This judgment has its origin in requests, made in national proceedings before the courts of Ireland and Austria, for a determination of the validity of Directive 2006/24/EC on the retention of data by reference to the fundamental rights to respect for private life and the protection of personal data. In Case C-293/12, proceedings were brought before the High Court (Ireland) by Digital Rights, a company, against the Irish authorities regarding the legality of national measures concerning the retention of data relating to electronic communications. In Case C-594/12, a number of constitutional cases came before the Verfassungsgerichtshof (Constitutional Court, Austria), in which annulment was sought of national legislation transposing Directive 2006/24/EC into Austrian law.
By their requests for a preliminary ruling, the Irish and Austrian courts referred questions to the Court of Justice about the validity of Directive 2006/24/EC in the light of Articles 7, 8 and 11 of the Charter. More specifically, the referring courts asked the Court of Justice whether the obligation which that directive places on providers of publicly available electronic communications or public communications networks to retain, for a certain period, data relating to a person’s private life and to his communications and to allow the competent national authorities to access those data entailed an unjustified interference with those fundamental rights. The types of data concerned include data necessary to trace and identify the source of a communication and its destination, to identify the date, time, duration and type of a communication, to identify users’ communication equipment, and to identify the location of mobile communication equipment, data which consist, inter alia, of the name and address of the subscriber or registered user, the calling telephone number, the number called and an IP address for internet services. Those data make it possible, in particular, to know the identity of the person with whom a subscriber or registered user has communicated and by what means, and to identify the time of the communication as well as the place from which that communication took place. They also make it possible to know the frequency of the communications of the subscriber or registered user with certain persons during a given period.
The Court, first of all, held that, by imposing such obligations on those providers, Directive 2006/24/EC constituted a particularly serious interference with the fundamental rights to respect for private life and the protection of personal data, guaranteed by Articles 7 and 8 of the Charter. In that context, the Court found that that interference may be justified where it pursues an objective of general interest, such as the fight against organised crime. The Court stated in that regard, in the first place, that the retention of data required by the directive was not such as to adversely affect the essence of the fundamental rights to respect for privacy and the protection of personal data, in so far as it did not permit the acquisition of knowledge of the content of the electronic communications as such and provided that providers of services or of networks must respect certain principles of data protection and data security. In the second place, the Court observed that the retention of data for possible transmission to the competent national authorities genuinely satisfied an objective of general interest, namely the fight against serious crime and, ultimately, public security (paragraphs 38-44).
However, the Court found that, by adopting the directive on data retention, the EU legislature had exceeded the limits imposed by compliance with the principle of proportionality. Accordingly, it declared the directive invalid, on the ground that the wide-ranging and particularly serious interference with fundamental rights that it entailed was not sufficiently circumscribed to ensure that that interference was limited to what was strictly necessary (paragraph 65). Directive 2006/24/EC covered, in a generalised manner, all persons and all means of electronic communication as well as all traffic data without any differentiation, limitation or exception being made in the light of the objective of fighting serious crime (paragraphs 57-59). The directive also failed to lay down any objective criterion by which to ensure that the competent national authorities would have access to the data and be able to use them for the sole purpose of preventing, investigating and prosecuting offences capable of being considered to be sufficiently serious to justify such an interference, or the substantive and procedural conditions relating to such access or such use (paragraphs 60-62). Finally, so far as the data retention period was concerned, the directive required that data be retained for a period of at least six months, without any distinction being made between the categories of data according to the persons concerned or on the basis of the possible usefulness of the data for the purposes of the objective pursued (paragraphs 63, 64).
Furthermore, as regards the requirements arising under Article 8(3) of the Charter, the Court held that Directive 2006/24/EC did not provide for sufficient safeguards to ensure effective protection of the data against the risk of abuse and against any unlawful access to and use of the data, nor did it require that the data be retained within the European Union.
Consequently, the directive did not fully ensure control by an independent authority of compliance with the requirements of protection and security, as explicitly required by the Charter (paragraphs 66-68).