European Court of Justice strikes blow for data rights

Analysis: Irish court challenge central to ECJ decision on EU data retention directive

It’s appropriate that an Irish court challenge was central to the far-reaching decision yesterday by Europe’s top court that the EU data retention directive is invalid. It is, said the court, a too-onerous form of mass surveillance, and a violation of Europeans’ human rights and personal privacy.

For over a decade, Ireland’s approach to storing call and location data on its citizens has exemplified the many serious concerns that led the European Court of Justice to declare the directive “entails a wide-ranging and particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data”.

Ireland’s road to data retention – with the first laws enacted in advance of the EU directive – began with a story published in this paper in 2001 that revealed Irish telecommunications providers had been retaining citizens’ call data for up to six years. On request, those data were also made available to the Garda.

That disclosure set in train an immediate challenge by the Data Protection Commissioner’s Office to the Irish government to provide appropriate legislation for the retention and handling of such data.

Government manoeuvring on the issue led to formal data retention being enacted via a last-minute amendment to another piece of legislation before a near-empty Dáil.


Vague guidelines
The resulting legislation was criticised for its vague guidelines, its long retention periods, and too-open provisions that could allow gardaí to request call data on, say, an individual cited for cycling at night without a light. The government had insisted data requests would only ever be used for the most serious crime and terrorism offences.

Meanwhile, an EU-level push was under way to introduce a data retention directive that would, supposedly, bring consistency to the widely varying data retention regimes across EU states.

When the directive was introduced, it was deeply controversial. It offered a reason to redo Irish legislation, though one of the only improvements, as far as privacy advocates were concerned, was that the EU directive forced Ireland to substantially reduce retention time periods (Ireland still chose the maximum allowed under the new option of six to 24 months, a time spread now criticised by the ECJ for arbitrariness).

Because the directive was so contentious, observers always predicted a court challenge would come. In the end, Ireland led the way with a constitutional challenge against the State, referred on to the ECJ by the High Court.

A handful of individuals in the small Irish digital privacy group Digital Rights Ireland thus took on not just the State, but Europe itself on this issue. In so doing, they proved what they and dozens of other privacy and human rights advocates had argued for years.

First, that data retention as presented in the directive was incompatible at numerous points with European data protection and communication privacy legislation, as well as protections guaranteed by the European Convention on Human Rights. The ECJ ruled the directive “entails an interference with the fundamental rights of practically the entire European population”.


Major implications
The court particularly noted that – contrary to arguments made by successive ministers for justice and governments here – it doesn't matter that "just" the metadata, or information about a call, is retained rather than the contents of a call, text or email. "Those data, taken as a whole, may provide very precise information on the private lives of the persons whose data are retained," the court said, a statement that has major implications for our fast-developing era of "Big Data" and the way in which governments and businesses handle, and combine, databases.

Hence, “the directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data.”

The court resoundingly damned the directive for being too broad, too poorly managed, too piecemeal and varied across EU states, and too intrusive – in short, it is not “proportionate” to the stated goal of solving and preventing serious crime.

Future legislation needs to be more precise, with reduced periods of retention and better oversight. It cannot operate on the current basis, that everyone is potentially guilty – thus justifying the gathering of sensitive information on every man, woman and child – until proven innocent.

In light of the ongoing Garda taping scandal, Irish citizens may especially welcome the court’s finding that “the directive does not provide for sufficient safeguards to ensure effective protection of the data against the risk of abuse and against any unlawful access and use of the data”. Notably, the Government and Garda consistently defended the introduction of data retention here on the grounds that it would be administered as carefully and respectfully as phone taping legislation.


Swift action
European officials will meet at the end of this week to consider what happens next. Expect swift action to re-legislate for retention to address the ECJ's findings. However, much is set to change. Citizens and businesses should have greater safeguards on sensitive data. EU data must be held and managed in the EU – clearly a legacy of Edward Snowden's revelations.

And businesses and governments must begin to grapple with balancing Big Data with privacy protections. As the EU also considers strengthening data protection laws this year, Europe shows every indication of setting the world’s future, de-facto data handling standard.