Iscriviti al sito e alla newsletter di Filodiritto

Welcome kit in omaggio

ISCRIVITI

La pubblicazione di contributi, approfondimenti, articoli e in genere di tutte le opere dottrinarie e di commento (ivi comprese le news) presenti su Filodiritto è stata concessa (e richiesta) dai rispettivi autori, titolari di tutti i diritti morali e patrimoniali ai sensi della legge sul diritto d'autore e sui diritti connessi (Legge 633/1941). La riproduzione ed ogni altra forma di diffusione al pubblico delle predette opere (anche in parte), in difetto di autorizzazione dell'autore, è punita a norma degli articoli 171, 171-bis, 171-ter, 174-bis e 174-ter della menzionata Legge 633/1941. È consentito scaricare, prendere visione, estrarre copia o stampare i documenti pubblicati su Filodiritto nella sezione Dottrina per ragioni esclusivamente personali, a scopo informativo-culturale e non commerciale, esclusa ogni modifica o alterazione. Sono parimenti consentite le citazioni a titolo di cronaca, studio, critica o recensione, purché accompagnate dal nome dell'autore dell'articolo e dall'indicazione della fonte, ad esempio: Luca Martini, La discrezionalità del sanitario nella qualificazione di reato perseguibile d'ufficio ai fini dell'obbligo di referto ex. art 365 cod. pen., in "Filodiritto" (http://www.filodiritto.com), con relativo collegamento ipertestuale. Se l'autore non è altrimenti indicato i diritti sono di Inforomatica S.r.l. e la riproduzione è vietata senza il consenso esplicito della stessa. È sempre gradita la comunicazione del testo, telematico o cartaceo, ove è avvenuta la citazione.

About Data Protection: When the Retention becomes unlawful

05 gennaio 2017 -

di Federica Pezza

 

Today’s ECJ ruling in Joined Cases C-203/15 and C-698/15[1] on the validity of UK and Swedish national rules on data retention under EU law, represents a milestone for data protection in EU.

The set of rules was the expression of a general obligation of data retention, required by the Directive 2006/24/EC[2]. However, the same Court in 2014 in the Digital Rights Ireland ruling[3], decided for the invalidity of the Directive. As a result, two references were made to the ECJ concerning these national provisions. More specifically, according to the contested UK rules, the Secretary of State was able to require public telecommunication operators the retention of users’ data, for a period of 12 months and with the exclusion of their contents. Differently, Swedish law stretched these limits, requiring the providers “to retain systematically and continuously and with no exceptions all the data of their users with respect to all means of electronic communication”.

The main question was whether similar rules, imposing a general obligation to retain data on the providers and granting access to national authorities, were compliant with EU law and, in particular, the Directive 2002/58/EC on privacy and electronic communication[4] and the Charter of Fundamental Rights of the European Union[5]. The answer to this question is pretty clear:  EU law “precludes any national rule prescribing general and indiscriminate retention of data”.

But what does “general and indiscriminate retention of data” mean?

According to “settled case law” and namely, to the above mentioned Digital Rights judgement of 2014,“derogations should apply only in so far as is strictly necessary”[6]. Quite interestingly, the Court applied the same principle in another significant case last year, when ruling on Facebook Ireland and the transfer of some of its users data to servers located in the US.[7] In the proceedings, initiated by Maximillian Schrems , the Court, having to decide whether the US safe harbor provisions were “adequate” under Directive 95/46[8] ,  ruled out their validity, expressly referring to the principles laid down in Digital Rights[9].

Specifically, there are two main points to be stressed in the reasoning of the Court.On one side, it assessed that “to establish the relevance of the violation it does not matter the nature of the data concerned[10]. This is because this data allows “very precise conclusions to be drawn concerning the private life of the persons concerned”. Thus,” the interference in the fundamental rights enshrined in Art and 8 of the Charter is very far reaching and must be considered to be particularly serious”. Secondly, the ECJ pointed out that “protection of fundamental right to respect for private life requires derogations and limitations to apply only in so far as it is strictly necessary[11]. As a result, legislation permitting public authorities to have access “on a generalized basis” to the content of electronic communication, without an “objective criterion” by which to determinate the limits of the access and the specific purposes, must be regarded as not compliant with EU law.[12]

However, “Article 15(1) of Directive 2002/58, read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter, does not prevent a Member State from adopting legislation permitting, as a preventive measure, the targeted retention of traffic and location data, for the purpose of fighting serious crime, provided that the retention of data is limited, with respect to the categories of data to be retained, the means of communication affected, the persons concerned and the retention period adopted, to what is strictly necessary”.[13] In other words, four conditions have to be satisfied for a lawful retention: a) It has to provide for sufficient guarantees[14], c)  being based on objective evidence, d) and it has to clearly define the modalities and the circumstances under which the competent authorities are to be granted access to the data.[15] Finally, data is to be stored within the EU. A condition, the latter, which, deriving from the Schrems ruling, witnesses the inadequacy of non-EU legislations to promote the respect of private life and personal data, according to the EU Charter.

What’s next?

In the current situation, it is hard to anticipate what will be the future developments for data protection in Europe and elsewhere. New legal conflicts might follow on the validity of national and international laws, connected to innovative technologies; the same notion of authorised restriction might change. Recently, following the Schrems success, a class action has been initiated against Facebook from 25000 users all over the world. The Austrian supreme court[16] has now asked the CJEU to rule on the procedural validity of such a claim under EU law. A positive outcome could further modify the current EU legal framework.In other words, it is too early for conclusions to be drawn at this stage.Meanwhile, today’s ruling has to be read as further recognition of data protection relevance, raising awareness on the need of carefully shaping the limitations allowed, not only when coming to non-EU countries but also when considering EU national rules.

 

Redatto il 22 dicembre 2016



About

  • Contatti
  • Redazione
  • Pubblicità
  • Avvertenze
  • Privacy
  • Cookie

Newsletter

Rimani aggiornato sulle novità e gli articoli più interessanti della redazione di Filodiritto, inserisci la tua mail:

Iscriviti alla newsletter

© Filodiritto 2001-2017

Filodiritto è un marchio di InFOROmatica S.r.l.
P.Iva 02575961202
Direttore responsabile: Antonio Zama
Tribunale Bologna 24.07.2007,
n.7770 - ISSN 2239-7752

Sempre aggiornato

Scrivi la tua mail per ricevere le ultime novità, gli articoli e le informazioni su eventi e iniziative selezionati dalla redazione di Filodiritto.

*  Email:

Leggi l'informativa sulla privacy

Sede legale e amministrativa InFOROmatica S.r.l. - Via Castiglione 81, 40124 - Bologna
Tel. 051.98.43.125 - Fax 051.98.43.529

Credits webit.it