Digital Rights Ireland as an Opportunity to Foster a Desirable Approximation of Data Retention Provisions
| Published date | 01 June 2016 |
| DOI | 10.1177/1023263X1602300305 |
| Author | Francesca Galli |
| Date | 01 June 2016 |
| Subject Matter | Article |
460 23 MJ 3 (2016)
DIGITAL RIGHTS IRELAND
AS AN OPPORTUNITY TO FOSTER
A DESIRABLE APPROXIMATION
OF DATA RETENTION PROVISIONS
F G*
ABSTRACT
Directive 2006/24/EC sets out data retention rule s and is a useful tool for the investigation,
detection and prosecution of seriou s crimes. e implementation process has been c omplex
mainly due to concerns about data privacy rights, and led to ‘patchwork’ approximation
of data retention provisions within the EU. e CJEU’s ruling in Digital Rights Ireland
eventually invalidated the Directive so that EU policy makers must urgently reinvent
the entire framework. In this context, this article argues that approximation is the most
desirable policy option to ensure a balance between enhancing security and safeguarding
data privacy rights, and assesses what form the new instrument could take. It explores
selected factors that are likely to in uence the policy design: unresolved issues at the time
the Directive was negotiated; interplay between national/EU data retention frameworks;
CJEU’s stringent requirements set out in Digital Rights Ireland and Schrems; current
progress of the Data Protection Package.
Keywords: approximation; data priv acy rights; data retention; law enforcement
§1. INTRODUCTION
Discussions on the need to adopt common data retention provisions began well before
the issue of security was heightened pursuant to the terrorist attacks of 11September
2001. However the idea of using data collected by telecommunication services and
internet service providers (ISPs) for law enforcement purposes became a priority only
* Assistant Professor, Department of International and European Law, Facult y of Law, Maastricht
University, Maastr icht, the Netherland s.
Digital Right s Ireland as an Opport unity to Foster
a Desirable Approxi mation of Data Retention Provi sions
23 MJ 3 (2016) 461
a er the terrorist bombings in Madrid in 2004 a nd in London in 2005. It was t hen that
it became clear that telecommunications played a large role in the preparation of the
attacks, whereas law enforcement authoritie s had limited access to usefu l data to establish
records of transact ions and communications between and t he movement of individuals.1
e rst step towards t he establishment of a harmonized data retention framework
within the EU was Directive 2006/24/EC (the Data Retention Directive).2 Grounded on
ex Article95 TEC (now Article114 TFEU),3 the Direct ive required providers of publicly
available ele ctronic communications services or of public commu nications networks to
retain t ra c a nd location data, as well as related data necessa ry to identify the subscrib er
or user4 to ensure that such data i s available for the purpose of the invest igation, detection
and prosecution of serious crime (a concept de ned in national law).5
Data retention can be regarded as an exception to the right to privacy and to the
protection of personal data (data privacy rights). ose rights stipulate t hat personal data
can only be collected and retained for speci c stated purposes and with the concerned
individual’s consent according to Articles 7 and 8 of the EU Charter of Fundamental
Rights and Freedoms (EU Charter). Further use of the data is also subject to speci c
requirements.
e predecessor to the Data Retention Directive, the Directive on Privacy and
Electronic Communications (e-Privacy Directive)6 requires tra c and location data
to be erased or made anonymous by service providers when no longer needed for
the transmission of a communication but still needed for billing or interconnection
payments (Articles5, 6 and 9 e-Privacy Di rective). Member States are still able to restrict
this requirement (and thus require telecommunication companies to retain tra c and
location data) where necessary, appropriate and proportionate for speci c purposes,
including safeguarding national security, and preventing, investigating, detecting or
prosecuting criminal o ences (Article15 e-Privacy Direc tive).7
e implementation of the Data Retention Directive proved complex because the data
retention framework it entailed was vague and potentially i n con ict with data privacy
1 See Council of t he European Union, Declaration on C ombating Terrorism, 25March 20 04, 7906/04;
Council of the Eu ropean Union, Decla ration on the EU respons e to the London bombings, 13July 20 05,
11158/1/05 Rev 1.
2 Directive 20 06/24/EC on the retent ion of data generated or processe d in connection wit h the provision
of publicly availa ble electronic commun ications serv ices or of public communicat ions networks, [2006]
OJ L 105/54.
3 Proposal for a di rective on the retention of data proc essed in connection wit h the provision of public
electronic com munication servic es, COM(2005) 438 nal.
4 As de ned i n Directive 2006/2 4/EC, Article2 .
5 R. Panetta, ‘ e nee d for harmonized data retent ion regulation’, 15 E-Commerce Law & Poli cy (2013),
p.15.
6 Directive 20 02/58/EC concerning the proc essing of personal data a nd the protection of privac y in the
electronic commu nications sector, [2002] OJ L 201/37.
7 National data rete ntion provisions must sti ll comply with the pre -existing Di rective 2002/58/EC a nd in
particu lar with Art icle15 once the Data Retention Direc tive has been considered i nvalid.
To continue reading
Request your trial