Case Commentary - Digital Rights

Ireland Ltd v Minister for

Communications, Marine and Natural
Resources and others

Introduction

In the case of “Digital Rights Ireland Ltd v Minister for

Communications, Marine and Natural Resources and
others (Cases C-293/12 and C-594/12) EU:C:2014:238
(08 April 2014)” The European Court of Justice(ECJ)
held in its abovementioned judgement that In
accordance with Articles 7 and 8 of the European Union
Charter of Fundamental Rights, a directive from the
European Union mandating Internet service providers
(ISPs) to retain communications data to aid in the
prevention and prosecution of criminal activity was
declared unconstitutional.

There were multiple similar cases that were filed in

different countries such as Ireland and Austria
regarding the constitutionality of the directives in
respect of lawfulness of the step taken. The European
Court of Justice said that, the directives issued were
legitimate and has proper intention of and aim to curb
and fight the serious crimes, it it was held that the
measure was not able to pass the proportionality test,
which was applied to determine its effect with regard to
right of the people and appropriateness of the said
directives to achieve the end goal.

It was said that the said directives were in violation of

Article 7 and Article 8 of the Charter of the
Fundamental Rights which provided the “Right to
respect for private life and protection of personal data”

“As regards the necessity for the retention of

data required by Directive 2006/24, it must be
held that the fight against serious crime, in
particular against organised crime and terrorism,
is indeed of the utmost importance in order to
ensure public security and its effectiveness may
depend to a great extent on the use of modern
investigation techniques. However, such an
objective of general interest, however
fundamental it may be, does not, in itself, justify
a retention measure such as that established by
Directive 2006/24 being considered to be
necessary for the purpose of that fight.”
Facts

In the year of 2006, The European Parliament and the

Council of European Council (“EU”) gave the directives
of retention of data, it directed TSPs to maintain the
tack of location and traffic data, with the intention to
prevent the serious crimes and also to help the
authorities in their investigation. These directives were
also aimed to bring uniformity among European Union
laws and legislations in regard to information retention.

Later, Digital Rights, which is a digital advocacy group

in Ireland filed an petition in High of Ireland against the
legitimacy and constitutionality of the law regarding the
retention of data relating to electronic communications
by the authorities. They prayed in front to the High
Court to declare the Data Retention Directive and of
Part 7 of the Criminal Justice (Terrorist Offences) Act
2005 which mandated that telephone companies keep
customer traffic and location data for a set amount of
time in order to prevent, detect, investigate, and
prosecute criminal activity and protect public safety as
as invalid.

In its response, the High Court of Ireland held that it

cannot resolve the issues related to the national law,
until the same has been examined and scrutinized
properly, in regard to it the High court of Ireland put
the stay on the said proceedings and referred the same
to European Court of Justice for preliminary decision.

In Austria too, many cases were brought before the

Constitutional Court of Austria challenging the Austrian
law in regard to the directives of data retention from
the European Parliament and Council of European
Union.

Austrian Constitutional Court held that the retention of

data related to individuals whose behaviour in no way
supported such retention was impacted. So, people
were at more danger since the information could be
used by authorities to look into them, make inferences
about their personal life, and do a variety of other
things.
This issue of interfering with privacy in addition to that
fact that this data will be in possession of non-
calculable number of people for atleast six months The
Austrian Constitutional Court stated that there were
questions about the Data Retention Directive's ability to
accomplish the goals it set out to accomplish. The
matter was referred to the European Court of Justice
(ECJ) and the proportionality of the interference with
the relevant basic rights was also questioned.
The President of the Court issued an order joining the
two cases.

Issue
“Whether the Data Retention Directive which provided
for retention of personal data by TSPs for the purposes
of prevention and investigation of crimes was valid in
light of Article 7, Article 8 and Article 11 of the Charter
of Fundamental Rights.”

Judgement

In the present case, The Grand Chamber of the Court

of Justice similarly determined that the Directive was
unconstitutional. It followed the Advocate General's
lead regarding how difficult it is to determine whether
the measure is generally proportionate given its
contentious true goal. Contrary to the ruling in Ireland
v. Council and Parliament, the Court stated that the
Directive's primary goal was to unify data retention
laws without providing additional context “in order to
ensure that the data was available for the purpose of
the prevention, investigation, detection and
prosecution of serious crime”

Although the Court of Justice acknowledged that the

Directive allowed very precise conclusions to be drawn
concerning the private lives of the persons whose data
had been retained, which could impact on freedom of
expression, it assumed that the action directly and
specifically affected the protection of personal data
(Article of the Charter of Fundamental Rights) and the
right to private life (Article 7 of the Charter). The
Luxembourg judges, following in the footsteps of their
Strasbourg counterparts, determined that the data
retention requirement of the Directive (Articles 3 and 6
of the Charter of Fundamental Rights) constituted “in
itself an interference” with the right to privacy, and
that the Directive’s regulations regarding data access
(Articles 4 and 8 of the Charter of Fundamental Rights)
constituted a “further” interference (Article 5).
Additionally, the Court assumed that the Directive
infringed against the right to the protection of personal
data by allowing for the processing of personal data.
The interferences were described as "wide-ranging,"
"particularly serious," and "likely to generate in the
minds of the persons concerned everyone the feeling
that their private lives are the subject of constant
surveillance" without providing any specific
justification.
The Court next examined whether the Directive's
interference with the rights to data protection and
privacy under Article 52(1) of the Charter of
Fundamental Rights was lawful. It omitted the step of
the test quality of law, which the Advocate General had
gone into great detail about. Additionally, the Court
made a swift decision to uphold the "essence" of both
the right to personal data protection and the right to
privacy, as the Directive required adherence to certain
data security and protection rules and did not address
the nature of communications. The Court accepted that
data retention really served an objective of broad
interest since combating terrorism and serious crime
increased security, which made it a valid objective of
general interest. Based on data obtained from
intervening parties' responses to its questions, the
Court then conducted a comprehensive analysis of
proportionality. It first referred to its own prior legal
precedent, which had assessed whether measures did
not surpass the bounds of what is reasonable and
essential to accomplish those goals, before looking to
Strasbourg for guidance in defining the extent of
latitude afforded to the EU legislator when fundamental
rights are involved. In a strong statement of principle,
it declared that:
“When interferences with fundamental rights are at
issue, the extent of the EU legislature’s discretion may
prove to be limited, depending on a number of factors,
including, in particular the area concerned, the nature
of the right at issue guaranteed by the Charter, the
nature and seriousness of the interference and the
object pursued by the interference.”

The Court noted that the EU's long and indiscriminate

duration of retention, the Directive's blanket approach,
and the lack of EU-set restrictions on access to and use
of the data (or objective criteria to identify such limits)
were particularly problematic. First, the EU-imposed
data retention system infringed upon nearly every
European's fundamental right, given the expanding and
pervasive use of electronic communication. With no
distinction, restriction, or exception established in light
of the goal of combating severe crime, it applied
indiscriminately to all individuals, all electronic
communication devices, and traffic data. There was no
need to establish a connection between the individuals
whose communications data was stored and any
particular security risks. Additionally, professional
secrecy was not protected. Second, the Court of Justice
determined that the Directive did not provide
boundaries or objective standards for law enforcement
agencies' access to data and its subsequent use. It was
noteworthy that there were no substantive or
procedural restrictions on national authorities' access to
or use of the data, which should be exclusively limited
to the prevention and detection of specifically defined
serious offences or the pursuit of criminal prosecutions.
It did not define severe crime or provide any objective
standards to ensure that the number of individuals
permitted to view and use the data kept would be kept
to a minimum and would only be used in cases of
absolute need. Furthermore, it did not require a court
or other independent administrative authority to first
assess the material before access could be
granted. Lastly, it enforced lengthy data retention
durations without providing any objective reasoning or
discrimination based on security needs.

The Court thus concluded that the Directive,

“entailed a wide-ranging and particularly serious
interference with the fundamental rights
enshrined in … the Charter, without such an
interference being precisely circumscribed by
provisions to ensure that it is actually limited to
what is strictly necessary.”

The Court also discovered significant flaws in the

Directive's security and data protection guidelines for
private operators and providers, which were not
tailored to the large volume of data kept, its sensitive
nature, or the dangers of unauthorised access.A
sufficient level of protection and security was not
ensured by EU legislative instruments, particularly as
business entities could factor in financial considerations
when assessing the level of security. Furthermore,
there was a chance that no independent body would
have control over how these data were used and
accessed "when such a control, to be carried out on the
basis of EU law, was an essential component of the
protection of individuals with regard to the processing
of personal data." This was because the Directive did
not require that the data be stored in the European
Union. Therefore, in light of Articles 7, 8, and 52(1) of
the Charter, the Court logically concluded that the EU
legislature had gone beyond the bounds set by
adherence to the principle of proportionality. Without
addressing the other issues brought up, the Court
declared the Directive to be invalid, without regard to
time constraints. As a result, the Directive is regarded
as unconstitutional.

Analysis

Digital Rights Ireland is a historic case. It expands

upon the parameters of constitutional assessment in
cases involving the protection of basic rights. The
ruling, in particular, imposes strong scrutiny on EU
legislative actions that materially interfere with human
rights and gives the EU a new duty to safeguard human
rights. It also applies stringent proportionality
assessment in accordance with the Charter. In
addition, the decision makes clear the boundaries of
data protection and privacy in the European Union and
provides guidance to lawmakers on how to create data
retention policies that uphold human rights.
After assessing the Directive's compliance with Articles
7 and 8 of the Charter, the European Court of Justice
(ECJ) ruled that it was unconstitutional. The European
Court of Justice (ECJ) claimed that the Directive
infringed against both the right to the protection of
personal data under Article 8 and the right to respect
for one's private life under Article 7. Limitations on
these rights are only permissible under Article 52(1) of
the Charter if they are mandated by law, respectful of
the fundamental rights guaranteed by the Charter, and
commensurate with the legitimate goal being sought.

The European Court of Justice (ECJ) found that the

Directive was valid in that it sought to combat severe
crime, but it failed the proportionality test, which the
ECJ used to assess whether the actions used to
accomplish that purpose were reasonable. More
precisely, the European Court of Justice (ECJ)
determined that the Directive's implementation might,
for a limited amount of time, between six and twenty-
four months, interfere, to a considerable degree, with
the basic rights of all EU citizens. Regarding the terms
of data storage and the responsibilities of Internet
service providers and security agencies that access the
data, the Directive ought to have been more explicit.
Because the Directive did not provide any assurances
on the storage, management, or accessibility of
telecommunications data, the European Court of Justice
(ECJ) held that the Directive was incompatible with the
Charter.
Notably, the ECJ stated that EU legislators have very
little flexibility in deciding how much interference is
allowed with basic rights, like those guaranteed by
Articles 7 and 8. In certain situations, the judiciary has
the authority to review legislative actions that affect
basic rights in order to assess whether a particular
decision is consistent with upholding those rights.

Conclusion

For several reasons, Digital Rights Ireland's decision is

noteworthy. Initially, it places an additional degree of
accountability for safeguarding basic rights on the EU
legislature. It also puts it through a brand-new,
stringent judicial scrutiny test.
Thirdly, it deems a framework law for the EU illegal due
to a violation of the Charter of Rights. Fourthly, in an
era of growing securitization and exceptionalism, it
provides legislators at the EU and national levels with
important guidelines to ensure the rights to privacy and
data protection are appropriately protected. We
conclude that Digital Rights Ireland not only establishes
a stringent framework for laws and policies in the
future that interfere with personal data in Europe, but
it also has the ability to reshape inter-institutional
relations within the EU and elevate human rights and
constitutionalism to the centre of the European project,
potentially influencing the course of European
integration in the future.

By this decision, the Court not only upholds the rights

to privacy and data protection under the Charter
against the potential exploitation and abuse of personal
data that results from the keeping of data indefinitely.
Additionally, it demonstrates a strong will to limit the
securitization and state of exception trends that
permeate contemporary European anti-terrorist
legislation and attempts to reduce their interference
with significant fundamental rights. The fact that the
right to privacy—"the" human right in the digital age—
was the first to be subjected to the stringent scrutiny
test has a symbolic significance. It remains to be seen
if Digital Rights Ireland will be remembered as one of
the "great cases" in the history of European
integration, even though it undoubtedly represents a
significant step forward for the defence of basic rights
at the EU level as well as for data protection and the
right to privacy in Europe.