in Directive 2006/24.” Implicitly, it seems to agree with the Commission and the AG (who had adopted the Commission’s position on this matter).
If we combine this argument with the Court’s conclusion that the directive is not about access to the data, the result is striking. The references to the investigation, detection and prosecution of serious crime in the directive no longer serves as a restriction with regard to the purposes of the retained data but merely as an indication that national law can legitimately retain these data for that purpose. Hence the directive does not obligate the member states to restrict lawful access to certain cases, but it also does not obligate them to provide access in certain cases. The preliminary ruling of the German Constitutional Court is thereby legal under European law.
However, it is clear that merely giving an indication of the purpose of an interference is not enough to respect the proportionality and subsidiarity required by Article 8 ECHR. Interferences need to be narrowly targeted. Thus access to the data need to be restricted in some manner, depending on the line that is drawn as a result of this test. The lack of access restrictions in the directive moves the burden to establish the proportionality and subsidiarity entirely to the member states. In my opinion this significantly weakens the already weak case for the proportionality and subsidiarity of the European legislature’s interference with fundamental rights through the enactment of the Directive.