About Data Protection: When the Retention becomes unlawful05 gennaio 2017 -
di Federica Pezza
Today’s ECJ ruling in Joined Cases C-203/15 and C-698/15 on the validity of UK and Swedish national rules on data retention under EU law, represents a milestone for data protection in EU.
The set of rules was the expression of a general obligation of data retention, required by the Directive 2006/24/EC. However, the same Court in 2014 in the Digital Rights Ireland ruling, decided for the invalidity of the Directive. As a result, two references were made to the ECJ concerning these national provisions. More specifically, according to the contested UK rules, the Secretary of State was able to require public telecommunication operators the retention of users’ data, for a period of 12 months and with the exclusion of their contents. Differently, Swedish law stretched these limits, requiring the providers “to retain systematically and continuously and with no exceptions all the data of their users with respect to all means of electronic communication”.
The main question was whether similar rules, imposing a general obligation to retain data on the providers and granting access to national authorities, were compliant with EU law and, in particular, the Directive 2002/58/EC on privacy and electronic communication and the Charter of Fundamental Rights of the European Union. The answer to this question is pretty clear: EU law “precludes any national rule prescribing general and indiscriminate retention of data”.
But what does “general and indiscriminate retention of data” mean?
According to “settled case law” and namely, to the above mentioned Digital Rights judgement of 2014,“derogations should apply only in so far as is strictly necessary”. Quite interestingly, the Court applied the same principle in another significant case last year, when ruling on Facebook Ireland and the transfer of some of its users data to servers located in the US. In the proceedings, initiated by Maximillian Schrems , the Court, having to decide whether the US safe harbor provisions were “adequate” under Directive 95/46 , ruled out their validity, expressly referring to the principles laid down in Digital Rights.
Specifically, there are two main points to be stressed in the reasoning of the Court.On one side, it assessed that “to establish the relevance of the violation it does not matter the nature of the data concerned”. This is because this data allows “very precise conclusions to be drawn concerning the private life of the persons concerned”. Thus,” the interference in the fundamental rights enshrined in Art and 8 of the Charter is very far reaching and must be considered to be particularly serious”. Secondly, the ECJ pointed out that “protection of fundamental right to respect for private life requires derogations and limitations to apply only in so far as it is strictly necessary”. As a result, legislation permitting public authorities to have access “on a generalized basis” to the content of electronic communication, without an “objective criterion” by which to determinate the limits of the access and the specific purposes, must be regarded as not compliant with EU law.
Altri Articoli della categoriaArchivio
- 22 luglio 2017 -Narrative perspectives in the field of probation
- 14 luglio 2017 -La sentenza n. 164/2017 della Corte Costituzionale sulla responsabilità civile dei magistrati
- 07 luglio 2017 -L’Araba Fenice riappare in Sicilia: la responsabilità civile dello Stato - giustizia e una sua recente applicazione ad opera del Tribunale di Messina
- 05 luglio 2017 -La diffusione dei servizi di cloud, tra digital divide e normativa sulla protezione dei dati personali: criticità e prospettive
- 28 giugno 2017 -St. Lawrence Communication v. Vodafone: the German Courts in an interesting case of application of the Huawei/ZTE teachings