Author: Paulius Galubickas, attorney-at-law, patent consultant at METIDA
Under this directive and the national laws implementing it, telephone, Internet and other electronic communications service providers must protect free of charge the so-called meta-data about their customers for a certain period of time, as well as provide them to the competent law enforcement authorities in the fight against serious crime and for public safety purposes. From the so-called meta-data, which encompasses data traffic, location and other relevant data, it is very easy to determine who a person phoned to, how often certain numbers were dialled, how long the calls lasted, where the phone calls were made, what webpages were visited and etc. In Lithuania telephone and Internet providers are currently required to protect such data for six months. In other EU countries the protection of such data can take up to 24 months.
The Court of Justice acknowledged that the collection of such data is a serious infringement of the fundamental human rights to privacy and protection of personal data, therefore, it is disproportionate and breaches the EU law. This data collection can make one feel that she or he is constantly followed, as it can show a person’s life habits, living and visiting places, daily movements, activities, social relations and other personal information.
The Court of Justice held that although the retention of data required by the directive may be regarded beneficial for attaining the objective pursued by it, the large-scale and serious interference of the directive with the fundamental human rights has not been sufficiently circumscribed to ensure that this restriction does not go beyond what is strictly necessary.
First of all, the directive generally applies to all individuals, all electronic means of communication and the traffic of data without differentiation among them, without any limitations or exceptions subject to the fight against serious crime.
Secondly, the directive does not have any objective criterion which could ensure that competent national authorities have access to the data as well as the opportunity to use them for crime prevention, investigation, detection and prosecution of serious crime that in view of the extent and seriousness of the interference with the fundamental rights in question, may be considered to be serious enough to justify such an interference . In contrast, the directive only generally refers to ‘serious crime‘ which is defined by each member state’s national law. In addition, the directive does not ensure substantive and procedural conditions for the competent national authorities to access the data and use it later. Among other things, the access to the data is not linked to the control of a prior judicial or independent administrative body.
Thirdly, the directive imposes at least a six-month data protection period without differentiating it by the categories of data, its subjects or the expected data utility to the intended purpose. In addition, the directive, where the protection period is set between six and 24 months, does not anticipate the objective criteria that would help to determine which period of retention should be chosen. These criteria could help to ensure that the protection period does not exceed what is strictly necessary.
In addition, the Court of Justice held that the directive does not provide sufficient guarantees ensuring the effective data protection against misuse as well as any unauthorised access to the data and the risk of its illegal use. The court also states that the directive allows service providers to take into account the economic considerations applied to the determination of the level of security (particularly, in relation to the cost of implementing security measures) and it does not guarantee that at the end of the protection period the data will be irreversibly destroyed.
Several years ago the German Constitutional Court has also recognised that such data collection and retention are against the German constitutional law, and thus Germany still has not fully transposed this directive into the national law.
With this decision the EU Court of Justice has dispelled any doubts regarding the legitimacy of the management of data traffic and concluded that this kind of practice is illegal. The EU member states’ legislators will have to withdraw electronic service providers’ obligation to protect the traffic data for some time or will have to find another legal basis justifying such practice.