EU – Data Retention Directive invalidated

On 8 April 2014, the Court of Justice of the European Union (the "CJEU") declared invalid the Directive 2006/24/EC of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks (the "Data Retention Directive").

The Data Retention Directive required telecom operators to store a certain number of data necessary to trace and identify the source of an Internet or telephone communication and its destination (e.g. date, time, duration, type of communication, traffic data, IP addresses, etc.) for between six months to two years and to make them available in the case of an investigation, detection or prosecution of serious crime by a public authority.
The Directive was adopted in the aftermath of the terrorist attacks in Madrid in 2004 and in London in 2005 in order to harmonise the European efforts to prevent, investigate, detect and prosecute, in particular, organised crime and terrorism.

The Data Retention Directive was challenged by the High Court of Ireland and the Austrian Constitutional Court, before the CJEU on the grounds of infringement of the right to private life and the right to the protection of personal data, as guaranteed by the Charter of Fundamental Rights of the European Union.

The CJEU observed that the retained data may provide very precise information on the private life of the persons whose data are retained, such as places of residence, daily habits or information regarding their social relationships and their social environment.

For the CJEU, "by requiring the retention of those data and by allowing the competent national authorities to access those data, the directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data".

This decision will for sure indirectly impact EU Member States national measures based on the Data Retention Directive.

Luxembourg Minister of Justice Félix Braz announced after the ruling in his statement dated 26 September 2014 that Luxembourg legislation has to be adapted with respect to the CJEU requirements, especially regarding:

-issues related to access to data by judicial authorities and to the definition of serious crime;

-the introduction of an obligation of irretrievable destruction of the collected data after the retention period; and

-the increase of the security measures regarding the collected data by the telecom operators.

Accordingly, a draft law modifying the Luxembourg Criminal Procedure Code and the Act of 30 May 2005 laying down specific provisions for the protection of persons with regard to the processing of personal data in the electronic communications sector as amended, was proposed to the Luxembourg Chamber of Deputies on 7 January 2015 by the Ministry of Justice.