According to an influential legal opinion in the European Court of Justice, the Directive breaches privacy rights and should be replaced with a new law.
The Court of Justice of the European Union is considering whether the European law about collecting and storing communications data (information about our communications) is compatible with the European Chater of Fundamental Rights. For background on this case, see our post from yesterday.
In an opinion published this morning (which you can read in full), the Advocate General (AG) concluded:
I propose that the Court should answer the questions referred by the High Court in Case C 293/12 and the Verfassungsgerichtshof in Case C 594/12 as follows:
(1)Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC is as a whole incompatible with Article 52(1) of the Charter of Fundamental Rights of the European Union, since the limitations on the exercise of fundamental rights which that directive contains because of the obligation to retain data which it imposes are not accompanied by the necessary principles for governing the guarantees needed to regulate access to the data and their use.
(2)Article 6 of Directive 2006/24 is incompatible with Articles 7 and 52(1) of the Charter of Fundamental Rights of the European Union in that it requires Member States to ensure that the data specified in Article 5 of that directive are retained for a period whose upper limit is set at two years.
An AG opinion is an important indication of how the Court will rule in its final judgment.
It looks like there are three main take aways from this opinion. First, he says that the Directive does not define rules about access to the communications data, but it should because it covers the collection of and access to such detailed personal information. Second, he concludes that the period of time (2 years) that government's may require data to be retained is too long and not supported by evidence. From the press release:
...the Advocate General has not found, in the various views submitted to the Court of Justice defending the proportionality of the data retention period, any sufficient justification for not limiting the data retention period to be established by the Member States to less than one year.
Third, the AG says that there needs to be a new law that rectifies these issues, but adds that the current Directive can continue until that new law is agreed.
EDRi (which Digital Rights Ireland is a member of) say in their press release that this is a major blow to the European Commission who have consistently failed to recognise faults with the Directive, even where those faults were detailed in its own review of the evidence of Member State's implementation.
EDRi also note that the Commission took legal action against countries who had not implemented the Directive - and EDRi are calling for the Commission to pay back finanacial penalties imposed on those contries as a result. Read more of EDRi's reaction on their website.
It's also worth reading the reaction from Simon McGarr, of McGarr Solicitors who represented Digital Rights Ireland in this case.
The Court's press release, which summarises the opinion, is available as a pdf from their website.