The ECJ has declared the Data Retention Directive to be invalid – but what actual effect will it have?
Today the European Court of Justice has declared the Data Retention Directive to be incompatible with the European Convention on Human Rights, and therefore invalid. (See here for details.) Privacy activists are delighted. Jan Philipp Albrecht called it “a major victory for civil rights in Europe.” Privacy International said, “It is right and overdue that this terrible directive was struck down.”
But there is a severe latency between European decisions and national action, especially where the national preference is for inaction. After all, the decision made today doesn’t even settle the complaint against the directive commenced in 2006 (the Irish High Court will have to settle the case, but guided by the ECJ’s decision).
I wondered, then, what real effect this decision would have on the various European national governments’ predilection for collecting their citizens’ metadata. I asked Alexander Hanff, a long-standing privacy activist and CEO of Think Privacy Inc (a provider of privacy enhancing technologies and privacy consultancy services). I can do nothing better than to repeat what he told me verbatim.
The declaration by the ECJ is long overdue but welcomed and reiterates what many privacy and human rights experts have been arguing for many years. However, what this means for the UK and other EU member states is as yet unclear. For example, the Data Retention Directive is transposed in different ways in different member states’ laws, and is not limited to a single definition in a single statute.
In the UK it is my understanding that the directive is implemented in a couple of regulations and acts such as Privacy and Electronic Communication (EC Directive) Regulations and the Regulation of Investigatory Powers Act. Which means both would need to be changed – but before that can happen the Directive itself would need to be changed to fall in line with the ECJ declaration (or “repealed” in its entirety).
As you know, the wheels of the machine turn incredibly slowly which means it could be some time before we see the relevant changes in the EU Directive – I presume this would make it difficult for citizens to challenge their governments implementation of the Directive into the national laws and regulations, as these member states would simply say they have ratified the existing Directive and cannot change their laws until the Directive itself is changed – in other words, member states are likely to say “Not our problem gov, we are just doing what Strasbourg/Brussels are telling us to do!”
That said, even if a challenge was successfully filed, it would take a great deal of time for anything to happen – look at the situation with the UK and RIPA for example – it took around 2 years from the EU Commission officially commencing infringement proceedings to the UK changing RIPA to comply with EU regulations on interception of communications.
It is of course possible that the UK government (and other member states) will voluntarily repeal the various clauses in various pieces of legislation which relate to data retention or better define them to be compatible with the ECJ declaration – but I would think that is highly unlikely given the intelligence value of this data (which everyone is now very painfully aware of since the Snowden revelations).
It may also be possible for citizens (in the UK at least and potentially other member states) to challenge their Governments in their national courts – given that (again in the UK at least) Court judgments must consider their impact on human rights under what is known as the “horizontal effect” from the Human Rights Act (as the court is a public body) so a challenge against the Government under HRA with the weight of HRA itself having a direct influence on the decision of the Court could lead to an interesting decision. But again, such a challenge would be expensive and take a significant period of time to reach a conclusion – during which time the Government could well pass secondary legislation which creates obstacles (such as some specific national security legislation, anti-terror expansion etc.).
It is too early to know how this will play out, but it is certainly interesting and will worth keeping a watchful eye on.
We should be pleased with today’s result; but there is still much to do and much to prevent. We are still a long way from changing anything in the UK.
Share this:
Related
Leave a comment Cancel reply
Freelance author and journalist. One time news reporter for Infosecurity Magazine. See Sample Work for sample work; and Editorial Services for, well, editorial services. Then contact me.
This blog is moving to ITsecurity.co.uk, where it will be bigger and better than ever. Please join us.
The all-time most popular stories on this site
Is it safe to carry on using Dropbox? Yes and No: Part II
FBI, CIPAV spyware, and the anti-virus companies
Anonymous owns the California State Law Enforcement Association (CSLEA) website
Recent Posts
- What’s with the TrueCrypt warning?
- ITsecurity.co.uk went live
- We’re moving and expanding!
- More on the Avast breach and the hash used
- Avast forum hack demonstrates we need password storage disclosure
- Hector ‘Sabu’ Monsegur to be sentenced while Hammond sits in prison
- The eBay hack, the loss of 140 million records, and the PR fiasco
- The Master Troll, Weev, delivers a masterpiece of trolling
- FBI indicts five members of the Chinese military for hacking US companies
- Worldwide crackdown on BlackShades RAT users
Blogroll
Archives
- June 2014
- May 2014
- April 2014
- March 2014
- February 2014
- January 2014
- December 2013
- November 2013
- October 2013
- September 2013
- August 2013
- July 2013
- June 2013
- May 2013
- April 2013
- March 2013
- February 2013
- January 2013
- December 2012
- November 2012
- October 2012
- September 2012
- August 2012
- July 2012
- June 2012
- May 2012
- April 2012
- March 2012
- February 2012
- January 2012
- December 2011
- November 2011
- October 2011
- September 2011
- August 2011
- July 2011
- June 2011
- May 2011
- April 2011
- March 2011
- February 2011
- January 2011
- December 2010
- November 2010
- October 2010
- September 2010
- August 2010
- July 2010
- June 2010
- May 2010
- April 2010
- March 2010
- February 2010
- January 2010
However, all jurisdictions will reject the application of the directive as well as individual who are entitled to contest the application of the directive and any other regulation based on it.
LikeLike