Back to square one on data retention

But data retention is likely to return - in a carefully revised form

It's official: the EU data retention directive has been declared invalid by Europe's highest court this week, after Irish privacy advocates, Digital Rights Ireland, represented by McGarr Solicitors, took its case against the State to the European Court of Justice (ECJ).

Challenging a directive that privacy advocates always felt ran contrary to the communications data, human rights and privacy protections given under European law to EU citizens has been a very long battle. Ultimately, these were precisely the concerns on which the ECJ ruled that the directive was incompatible with EU law.

The court did not reject the notion of data retention in full, but rather the implementation in the directive. That means retention is likely to return in some carefully revised form. The EU will not wish to have to keep re-legislating on the issue, with all the political and legal battles that would entail.

At the same time, the court has, in the ruling, given views on what it expects, views that will have important and significant knock-on effects for how businesses and other data handlers such as government departments must operate.


Close relationship
That's because – as the ruling itself makes clear – data retention and data protection have a close relationship. Just as existing EU data and privacy protection law is cited at great length as the context for considering the now-overturned 2006 data retention directive, the details of this ruling on retention are likely to influence views on data protection.

This is especially significant as the EU considers fresh legislation this year to replace the bloc’s increasingly creaky data protection directive, which dates back to an almost pre-web 1995 and has scant application to many of today’s internet and computer-focused concerns on privacy.

While the European Commission formally responded to the news with a bland press release, the commissioner behind the proposed new data protection regulation, Viviane Reding, tweeted in a way that showed exactly where she stood.

“#CJEU confirms: #security not a ‘super right’ overruling the protection of personal data. #EUDataP” read one. Another ran: “#EU citizens + #EU Charter of Fundamental Rights win. Guaranteeing security + respecting #dataProtection must go hand in hand. #dataRetention.”

Several elements of the decision have direct relevance to businesses. Telecoms operators will welcome the decision, as the directive had placed additional costs, responsibilities, and storage and management burdens on them. In Ireland, unlike many other jurisdictions, the Government chose to place all data retention management costs on phone companies and ISPs.


Big data
Companies in big data and cloud computing will be looking closely at the ruling. The ECJ expresses specific concern about how even data about data – metadata – can be revealing of a person's identity, movements, daily activities and interests, and so must be handled with due regard.

The court argues too that data on Europeans, gathered for any retention programme, must remain in Europe, under EU laws and protections. Not, in other words, stored in the cloud if this means, as it usually does, that it might be moved around the world. Such data also may not be outsourced to third parties such as (it is implied) US multinationals, which might place EU data in US-based server farms, subject to US surveillance practices as revealed by Edward Snowden.

This would seem to raise a more general question about where data generated in the EU by companies should be stored, especially as, right now, data held for data retention purposes is actually managed by the same companies that provide internet and phone connections.

Initially this data forms the transaction and activity records that comprise basic account and billing information. What are the implications for the internet of things, when our net-connected car or bicycle or watch also generates location and communications data? Who stores and manages it, and will it be subject to data retention?

The ruling certainly introduces more questions for business and society than it answers, but they are issues that need to be more openly recognised, discussed and, if needed, legislated for.