The EDPS welcomes the ruling of the Court of Justice of the EU in Digital Rights Ireland and Seitlinger and Others (Joined cases C-293/12, C-594/12) on the invalidity of the Data Retention Directive (Directive 2006/24/EC). It follows the input given by the EDPS in these proceedings.
We consider this a landmark judgment that limits the blanket government surveillance of communications data (telephone, texts, email, internet connections etc.) permitted under the Directive. It highlights the value placed on the protection of fundamental rights at the core of EU policy in this critical area.
We are particularly satisfied that the Court has underlined that the Data Retention Directive constitutes a serious and unjustified interference with the fundamental right to privacy enshrined in Article 7 of the EU Charter of Fundamental Rights. When an act imposes obligations which constitute such interference, the EU legislature should provide for the necessary guarantees rather than leaving this responsibility to the member states.
We are pleased that the Court has ruled that the retention of communications data should have been duly specified and the EU legislator should also have ensured that such data can only be used in very specific contexts.
The retention of communications data for the purposes of the combat of crime should always be precisely defined and clearly limited. The EU cannot leave the full responsibility for the use of the data with the member states.
Among other things, the concept of serious crimes should have been more precisely described in the Directive and at the very least, basic principles governing access to and the use of the retained data should have been set out.
We anticipate that the Commission, taking into account the Court's judgment, will now reflect on the need for a new Directive, which will also prevent member states from keeping or imposing the same legal obligations nationally as laid out in the now invalid Data Retention Directive.
The judgment also means that the EU should take a firm position in discussions with third countries, particularly the U.S.A. on the access and use of communications data of EU residents.
The European Data Protection Supervisor (EDPS) is an independent supervisory authority devoted to protecting personal data and privacy and promoting good practice in the EU institutions and bodies. He does so by: