CRUZ VILLALÓN
delivered on 12 December 2013 ( 1 )
Case C‑293/12
Digital Rights Ireland Ltd
v
Minister for Communications, Marine and Natural Resources
Minister for Justice, Equality and Law Reform
Commissioner of the Garda Síochána
Ireland
and
The Attorney General
(Request for a preliminary ruling from the High Court of Ireland)
and
Case C‑594/12
Kärntner Landesregierung
Michael Seitlinger
and
Christof Tschohl
Andreas Krisch
Albert Steinhauser
Jana Herwig
Sigrid Maurer
Erich Schweighofer
Hannes Tretter
Scheucher Rechtsanwalt GmbH
Maria Wittmann-Tiwald
Philipp Schmuck
Stefan Prochaska
and Others
(Request for a preliminary ruling from the Verfassungsgerichtshof (Austria))
‘Electronic communications — Directive 2006/24/EC — Retention of data generated or processed in connection with the provision of electronic communications services — Validity — Article 5(4) TEU — Proportionality of action of the European Union — Charter of Fundamental Rights — Article 7 — Respect for privacy — Article 8 — Protection of personal data — Article 52(1) — Interference — Quality of the law — Proportionality of limits on the exercise of fundamental rights’
1. In the present cases, the Court has before it two references for a preliminary ruling on the validity of Directive 2006/24/EC, ( 2 ) offering it the opportunity to rule on the circumstances in which it is constitutionally possible for the European Union to impose a limitation on the exercise of fundamental rights within the specific meaning of Article 52(1) of the Charter of Fundamental Rights of the European Union, ( 3 ) by means of a directive and the national measures transposing it. ( 4 ) The limitation at issue takes the form of an obligation imposed on economic operators to collect and retain, for a specified time, a considerable amount of data generated or processed in connection with electronic communications effected by citizens throughout the territory of the European Union, with the objective of ensuring that such data are available for the purpose of the investigation and prosecution of serious criminal activities and ensuring the proper functioning of the internal market. I propose to provide a three-part answer to that question.
2. In the first part, I shall address the issue of the proportionality of Directive 2006/24 within the meaning of Article 5(4) TEU. In the second part, I shall ascertain whether the requirement, laid down in Article 52(1) of the Charter, that any limitation on the exercise of fundamental rights must be ‘provided for by law’ may be regarded as having been fulfilled. Finally, in the third part, I shall examine whether Directive 2006/24 observes the principle of proportionality, again within the meaning of Article 52(1) of the Charter.
3. However, before starting the examination of those three issues, I shall address a series of three questions which I consider essential for a proper understanding of the problems raised by the references for a preliminary ruling on validity from the High Court (Ireland) and the Verfassungsgerichtshof (Constitutional Court) (Austria).
I – Legal context
A – European Union law
4. The main provisions of European Union law which are relevant to the examination of the questions referred to the Court in the present cases are, in addition to the provisions of Directive 2006/24 whose validity is called into question in the two cases and those of the Charter, those of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data ( 5 ) and of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications). ( 6 ) Those directives and their main provisions will be presented in the course of the following reasoning as and when required for the purposes of the discussion.
B – National law
1. Irish law (Case C‑293/12)
5. Article 29.4.6 of the Constitution of Ireland provides that no provision of the Constitution invalidates laws enacted, acts done or measures adopted by the State which are necessitated by the obligations of membership of the European Union or of the Communities, or prevents laws enacted, acts done or measures adopted by the European Union or by the Communities or by institutions thereof, or by bodies competent under the Treaties, from having the force of law.
6. Part 7 of the Criminal Justice (Terrorist Offences) Act 2005, ( 7 ) now repealed, included provisions on the retention of data relating to communications by telephone. It required providers of telephone communication services to retain traffic and location data for a period laid down by law, in order to prevent, detect, investigate and prosecute crime and to safeguard the security of the State. For those purposes the 2005 Criminal Justice Act allowed the competent authorities of the State, in particular the Commissioner of the Garda Síochána, to request the disclosure of such data by following a particular procedure and it established guarantees by means of a complaints procedure, presided over by an independent quasi-judicial body.
7. The Communications (Retention of Data) Act 2011, adopted in order to transpose Directive 2006/24, repealed Part 7 of the 2005 Criminal Justice Act and established a new data retention scheme.
2. Austrian law (Case C‑594/12)
8. Paragraph 1 of the Federal Law on the protection of personal data, ( 8 ) which has constitutional status, provides for a fundamental right to data protection.
9. Directive 2006/24 was transposed into Austrian law by a federal law ( 9 ) introducing a new Paragraph 102a into the Law on telecommunications of 2003, ( 10 ) which imposes on providers of publicly available communications services the obligation to retain the data listed therein. ( 11 )
II – The facts of the main proceedings
A – Case C‑293/12 Digital Rights Ireland
10. The plaintiff in the main proceedings, Digital Rights Ireland Ltd, ( 12 ) is a limited liability company whose statutes specify that its object is to promote and protect civil rights and human rights, in particular in the field of modern communication technologies.
11. DRI, which states that it is the owner of a mobile phone registered on 3 June 2006 which it has been using since that date, brought an action against two ministers of the Irish Government, the Minister for Communications, Marine and Natural Resources and the Minister for Justice, Equality and Law Reform, the Irish chief of police (the Commissioner of the Garda Síochána), Ireland, and the Attorney General of Ireland, submitting, in essence, that the Irish authorities have unlawfully processed, retained and exercised control over data related to its communications.
12. As a result, it is seeking, first, the annulment of several measures of domestic law that empower the Irish authorities to adopt measures requiring providers of telecommunications services to retain telecommunications data, taking the view that they are incompatible with the Irish Constitution and European Union law. Second, it is calling into question the validity of Directive 2006/24 in the light of the Charter and/or the European Convention for the Protection of Human Rights and Fundamental Freedoms ( 13 ) and asked the national court to refer to the Court several questions on the validity of that directive.
B – Case C‑594/12 Seitlinger and Others
13. On 6 April 2012 the Kärntner Landesregierung, on the basis of Article 140(1) of the Austrian Federal Constitutional Law (Bundes-Verfassungsgesetz), ( 14 ) brought an action before the Verfassungsgerichtshof for the annulment of several provisions of the TKG 2003, in particular Paragraph 102a, as drafted following the transposition of Directive 2006/24 and which entered into force on 1 April 2012.
14. On 25 May 2012, Mr Michael Seitlinger brought an action before the Verfassungsgerichtshof on the basis of Article 140(1) of the B-VG claiming that Paragraph 102a of the TKG 2003 was unconstitutional in so far as it affected his rights. He considers that the latter provision, which imposes upon his communication network operator the obligation to retain data without any reason, technical need or billing purpose and against his will, constitutes, inter alia, an infringement of Article 8 of the Charter.
15. Finally, on 15 June 2012, a further action was brought before the Verfassungsgerichtshof on the basis of Article 140 of the B-VG by 11130 applicants claiming that the unconstitutionality of the obligation to retain data laid down by Paragraph 102a of the TKG 2003 infringed their rights and, in particular, Article 8 of the Charter.
III – The questions referred and the procedure before the Court of Justice
A – Case C‑293/12 Digital Rights Ireland
16. In Case C‑293/12, the High Court has referred the following questions to the Court for a preliminary ruling:
B – Case C‑594/12 Seitlinger and Others
17. In Case C‑594/12, the Verfassungsgerichtshof has referred the following questions to the Court for a preliminary ruling:
C – Procedure before the Court of Justice
18. Written observations have been submitted in Case C‑293/12 by the Irish Human Rights Commission, ( 15 ) Ireland, the French, Italian, Polish and United Kingdom Governments, the European Parliament, the Council of the European Union and the European Commission.
19. Written observations have been submitted in Case C‑594/12 by Mr Seitlinger, Mr Tschohl, the Spanish, French, Austrian and Portuguese Governments, the Parliament, the Council and the Commission.
20. By decision of the President of the Court of 6 June 2013, the two cases were joined for the purposes of the oral procedure and the judgment.
21. With a view to the holding of a joint hearing in the two cases, the Court, pursuant to Article 61 of its Rules of Procedure, invited the parties wishing to appear to consult one another on their respective positions, to focus their pleadings on the compatibility of Directive 2006/24 with Articles 7 and 8 of the Charter and to answer certain questions. It also invited the European Data Processing Supervisor ( 16 ) to provide information, pursuant to the second paragraph of Article 24 of the Statute of the Court of Justice.
22. DRI and the IHRC (Case C‑293/12) and Mr Seitlinger and Mr Tschohl (Case C‑594/12), as well as Ireland, the Spanish, Italian, Austrian and United Kingdom Governments, the Parliament, the Council, the Commission and the EDPS, presented oral argument at the joint hearing in open court held on 9 July 2013.
IV – Admissibility
23. In their written observations in Case C‑293/12, the Parliament, the Council and the Commission argue, in essence, that the High Court has not sufficiently set out the reasons leading it to question the validity of Directive 2006/24, in particular in the light of Article 21 TFEU and Articles 11 and 41 of the Charter. The vagueness of the request for a preliminary ruling from the High Court thereby noted cannot, however, lead the Court to dismiss that request as inadmissible.
V – Substance
24. The separate requests for a preliminary ruling from the High Court in Case C‑293/12 and the Verfassungsgerichtshof in Case C‑594/12 raise four sets of issues.
25. The first set of issues, consisting of the first question in Case C‑293/12, concerns the validity of Directive 2006/24 in the light of Article 5(4) TEU. The High Court asks very specifically whether Directive 2006/24 is, in general, proportionate within the meaning of Article 5(4) TEU, that is to say, whether it is necessary and appropriate to achieve the objectives which it pursues, which are to ensure that certain data are available for the purposes of investigation, detection and prosecution of serious crime and/or to ensure the proper functioning of the internal market.
26. The second set of issues, which comprises the second question in Case C‑293/12 and the first question in Case C‑594/12, relates to the compatibility of several provisions of Directive 2006/24 with a number of provisions of the Charter, primarily Article 7 on the right to privacy and Article 8 on the right to the protection of personal data, and, more broadly, to the proportionality of the measures which it imposes, within the meaning of Article 52(1) of the Charter. That question of validity is indisputably central to the problems raised by these cases.
27. The second question referred by the Verfassungsgerichtshof in Case C‑594/12 raises a third set of issues, concerning the interpretation of the general provisions of the Charter governing its interpretation and application, in the present instance the interpretation and application of Articles 52(3), (4) and (7) and 53. More specifically, the Verfassungsgerichtshof raises, in essence, the question of the relationship between, on the one hand, Article 8 of the Charter, enshrining the right to the protection of personal data, and, on the other hand, (i) the provisions of Directive 95/46 and Regulation No 45/2001, in connection with Article 52(1) and (3) of the Charter (questions 2.1, 2.2 and 2.3), (ii) the constitutional traditions of the Member States (question 2.4), in connection with Article 52(4) of the Charter, and (iii) the law of the ECHR, in particular Article 8 thereof, in connection with Article 52(3) of the Charter (question 2.5).
28. Finally, the third question of the High Court in Case C‑293/12, which comprises the fourth and final set of issues, concerns the interpretation of Article 4(3) TEU and more specifically whether national courts are required, under the duty of sincere cooperation, to examine and assess the compatibility of national provisions transposing Directive 2006/24 with the provisions of the Charter, in particular Article 7 thereof.
29. It should be noted at the outset that most of my discussion will focus on the first two sets of questions and that, in light of the answer to them which will be provided, it will not be necessary to provide specific answers to the last two sets of questions. Before addressing those questions, it is necessary to begin, however, by making a number of preliminary comments.
A – Preliminary remarks
30. In order to be in a position to provide comprehensive answers on the various issues raised by the national courts, attention must be drawn to three elements which play a decisive part for the purpose of analysing the present cases, that is to say, first, the specific nature of Directive 2006/24 in functional terms, secondly, the classification of the interference with the fundamental rights at issue and, thirdly and finally, the impact on the present cases of the judgment in Ireland v Parliament and Council, ( 17 ) by which the Court dismissed the action for annulment of that directive brought on the ground that it was adopted on an incorrect legal basis.
1. The ‘functional duality’ of Directive 2006/24 and its relationship with Directive 95/46 and Directive 2002/58
31. It is necessary to begin by placing Directive 2006/24 in its context, outlining the legislative framework of which it forms part, which is primarily made up of Directive 95/46 and Directive 2002/58.
32. The object of Directive 95/46, which like Directive 2006/24 is based on Article 114 TFEU, is to impose on Member States the obligation to guarantee the right to privacy of individuals with respect to the processing of personal data relating to them, ( 18 ) with a view to allowing the free flow of such data between the Member States. ( 19 ) For that purpose, it establishes, inter alia, a set of rules determining the conditions under which the processing of personal data is lawful, laying down the rights of persons in relation to whom data are collected and processed, in particular the right to information, ( 20 ) the right of access, ( 21 ) the right to object ( 22 ) and the right to a remedy, ( 23 ) and guaranteeing the confidentiality and security of processing.
33. The system of protection established by Directive 95/46 is accompanied by exemptions and restrictions laid down in Article 13. The rights and obligations which it provides for as regards data quality (Article 6(1)), the transparency of processing (Articles 10 and 11(1)), rights of access of individuals in relation to whom data are being processed (Article 12) and the publicising of processing operations (Article 21) may be the subject of legislative measures restricting their scope where this is necessary to safeguard, in particular, national security, defence, public security or the prevention, investigation, detection and prosecution of criminal offences.
34. Directive 2002/58, which repeals and replaces Directive 97/66/EC, ( 24 ) particularises and complements ( 25 ) the system of protection of personal data established by Directive 95/46 by means of specific rules applicable to the electronic communications sector. ( 26 ) It includes, in particular, rules requiring the Member States to ensure, subject to certain exceptions, ( 27 ) the confidentiality of not only the communications but also the traffic data of subscribers to and users of electronic communications services. ( 28 ) Article 6 imposes on providers of communications services the obligation to erase or make anonymous the traffic data which they process and store relating to their subscribers and users.
35. It is of particular importance to the reasoning that follows that Article 15(1) of Directive 2002/58 also provides, in the same terms as Article 13(1) of Directive 95/46 to which it refers, that the Member States may ( 29 ) adopt legislative measures to restrict the scope of the rights and obligations provided for in the directive as regards, inter alia, the confidentiality of communications (Article 5) and the erasure of traffic data (Article 6). Article 15(1) states that Member States may, to that end, adopt, inter alia, legislative measures providing for the retention of data for a limited period on one of the grounds listed, in accordance with fundamental rights.
36. Directive 2006/24 in fact alters profoundly the law applicable to electronic communications data as it stood following the adoption of Directives 95/46 and 2002/58 ( 30 ) by providing for the establishment by the Member States of an obligation to collect and retain traffic and location data which falls within the scope of the restrictions on the right to the protection of personal data that are provided for in Article 13(1) of Directive 95/46 and Article 15(1) of Directive 2002/58.
37. Directive 2006/24 is characterised first of all by its objective of harmonisation, in this instance of the rules of Member States on the retention of traffic and location data relating to electronic communications. However, in the light of the matter to be harmonised and the circumstances, that objective requires the simultaneous imposition, on Member States not having such legislation, of an obligation to collect and retain such data. It follows that Directive 2006/24 has a dual function which it is essential to take into consideration in order properly to address the problem raised by the present requests for a preliminary ruling.
38. The primary objective of Directive 2006/24 is to harmonise national rules which already impose on providers of publicly available electronic communications services or of public communications networks ( 31 ) obligations to retain the traffic and location data which it determines, in order to ensure their availability ‘for the purpose of the investigation, detection and prosecution of serious crime, as defined by each Member State in its national law’. ( 32 ) In so doing, Directive 2006/24 accordingly harmonises in part the rules adopted by certain Member States on the basis of the option provided by Article 15(1) of Directive 2002/58. ( 33 )
39. Directive 2006/24 thus establishes a scheme derogating ( 34 ) from the principles established by Directive 95/46 and Directive 2002/58. To be entirely accurate, it derogates from the derogating rules which are laid down by Article 15(1) of Directive 2002/58 and govern the Member States’ option of restricting, on the grounds provided for in Article 13(1) of Directive 95/46, the scope of the right to the protection of personal data and, more generally, of the right to privacy, in the specific context of the provision of electronic communications services or public communications networks.
40. Moreover, it is significant that Article 11 of Directive 2006/24 inserts paragraph 1a into Article 15 of Directive 2002/58, which states that paragraph 1 of Article 15 is not to apply to data specifically required to be retained by Directive 2006/24.
41. As the Court pointed out in Ireland v Parliament and Council, Directive 2006/24 is directed essentially at the activities of providers of electronic communications services, ( 35 ) since it harmonises the national rules by means of provisions which are essentially limited ( 36 ) to the retention of data, the categories of data to be retained, the periods of retention, and data protection, data security and data storage. ( 37 )
42. It is precisely because of that limited harmonising function, as will be seen below, that the Court was able to rule, in Ireland v Parliament and Council, that Directive 2006/24 could be adopted on the basis of Article 95 EC. It was necessary, in pursuit of the objective of safeguarding the proper functioning of the internal market, ( 38 ) to end the divergent development of the existing rules, ( 39 ) while preventing divergent development in the future. ( 40 )
43. The harmonisation under Directive 2006/24 was, here, necessarily carried out on the basis of insertion of an obligation to collect and retain data imposed on providers of electronic communications services, at least with respect to the Member States that had no legislation in that regard, an obligation which sets in particular the minimum and maximum periods for which the data must be retained.
44. It may, in that regard, be pointed out that the fact that a number of Member States did not yet have legislation on data retention was specifically one of the key factors justifying the adoption of Directive 2006/24 on the basis of Article 95 EC. ( 41 )
45. Accordingly, Directive 2006/24, within the context of its objective of harmonisation, imposes on Member States the obligation either to make their existing system compatible with the provisions of Directive 2006/24 or to establish, in due course, the collection and retention scheme provided for by Directive 2006/24 and, in any event, the obligation to ensure compliance with the provisions of that directive, in particular those governing the requirements and detailed rules for access to the retained data.
46. In summary, Directive 2006/24 is characterised by its functional duality. It is, on the one hand, an entirely traditional directive which seeks to harmonise ( 42 ) national laws that are disparate ( 43 ) or likely to become so, and was adopted in the interests of the functioning of the internal market and precisely calibrated for that purpose, as the Court ruled in Ireland v Parliament and Council. However, it is also, on the other hand, a directive which, even in its harmonising function, seeks to establish, ( 44 ) where appropriate, obligations – in particular data retention obligations – which constitute, as I shall show later, serious interference with the enjoyment of the fundamental rights guaranteed to European citizens by the Charter, in particular the right to privacy and the right to the protection of personal data.
47. Finally, although it is clear that the answers to the questions referred in the present cases must in particular take into account this ‘second function’, that is to say, what I would describe as the ‘creating’ effect of the obligation that data be retained, that obligation’s specific effect of harmonising existing national rules in the field must not be disregarded.
2. The fundamental right essentially at issue and classification of the interference
48. It is necessary, secondly, to address at this stage the issue of classification of the interference with the exercise of fundamental rights which arises from the collection and retention of data under Directive 2006/24, once it has been accepted that the actual existence of that interference is not in dispute. First of all, I shall identify the fundamental right primarily affected by Directive 2006/24 and then I shall classify the interference with the exercise of that right which the directive constitutes.
a) The fundamental rights affected
i) The various fundamental rights relied upon
49. The High Court, in Case C‑293/12, and the Verfassungsgerichtshof, in Case C‑594/12, ask the Court to rule on the compatibility of Directive 2006/24 with various fundamental rights, first of all the right to privacy, as guaranteed by Article 7 of the Charter, and the right to the protection of personal data, as guaranteed by Article 8 of the Charter, but also the right to freedom of expression, as guaranteed by Article 11 of the Charter.
50. The High Court also asks the Court to rule on the compatibility of Directive 2006/24 with Article 21 TFEU, on the right of movement and residence of European citizens, and with Article 41 of the Charter, laying down the right to good administration.
51. In that connection, it is possible to begin by simplifying this issue.
52. First of all, it is true that it must not be overlooked that the vague feeling of surveillance ( 45 ) which implementation of Directive 2006/24 may cause is capable of having a decisive influence on the exercise by European citizens of their freedom of expression and information and that an interference with the right guaranteed by Article 11 of the Charter therefore could well also be found to exist. ( 46 ) It may be noted, however, that, quite apart from the fact that the Court does not have sufficient material to enable it to give a ruling in that regard, that effect would be merely a collateral consequence of interference with the right to privacy, which is the subject-matter of a very careful and detailed examination below.
53. In addition, the High Court does not provide the slightest explanation of its reasons for considering Article 21 TFEU (right of residence and movement of European citizens) and Article 41 of the Charter (right to good administration) relevant in assessing the validity of Directive 2006/24, or even the slightest indication of the impact which that directive could have on the free movement of citizens or on the principle of good administration, contrary to the requirements now laid down in Article 94 of the Rules of Procedure of the Court. Accordingly, the Court also has insufficient material to give any ruling in that regard.
54. It is therefore primarily the compatibility of Directive 2006/24 with Articles 7 and 8 of the Charter that should, in principle, be examined.
ii) The combination of the right to privacy and the right to protection of personal data
55. Article 8 of the Charter enshrines the right to the protection of personal data as a right which is distinct from the right to privacy. Although data protection seeks to ensure respect for privacy, it is, in particular, subject to an autonomous regime, primarily determined by Directive 95/46, Directive 2002/58, Regulation No 45/2001 and Directive 2006/24 and, in the field of police and judicial cooperation in criminal matters, by Framework Decision 2008/977/JHA. ( 47 )
56. Directive 2006/24 significantly affects the right to the protection of personal data, since Article 5 imposes on Member States the obligation to ensure the retention of data which allow or may allow identification of a person, ( 48 ) be he the source or the destination of a communication, and of his position in space and time, whether by reference to his telephone number in respect of telephony or to his identification number or any other information specific to him such as an IP address in respect of Internet services.
57. Article 1(2) of Directive 2006/24 indeed expressly states that the directive is to apply, inter alia, to data necessary to identify subscribers to or registered users of publicly available electronic communications services or public communications networks. Those data thus fall within the category of data whose disclosure is subject to the express authorisation of each individual, in respect of which he has a ‘right to informational self-determination’. ( 49 )
58. Directive 2006/24 appears at first sight to be an interference with the right to the protection of personal data, clearly falling within the scope of the provisions of Article 8(2) and (3) of the Charter. Indeed, Directive 2006/24 states that not only Directive 95/46 and Directive 2002/58 ( 50 ) but also the 1981 Council of Europe Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data ( 51 ) are fully applicable to the data retained in accordance with its provisions.
59. However, it is not the processing of the data retained, whether in terms of the manner in which the data are collected by the providers of electronic communications services or the manner in which they are used by the competent authorities authorised by the Member States, which requires the utmost vigilance, but the actual collection and retention of the data at issue, as well as the data’s impact on the right to privacy, for reasons which I shall now explain.
60. First of all, the fact that Directive 2006/24 may satisfy fully the requirements of Article 8(2) and (3) of the Charter and be considered not to be incompatible with Article 8 of the Charter in no way means that it is fully compatible with the requirements resulting from the right to privacy guaranteed by Article 7 of the Charter.
61. Since the ‘private sphere’ forms the core of the ‘personal sphere’, it cannot be ruled out that legislation limiting the right to the protection of personal data in compliance with Article 8 of the Charter may nevertheless be regarded as constituting a disproportionate interference with Article 7 of the Charter.
62. It is true that the right to the protection of personal data is based on the fundamental right of respect for private life, ( 52 ) with the result that, as the Court has had the opportunity to point out, ( 53 ) Articles 7 and 8 of the Charter are so closely linked ( 54 ) that they may be regarded as establishing a ‘right to respect for private life with regard to the processing of personal data’. ( 55 )
63. However, this cannot apply systematically. The link which unites those two rights depends, in essence, on the nature of the data at issue, even if they are always personal, that is to say, relate to the person, to the individual.
64. There are data that are personal as such, that is to say, in that they individually identify a person, such as data which, in the past, could appear on a safe-conduct, by way of example. Such data frequently have a certain permanence and are frequently somewhat neutral too. They are personal but no more than that and, in general, it could be said that they are those for which the structure and guarantees of Article 8 of the Charter are best suited.
65. There are, however, data which are in a sense more than personal. These are data which, qualitatively, relate essentially to private life, to the confidentiality of private life, including intimacy. In such cases, the issue raised by personal data commences, so to speak, further ‘upstream’. The issue which arises in such cases is not yet that of the guarantees relating to data processing but, at an earlier stage, that of the data as such, that is to say, the fact that it has been possible to record the circumstances of a person’s private life in the form of data, data which can consequently be subject to information processing.
66. It is in that sense that it is possible to argue that, when such data are involved, they raise an issue which essentially precedes that of their processing, relating primarily to the privacy guaranteed by Article 7 of the Charter and only secondarily to the guarantees concerning the processing of personal data referred to in Article 8 of the Charter.
67. As is clear from the foregoing reasoning, which places the fundamental rights forming the combination constituted by the right to privacy (Article 7 of the Charter) and the right to the protection of personal data (Article 8 of the Charter) in their correct positions, it is necessary to assess the validity of Directive 2006/24 primarily from the perspective of interference with the right to privacy.
b) A particularly serious interference with the right to privacy
68. |
First of all, there is hardly any doubt that Directive 2006/24 itself constitutes an ‘interference’ with the right to privacy. ( 56 ) This is in fact established by the directive, which defines itself as an ‘instrument on data retention’ constituting a ‘[necessary measure] that complies with the requirements of Article 8 of the ECHR’ ( 57 ) and Article 7 of the Charter. The Court, moreover, uses that term in relation to the directive. ( 58 ) |
69. |
The European Court of Human Rights has for its part repeatedly held that the storing by a public authority of data relating to the private life of an individual amounts to an interference with the right to respect for his private life guaranteed by Article 8(1) of the ECHR ( 59 ) and that the use made of them has no bearing on that finding. ( 60 ) |
70. |
The issue here is to attempt to classify that interference. In that regard, and as I shall demonstrate in more detail below, it is possible to argue that Directive 2006/24 constitutes a particularly serious ( 61 ) interference with the right to privacy. |
71. |
It is true that Directive 2006/24 excludes from its scope, in a manner which is as express as it is insistent, ( 62 ) the content of telephone or electronic communications, the information communicated itself. |
72. |
However, the fact remains that the collection ( 63 ) and, above all, the retention, ( 64 ) in huge databases, of the large quantities of data generated or processed in connection with most of the everyday electronic communications of citizens of the Union ( 65 ) constitute a serious interference with the privacy of those individuals, even if they only establish the conditions allowing retrospective scrutiny of their personal and professional activities. The collection of such data establishes the conditions for surveillance which, although carried out only retrospectively when the data are used, none the less constitutes a permanent threat throughout the data retention period to the right of citizens of the Union to confidentiality in their private lives. The vague feeling of surveillance ( 66 ) created raises very acutely the question of the data retention period. |
73. |
In that regard, it is first of all necessary to take into account the fact that the effects of that interference are multiplied by the importance acquired in modern societies by electronic means of communication, whether digital mobile networks or the Internet, and their massive and intensive use by a very significant proportion of European citizens in all areas of their private or professional activities. ( 67 ) |
74. |
The data in question, it must be emphasised once again, are not personal data in the traditional sense of the term, relating to specific information concerning the identity of individuals, but ‘special’ personal data, the use of which may make it possible to create a map, both faithful and exhaustive, of a large portion of a person’s conduct strictly forming part of his private life, or even a complete and accurate picture of his private identity. |
75. |
The intensity of that interference is exacerbated by factors which increase the risk that, notwithstanding the obligations imposed by Directive 2006/24 both on the Member States themselves and on providers of electronic communications services, the retained data might be used for unlawful purposes which are potentially detrimental to privacy or, more broadly, fraudulent or even malicious. |
76. |
Indeed, the data are not retained by the public authorities themselves, or even under their direct control, but by the providers of electronic communications services themselves, ( 68 ) upon which most of the obligations guaranteeing data protection and security are imposed. |
77. |
It is true that Directive 2006/24 requires ( 69 ) the Member States to ensure that data are retained in accordance with that directive. It is interesting to note though that it is required to carry this out only in such a way that those data and any other necessary information relating to them ‘can be transmitted upon request to the competent authorities without undue delay’. Directive 2006/24 provides, moreover, that the Member States must ensure that providers of electronic communications services observe minimum principles concerning the protection and security of the data retained. |
78. |
However, no provision of Directive 2006/24 lays down the requirement for those service providers themselves to store the data to be retained in the territory of a Member State, under the jurisdiction of a Member State, a fact which considerably increases the risk that such data may be accessible or disclosed in infringement of that legislation. |
79. |
That ‘outsourcing’ of data retention admittedly allows the retained data to be distanced from the public authorities of the Member States and thus to be placed beyond their direct grip and any control, ( 70 ) but by that very fact it simultaneously increases the risk of use which is incompatible with the requirements resulting from the right to privacy. |
80. |
Directive 2006/24 therefore constitutes, as is clear from the foregoing reasoning, a particularly serious interference with the right to privacy and it is in the light of the requirements resulting from that fundamental right that its validity, and in particular its proportionality, must primarily be examined. |
3. The significance of Ireland v Parliament and Council in assessing the validity of Directive 2006/24
81. |
Having reached this stage of the preliminary reasoning, the effect of Ireland v Parliament and Council on the two requests for a preliminary ruling on the validity of Directive 2006/24 remains to be considered. |
82. |
In that case, a direct action was brought before the Court seeking annulment of Directive 2006/24 in which it was exclusively argued that the directive was adopted on an incorrect legal basis. Accordingly, the Court expressly stated, in paragraph 57 of its judgment, that ‘the action brought by Ireland relate[d] solely to the choice of legal basis and not to any possible infringement of fundamental rights arising from interference with the exercise of the right to privacy contained in Directive 2006/24’. |
83. |
However, since the requests for a preliminary ruling in the two cases raise the issue of the proportionality of the provisions of Directive 2006/24, within the meaning of Article 5(4) TEU (first question in Case C‑293/12), on the one hand, and within the meaning of Article 52(1) of the Charter (second question in Case C‑293/12 and first question in Case C‑594/12), on the other hand, it is possible to interpret the reservation thus expressed by the Court in two ways, which may prove to be complementary. |
84. |
The first possible interpretation, the interpretation which ultimately applies in any event, is that the Court, bound by the very specific claims for annulment made by Ireland, was not called upon to examine the compatibility of Directive 2006/24 with the fundamental rights guaranteed by the Charter, primarily the right to privacy guaranteed by Article 7 of the Charter. The Court itself sought to point this out in paragraph 57 of its judgment: accordingly, it had no need to consider that question as to the directive’s compatibility in the light of the requirements contained in Article 52(1) of the Charter, in particular those relating to quality of the law and proportionality. |
85. |
The second meaning which it is possible to attribute to that reservation, which it is much more difficult to explore, would be to consider that, notwithstanding the validation of the legal basis of Directive 2006/24 by Ireland v Parliament and Council, the Court did not examine the proportionality, within the meaning of Article 5(4) TEU, of that directive, that is to say, examine it in relation to the interference with fundamental rights, as the High Court is requesting formally in its first question in Case C‑293/12. This would, in essence, involve examining whether, taking into account its legal basis, the interference with the right to privacy constituted by Directive 2006/24 retains a reasonable relationship of proportionality, for the purposes of that provision, with the objectives which it pursues. |
86. |
I shall begin by identifying the issues deriving from the principle of proportionality within the meaning of Article 5(4) TEU, which requires, as noted, an exploration of the possibilities opened up by that second possible interpretation of paragraph 57 of the judgment in Ireland v Parliament and Council. I shall then, on the basis of the first – non-problematic – interpretation of that paragraph, examine what lies at the heart of the questions raised by the two national courts, relating to the conditions governing limits on the exercise of fundamental rights. |
B – The proportionality, within the meaning of Article 5(4) TEU, of the adoption of Directive 2006/24 (first question in Case C‑293/12)
87. |
By its first question in Case C‑293/12, the High Court asks the Court whether, in the light of Article 5(4) TEU, Directive 2006/24 is proportionate to the objectives which it pursues, be it the objective of ensuring that the data retained are available for the purpose of the detection and prosecution of serious crime or that of ensuring the proper functioning of the internal market or both of them. |
88. |
An answer to that question is required only in so far as it can be accepted that in Ireland v Parliament and Council the Court ruled only on the validity of the choice of Article 95 EC as the legal basis for Directive 2006/24, while leaving untouched the question of the proportionality of that directive itself in the light of the objectives which it may seek to achieve pursuant to that legal basis. The following reasoning must therefore be understood as being dependent upon an interpretation of Ireland v Parliament and Council which might, none the less, be open to debate. |
89. |
Inasmuch as the request for a preliminary ruling from the High Court raises both the issue of the proportionality of Directive 2006/24, the European Union measure itself, within the meaning of Article 5(4) TEU, and that of the proportionality of the limitations on the exercise of fundamental rights within the meaning of Article 52(1) of the Charter, it must be borne in mind that the reviews carried out under those two provisions are different in nature. ( 71 ) Proportionality within the meaning of Article 5(4) TEU is, in conjunction with the principle of subsidiarity, a general principle governing action of the European Union and setting a framework for the adoption of all measures by the institutions. It is more specifically intended to channel action by the European Union with due respect for Member State competence. Proportionality within the meaning of Article 52(1) of the Charter is a requirement for the legitimacy of any limitation on the exercise of fundamental rights. Although the reviews carried out under the two provisions may follow the same course, they are not conducted with the same stringency. |
90. |
That having been made clear, it should be recalled that, in an area of shared competence, such as that of the internal market, ( 72 ) it is for the European Union legislature to determine the measures which it considers necessary to achieve the intended objectives, while observing the principles of subsidiarity and proportionality enshrined in Article 5 TEU. ( 73 ) |
91. |
In the present instance, in accordance with Article 5 of the Protocol on the application of the principles of subsidiarity and proportionality, the Commission provided a statement of reasons for the adoption of Directive 2006/24 in the light of the principle of proportionality, as is clear from its proposal of 21 September 2005. ( 74 ) |
92. |
The question raised by the High Court is, however, not whether the Commission, in this instance, fulfilled its obligations, but whether Directive 2006/24 itself complies with the requirements of Article 5(4) TEU. |
93. |
According to the settled case-law of the Court, an act of the European Union may be regarded as proportionate only provided that the measures which it implements are appropriate for attaining the objectives pursued and do not go beyond what is necessary to achieve those objectives. ( 75 ) |
94. |
The question referred by the High Court raises in that regard a very particular difficulty. The issue which arises is, here, that of whether the proportionality, within the meaning of Article 5(4) TEU, of the measures adopted by Directive 2006/24 must be assessed in the light of the two objectives which it states that it pursues, that is to say, harmonising national rules in order to ensure the proper functioning of the internal market and ensuring the availability of data for the purposes of the prevention of crime, or, on the contrary, in the light of the only objective directly related to the legal basis upon which it was adopted. |
95. |
In that regard, it is necessary to draw a distinction between its predominant ( 76 ) objective, namely the functioning of the internal market, and the ultimate ends which it pursues, which may be described in various ways but which are not in any event predominant. More specifically, it is necessary, in the first place, to examine the proportionality of Directive 2006/24 – in so far as it imposes on providers of electronic communications services obligations to collect and retain data and make them available which create a new legal position – in relation to the needs for harmonisation of those obligations. |
96. |
In that regard, it must be remembered, first of all, that the intensity of the judicial review which the Court carries out concerning the appropriateness of a measure adopted by the European Union legislature is directly linked to the discretion available to the latter. ( 77 ) The Court has repeatedly held that, in areas in which its action involves choices of a political, economic or social nature and requiring complex assessments and evaluations, such as in the areas of the common agricultural policy ( 78 ) or the common commercial policy, ( 79 ) the European Union legislature has broad discretion ( 80 ) and the powers of review of the Court are therefore limited. It is not for the Court to determine whether the measure adopted was the only one or the best one possible, but to determine that it is based on objective factors ( 81 ) and is not manifestly inappropriate in relation to the objective pursued. ( 82 ) |
97. |
It is, in that regard, not disputed that Directive 2006/24 constitutes an appropriate means of achieving the first, formal, objective which it pursues, namely ensuring the proper functioning of the internal market. It is undoubtedly finely adjusted to preclude present and future legal and technical differences ( 83 ) between national rules that impose obligations on providers of electronic communications services to retain data. |
98. |
It may also be accepted, having regard to the discretion of the institutions, that the harmonisation achieved by Directive 2006/24 was actually necessary for the purpose of reducing legal and technical differences between the requirements imposed on providers of electronic communications services concerning the types of data to be retained and the periods and conditions of retention. ( 84 ) |
99. |
Finally, it remains to be examined whether Directive 2006/24 may be regarded as proportionate in the strict sense. |
100. |
Having reached this final stage of the examination of the proportionality of Directive 2006/24 within the meaning of Article 5(4) TEU, it must be stated that the intensity of the intervention in the area of regulation of fundamental rights, constituted by the interference with the right to privacy which, through the implementation of Directive 2006/24, is imposed on the Member States, is manifestly disproportionate to the objective relating to the need to ensure the functioning of the internal market which the directive predominantly pursues ( 85 ) and which justified its adoption on the basis of Article 95 EC. The impact which Directive 2006/24, by virtue of its ‘creating’ effect, has on the Member States’ powers to regulate and guarantee the content of fundamental rights cannot, in that regard, be underestimated. |
101. |
Directive 2006/24, as I have shown above, imposed an obligation to collect and retain data on providers of electronic communications services which, derogating from the principles laid down by Directive 95/46 and Directive 2002/58, constitutes a serious interference with the right to privacy, in particular, while leaving to the Member States the task of actually guaranteeing respect for fundamental rights. |
102. |
The serious interference with the right to privacy which, as a consequence of the ‘creating’ effect of Directive 2006/24, the Member States are meant to incorporate into their own legal systems thus appears to be disproportionate to the need solely to ensure the functioning of the internal market, even if that collection and retention must also be considered an appropriate and even necessary means of achieving the ultimate objective pursued by the directive of ensuring that the data are available for the purpose of the investigation and prosecution of serious crime. In summary, Directive 2006/24 would fail the proportionality test for the very reasons which justified its legal basis. The reasons for its legitimacy in terms of its legal basis would, paradoxically, be the reasons for its illegitimacy in terms of proportionality. |
103. |
Nevertheless, the issue is not so simple, since it is necessary to take into account that a ‘predominant’ objective is not the same as an ‘exclusive’ objective, even if that predominant objective played a decisive role in identifying the correct legal basis. It is necessary, from that point of view, to acknowledge that, in the context of examining the proportionality of Directive 2006/24 within the meaning of Article 5(4) TEU, there is actually room for taking into account the ultimate objective of preventing serious crime pursued by it. From this viewpoint, it might readily be accepted that Directive 2006/24, as an act of the European Union and taking care to leave aside the examination of proportionality within the meaning of Article 52(1) of the Charter, could, applying the test of proportionality in the precise sense of Article 5(4) TEU, be found to be appropriate, necessary and even proportionate in the strict sense. |
104. |
The issue which ultimately arises is whether the problems of proportionality in the strict sense which an act of the European Union occasions in relation to the predominant objective which it pursues can be remedied by taking into consideration a ‘background’ objective. That issue is all the more difficult to resolve since it arises in a context in which the legal basis of the measure in question has been validated specifically by reference to its predominant objective. |
105. |
However, since Directive 2006/24 must still, as a measure limiting the exercise of fundamental rights, be subject to an examination of proportionality under Article 52(1) of the Charter, I take the view that it is not necessary definitively to settle that matter in the present cases. |
C – The requirements under Article 52(1) of the Charter (second question in Case C‑293/12 and first question in Case C‑594/12)
106. |
As I have already pointed out above, Directive 2006/24, which harmonises the rules adopted by the Member States in the context of an option provided for in Article 15(1) of Directive 2002/58, establishes a regime that partially derogates from the principles which are laid down by Directive 2002/58 and Directive 95/46 and guarantee the right to the protection of personal data and, more broadly, the right to privacy. |
107. |
More generally, the interference with the right to privacy constituted by Directive 2006/24 is permissible only to the extent that it complies with the conditions laid down by Article 52(1) of the Charter, that is to say, if it is ‘provided for by law’ and, more specifically, it meets the quality of law requirements, it respects the essence of the right to privacy and it is proportionate, that is to say, is necessary and genuinely meets objectives of general interest recognised by the European Union or the need to protect the rights and freedoms of others. |
1. The quality of the law
108. |
It is, in this instance, hardly worth pointing out that, since the collection and retention of data for the purpose of making them available are provided for by Directive 2006/24, the interference with the right to privacy which the directive constitutes must be regarded as being formally provided for by law, within the meaning of Article 52(1) of the Charter. |
109. |
That said, the Court’s concept of the requirement of being ‘provided for by law’ must, having regard to Article 52(3) of the Charter, be close to that adopted by the European Court of Human Rights, that is to say, it must go beyond a purely formal requirement and cover also the lack of precision of the law (‘quality of the law’), ( 86 ) to express it in the simplest terms possible. ( 87 ) |
110. |
It is true that such an examination could equally be placed in the context of a detailed analysis of the proportionality of the limitation. ( 88 ) However, in order to remain faithful to the approach of the case-law of the European Court of Human Rights, should other reasons not suffice, I consider that the first option must be preferred. |
111. |
When applying a more than formal interpretation of the requirement that any limitation must be provided for by law, the question which arises is whether the limitations on the exercise of fundamental rights which Directive 2006/24 contains are accompanied by the necessary degree of detail that is required to be displayed by the guarantees with which such limitations must be coupled. |
112. |
Article 4 of Directive 2006/24 provides that it is for the Member States to adopt measures to ensure that data retained are provided only to the competent national authorities in specific cases and in accordance with national law. The second sentence states that ‘[t]he procedures to be followed and the conditions to be fulfilled in order to gain access to retained data in accordance with necessity and proportionality requirements shall be defined by each Member State in its national law, subject to the relevant provisions of European Union law or public international law, and in particular the ECHR as interpreted by the European Court of Human Rights’. |
113. |
The difficulty which Directive 2006/24 raises, I would again like to repeat, is that it is a directive which seeks only to impose an obligation on the providers of electronic communications services to collect and retain traffic and location data for electronic communications, not to lay down the safeguards which must govern access to the retained data and their use. As stated above, Directive 2006/24 leaves this matter, in a general way, to the Member States. ( 89 ) |
114. |
Thus presented, the issue which arises is nothing other than whether the requirement that any limitation on fundamental rights must be ‘provided for by law’ may be fulfilled by such a general referral, even if accompanied by express mention of the rights guaranteed by Directive 95/46 and Directive 2002/58. |
115. |
It is necessary in that regard, first of all, to explain that a situation in which the European Union restricts itself to adopting legislation harmonising provisions invariably adopted by the majority of the Member States is not comparable to a situation in which the European Union decides, additionally, to make such legislation applicable generally. |
116. |
In the first case, the European Union can proceed as it did with Directive 2002/58, that is to say, essentially leave to the national legislatures the task of ensuring that the legislation adopted on their own initiative and entailing a limitation on fundamental rights contains all the guarantees necessary to ensure that the limitations and their application (‘access’) comply with all the quality of law requirements and the principle of proportionality. |
117. |
In the second case, on the other hand, where the limitation on fundamental rights stems from the legislation of the European Union itself and is therefore attributable to it, the European Union legislature’s share of the responsibility is quite different. In the case of directives, it is clear that it will be for the Member States to set out in detail the guarantees necessary to regulate the limitation on fundamental rights in an instance such as the present one. However, the European Union legislature must also play a leading role in defining those guarantees. It is from that perspective that it is necessary to examine compliance with the quality of the law requirement. |
118. |
In other words, the transition from an optional regime, such as that capable of being established on the basis of Article 15 of Directive 2002/58, to a regime prescribing a deadline, such as that laid down by Directive 2006/24, should have been accompanied by a simultaneous development as regards guarantees and therefore have led the European Union legislature to regulate in outline the very broad authority conferred on the Member States with regard to access to the data and their use, by the adoption of specifications in the form of principles. |
119. |
It should be pointed out first of all in that regard that both Directive 95/46 and Directive 2002/58 state that the measures limiting guaranteed rights which the Member States are allowed to adopt must be legislative in nature. ( 90 ) However, Directive 2006/24 refers only marginally to that formal requirement, ( 91 ) thereby weakening the level of the guarantees laid down by the directives from which it derogates. ( 92 ) |
120. |
The European Union legislature cannot, when adopting an act imposing obligations which constitute serious interference with the fundamental rights of citizens of the Union, entirely leave to the Member States the task of defining the guarantees capable of justifying that interference. It cannot content itself either with assigning the task of defining and establishing those guarantees to the competent legislative and/or administrative authorities of the Member States called upon, where appropriate, to adopt national measures implementing such an act or with relying entirely on the judicial authorities responsible for reviewing its practical application. It must, if it is not to render the provisions of Article 51(1) of the Charter meaningless, fully assume its share of responsibility by defining at the very least the principles which must govern the definition, establishment, application and review of observance of those guarantees. |
121. |
It has been stated and repeated that Directive 2006/24, as indicated in Article 4 thereof, ( 93 ) regulates neither access ( 94 ) to the data collected and retained nor their use, and indeed it could not in the light of the division of areas of competence between the Member States and the European Union. ( 95 ) However, the issue which now arises is precisely that of whether the European Union may ( 96 ) lay down a measure such as the obligation to collect and retain, over the long term, the data at issue without at the same time regulating it with guarantees on the conditions to which access and use of those data are to be subject, at least in the form of principles. It is this very regulation of the conditions for access and use of the collected and stored data which makes it possible to assess the scope of what that interference entails in practical terms and which may, therefore, determine whether or not the interference is constitutionally acceptable. |
122. |
There is, in fact, an intimate relationship between the specific configuration of the obligation to collect and retain data and the circumstances in which those data are, where appropriate, made available to the competent national authorities and used by them. It must even be considered that, without knowing how that access and use may take place, it is not really possible to reach an informed judgment on the interference resulting from the collection and retention at issue. |
123. |
While taking into consideration the fact that the legal basis of Directive 2006/24 was that of ensuring the proper functioning of the internal market and that all the detailed rules for access to the data and their use could not be included in its provisions, the ‘creating’ effect of the obligation that data be collected and retained which it contains meant that it should have been accompanied by a series of guarantees in the form of principles, as a necessary and essential addition. To that end, the general referral to the Member States is insufficient and cannot be remedied by the system of protection laid down by Directive 95/46 ( 97 ) or by Framework Decision 2008/977, ( 98 ) since they are not applicable. |
124. |
Even accepting the division suggested by Advocate General Bot in his Opinion in Ireland v Parliament and Council, and while sharing his view that it was, at that time at least, difficult to incorporate guarantees regarding access to the data retained, there was nothing to prevent the European Union legislature, in defining the obligation to collect and retain data, from accompanying that obligation with a series of guarantees at least in the form of principles, to be developed by the Member States, that were intended to regulate use of the data and, thereby, to define the exact extent and complete profile of the interference which that obligation entails. |
125. |
Accordingly, and without intending the following list to be exhaustive, it was for the European Union legislature to define the fundamental principles which were to govern the determination of the minimum guarantees for access to the data collected and retained and their use, including those which follow. |
126. |
The European Union legislature, in light of the intensity of the interference, should have provided a more precise description than ‘serious crime’ ( 99 ) as an indication of the criminal activities which are capable of justifying access of the competent national authorities to the data collected and retained. |
127. |
It should have guided the Member States’ regulation of authorisation to access the data collected and retained, by limiting access, if not solely to judicial authorities, at least to independent authorities, ( 100 ) or, failing that, by making any request for access subject to review by the judicial authorities or independent authorities and it should have required a case-by-case examination of requests for access in order to limit the data provided to what is strictly necessary. |
128. |
Similarly, it could have been expected to lay down the principle that Member States may provide for exceptions preventing access to retained data in certain exceptional circumstances or may prescribe more stringent requirements for access in situations in which access may infringe fundamental rights guaranteed by the Charter, as in the context of the right to medical confidentiality. |
129. |
The European Union legislature should have established the principle that the authorities authorised to access the data are required, first, to erase them once their usefulness has been exhausted and, second, to notify the persons concerned of that access, at least retrospectively, after the elimination of any risk that such notification might undermine the effectiveness of the measures justifying the use of those data. |
130. |
The need for the various guarantees in the non-exhaustive list above is confirmed by the fact that the European Union legislature itself, after the adoption of Directive 2006/24, adopted Framework Decision 2008/977, which guarantees the protection of personal data processed in the framework of police and judicial cooperation in criminal matters, and provided for guarantees of that very kind, albeit in the context of data transmitted between Member States. Framework Decision 2008/977 in fact excludes from its scope those data which are not exchanged between Member States, as is clear in particular from recital 9 in its preamble. ( 101 ) |
131. |
In conclusion, Directive 2006/24 is as a whole incompatible with Article 52(1) of the Charter, since the limitations on the exercise of fundamental rights which that directive contains because of the obligation to retain data which it imposes are not accompanied by the necessary principles for governing the guarantees needed to regulate access to the data and their use. |
132. |
It is also to be noted in that regard that the fact that Member States have frequently, on their own initiative and on the basis of requirements specific to their own legal systems, established the guarantees which Directive 2006/24 does not itself endeavour to outline ( 102 ) is admittedly a factor to be taken into account, as will be shown below, but this clearly cannot absolve the European Union legislature. |
2. Proportionality within the meaning of Article 52(1) of the Charter
133. |
Article 52(1) of the Charter requires not only that any limitation on the exercise of fundamental rights be ‘provided for by law’, but also that it be strictly subject to the principle of proportionality. That requirement of proportionality, as already pointed out, acquires, in the context of the Charter, a particular force, which it does not have under Article 5(4) TEU. Indeed, what is postulated here is not proportionality as a general principle of action by the European Union but, much more specifically, proportionality as a condition for any limitation on fundamental rights. |
134. |
In this context, the pursuit by the institutions of the European Union of the stated objective of Directive 2006/24, that is to say, to ensure that the data retained are available for the purpose of the prosecution of serious crime, is permissible only if it is compatible with, inter alia, the right to privacy. ( 103 ) |
135. |
However, it must be noted here that, having regard to the requirements examined above, dictating that the ‘law’ regulate with sufficient guarantees, at least in the form of principles, access to the data collected and retained by providers of electronic communications services and their use, the proportionality of the actual retention of data imposed by Directive 2006/24 no longer requires, with one exception, a particularly detailed examination beyond that which follows. |
136. |
Directive 2006/24 pursues a perfectly legitimate objective, that is to say, that of ensuring that the data collected and retained are available for the purpose of the investigation, detection and prosecution of serious crime, and may be regarded, given the limited powers of review that the Court may exercise in that regard, as appropriate and even, subject to the guarantees with which it should be coupled, as necessary for achieving that ultimate objective. ( 104 ) It is those guarantees which, in particular, may justify the, certainly very long, list of categories of data to be retained, laid down in Article 5 of Directive 2006/24. |
137. |
It is true that the fact that it may be possible to escape the application of Directive 2006/24 by using certain methods of communication is undoubtedly such as to limit considerably the actual effectiveness of the system of collection of traffic and location data which it imposes, in particular in relation to organised crime and terrorism. Nevertheless, that fact does not make it possible to regard the collection and retention of data as per se totally inappropriate for achieving the objectives pursued. Nor can it enable the Court to conclude that the collection and retention of data relating to everyday electronic communications are manifestly and entirely devoid of any purpose. |
138. |
It is important, however, from the perspective of the necessity of the measure, to emphasise here the significance of the provisions of Article 14 of Directive 2006/24, which imposes on the Commission the obligation to prepare a ( 105 ) report ( 106 ) on the directive’s implementation, based in particular on the statistics to be compiled by the Member States under Article 10 thereof, and to propose on that basis any necessary amendments, in particular with regard to the list of categories of data to be collected and retained and the period of retention. |
139. |
To that effect, and since Directive 2006/24 contains no provision which provides for the lapsing of the directive (‘sunset clause’), it is the duty of the legislature of the European Union to conduct a periodic reassessment of the circumstances that justify the serious limitation on the exercise of the right to privacy contained in the directive, thereby enabling it to examine whether those circumstances continue to be present and consequently to adapt or even repeal that limitation. |
140. |
That having been made clear, the exception which I have just referred to concerns the proportionality of Article 6 of Directive 2006/24, which determines the period of retention of the data collected. |
141. |
Article 6 of Directive 2006/24 lays down one of the basic elements of data retention as harmonised or, as the case may be, established by that directive, that is to say, its temporal scope. All data retained must in principle be destroyed in due course and it cannot be otherwise. However, in contrast to the principle laid down by Directive 2002/58, Article 6(1) of which provides for the traffic data processed and stored to be erased or made anonymous as soon as they are no longer needed for the purpose of the transmission of a communication, ( 107 ) the obligation to ensure the destruction of those data applies not almost immediately, but only after a certain period of time. The Member States are required to ensure that the data collected are retained for a period which may under no circumstances be less than six months and which, subject to the derogation provided for in Article 12 of Directive 2006/24, cannot be more than two years, the national legislatures being responsible for actually determining that period. |
142. |
Through that provision, the data retention under examination acquires a dimension of temporal continuity which plays a decisive role in the classification of the interference with the right to privacy contained in Directive 2006/24 as serious, in particular in contrast to the interference that would result from subsequent retention (‘data preservation’), which is known as ‘quick freeze’. ( 108 ) The idea that the data in question must remain accumulated for a period of time is one of the key aspects of a measure intended to make the public authorities better able to respond to certain forms of serious crime. The question is, however, whether the provisions of Article 6 of Directive 2006/24, laying down a minimum period of six months and a maximum period of two years, adequately comply with the requirements of the principle of proportionality. |
143. |
In that connection, once it may be regarded as established that the measure is in itself legitimate and appropriate, it remains to be ascertained whether it is necessary and, specifically, whether a measure less disruptive to the enjoyment of the fundamental rights at issue would allow the objective pursued to be attained. From that point of view, I would clarify that it is not sufficient merely to take the view that the Member States bear sole responsibility for any determination of a retention period of two years. From the moment when Directive 2006/24, in its function as a harmonising measure, establishes the upper limit for data retention at two years, that provision must itself be subject to a review of its proportionality. It is, in that regard, hardly necessary to point out that the question is not whether, from the point of view of the prevention of serious criminal activities, a longer retention and availability period is preferable to a shorter period, but whether, in the context of an examination of its proportionality, there is a specific need for it. |
144. |
It should, in that regard, be pointed out in the first place that an accumulation of data at indeterminate locations in cyberspace such as the accumulation at issue, which always concerns actual and particular persons, tends, whatever its duration, to be perceived as an anomaly. In principle, such a state of ‘retention’ of data relating to the private lives of individuals, even if it remains just that, should never exist and, where it does, should exist only having regard to other requirements of society. Such a situation can only be exceptional and therefore cannot extend in time beyond the period necessary. |
145. |
The period of retention which may be considered permissible in light of the principle of proportionality cannot be determined without according some discretion to the legislature. Nevertheless, this does not mean that all review of proportionality, albeit difficult, is to be precluded in that respect. |
146. |
In that regard, I think that it may be helpful to point out that a human being lives out his existence over a period which is by definition limited where the past, his own history and in the final analysis his memory, and the present, the more or less immediate lived experience, the awareness of what he is in the process of living through, converge. ( 109 ) Although it is difficult to define, a line, which is certainly different for each person, separates the past from the present. What appears unquestionable is the possibility of distinguishing between the perception of present time and the perception of the past. In each of those perceptions, an individual’s awareness of his own life, his ‘private life’ particularly, as a ‘recorded’ life may play a part. Further, there is a difference according to whether that ‘recorded life’ is the one which is perceived as his present or the one which is experienced as his own history. |
147. |
I am of the view that those considerations can be applied to the analysis of the proportionality of Article 6 of Directive 2006/24. If the principle of retaining all that personal documentation for a certain period of time is considered lawful, it remains to ask whether it is inevitable, that is to say, necessary, for it to be imposed on individuals over a period which covers not only ‘the present time’ but also ‘historical time’. |
148. |
In that regard, and with full awareness of the subjectivity which this entails, it may be considered that a retention period for personal data ‘which is measured in months’ is to be clearly distinguished from a period ‘which is measured in years’. The first period would correspond to that falling within what is perceived as present life and the second to that falling within life perceived as memory. The interference with the right to privacy is, from that perspective, different in each case and the necessity of both types of interference must be capable of being justified. |
149. |
Although the necessity of the interference in the dimension of present time seems to be sufficiently justified, I have found no justification for an interference extending to historical time. Expressed more directly, and without denying that there are criminal activities which are prepared well in advance, I have not found, in the various views defending the proportionality of Article 6 of Directive 2006/24, any sufficient justification for not limiting the data retention period to be established by the Member States to less than one year. In other words, and with all the caution that this aspect of the review of proportionality always requires, no argument was able to convince me of the need to extend data retention beyond one year. |
150. |
Finally, it must also be pointed out that Directive 2006/24 itself provides an additional argument in the form of the system it contains for extending the maximum period of data retention. Article 12 of that directive allows Member States facing particular circumstances, which in this instance are not defined, to extend the maximum retention period established under Article 6 thereof. However, such an extension is possible only for a limited period, the grounds for introducing it must be stated and it must be notified to the Commission, which has a period of six months to reach a decision on the planned measures, that is to say, to determine whether they are a means of arbitrary discrimination or a disguised restriction of trade between Member States and whether they constitute an obstacle to the functioning of the internal market. |
151. |
Even though the Commission may, in accordance with Article 12(2) of Directive 2006/24, reject those measures only on limited grounds, the existence of that system of extension supports my view that the determination, by Article 6 of that directive, of a maximum data retention period of up to two years in the absence of exceptional circumstances is not necessary and that it must be regarded as incompatible with the requirements under Articles 7 and 52(1) of the Charter. |
152. |
It follows that Article 6 of Directive 2006/24 is incompatible with Articles 7 and 52(1) of the Charter in so far as it requires Member States to ensure that the data specified in Article 5 of that directive are retained for a period of up to two years. |
D – The third question in Case C‑293/12
153. |
In view of the answers given to the two first sets of questions from the national courts, concerning the validity of Directive 2006/24, it does not seem necessary to provide an answer to the third question referred by the High Court in Case C‑293/12, concerning the requirements to examine and assess national measures implementing a directive in the light of the protections afforded by the Charter to which the national courts are subject. Nevertheless, and so far as is relevant, it seems to me that, as was stated by all the parties which submitted observations in this regard, that question clearly requires, having regard to the provisions and in the context of Article 51(1) of the Charter, an answer in the affirmative. ( 110 ) |
VI – The temporal effects of the finding of invalidity
154. |
Having regard to the conclusions to which I am led by the foregoing reasoning, it remains for me to examine the temporal consequences of the declaration of invalidity of Directive 2006/24. |
155. |
It must be recalled that, when the Court rules, in proceedings under Article 267 TFEU, that a measure adopted by the European Union institutions is invalid, its decision has the legal effect of requiring them to take the necessary measures to remedy that illegality, as the obligation laid down in Article 266 TFEU in the case of a judgment annulling a measure applies in such a situation by analogy. ( 111 ) |
156. |
However, where it is justified by overriding considerations of legal certainty, the second paragraph of Article 264 TFEU, which is applicable by analogy to a reference under Article 267 TFEU for a preliminary ruling on the validity of a measure of the European Union, confers on the Court a discretion to decide, in each particular case, which specific effects of the relevant measure must be regarded as definitive. ( 112 ) |
157. |
In cases in which the finding that an act of the European Union is invalid is based on an infringement of fundamental rights, the various interests involved must be very carefully weighed up. In the present instance, the relevance and even urgency of the ultimate objectives of the limitation on fundamental rights at issue are, on the one hand, not in doubt. The findings of invalidity, on the other hand, are of a very particular nature. First, Directive 2006/24 is invalid as a result of the absence of sufficient regulation of the guarantees governing access to the data collected and retained and their use (quality of the law), an absence which nevertheless may have been corrected in the implementing measures adopted by the Member States. Secondly, the Member States have, in general, as is apparent from the information provided to the Court, exercised their powers with moderation with respect to the maximum period of data retention. |
158. |
It is appropriate, in those circumstances, to suspend the effects of the finding that Directive 2006/24 is invalid pending adoption by the European Union legislature of the measures necessary to remedy the invalidity found to exist, but such measures must be adopted within a reasonable period. |
VII – Conclusion
159. |
In light of the foregoing considerations, I propose that the Court should answer the questions referred by the High Court in Case C‑293/12 and the Verfassungsgerichtshof in Case C‑594/12 as follows:
( 1 ) Original language: French.
( 2 ) That is to say, the directive of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC (OJ 2006 L 105, p. 54).
( 3 ) ‘the Charter’.
( 4 ) It must be noted that the transposition of Directive 2006/24 has resulted in several actions for a declaration that a Member State has failed to fulfil its obligations, and that an action founded on Article 260(3) TFEU is still pending (Case C‑329/12 Commission v Germany).
( 5 ) OJ 1995 L 281, p. 31. With regard to the litigation generated by the transposition of that directive, see Case C-518/07 Commission v Germany [2010] ECR I-1885 and Case C-614/10 Commission v Austria [2012] ECR; see also, more generally, Joined Cases C-465/00, C-138/01 and C-139/01 Österreichischer Rundfunk and Others [2003] ECR I-4989; Case C-101/01 Lindqvist [2003] ECR I-12971; Case C-524/06 Huber [2008] ECR I-9705; Case C-73/07 Satakunnan Markkinapörssi and Satamedia [2008] ECR I-9831; Case C-553/07 Rijkeboer [2009] ECR I-3889; Joined Cases C-92/09 and C-93/09 Volker und Markus Schecke and Eifert [2010] ECR I-11063; Case C-70/10 Scarlet Extended [2011] ECR I-11959; Joined Cases C-468/10 and C-469/10 ASNEF and FECEMD [2011] ECR I-12181; and Case C‑342/12 Worten [2013] ECR.
( 6 ) OJ 2002 L 201, p. 37. With regard to the litigation generated by the transposition of that directive, see the judgments of 28 April 2005 in Case C‑375/04 Commission v Luxembourg and Case C‑376/04 Commission v Belgium and the judgment of 1 June 2006 in Case C‑475/04 Commission v Greece; see also, more generally, Case C-275/06 Promusicae [2008] ECR I-271; the order in Case C-557/07 LSG-Gesellschaft zur Wahrnehmung von Leistungsschutzrechten [2009] ECR I-1227; Case C-543/09 Deutsche Telekom [2011] ECR I-3441; Scarlet Extended; Case C‑461/10 Bonnier Audio and Others [2012] ECR; and Case C‑119/12 Probst [2012] ECR.
( 7 ) ‘The 2005 Criminal Justice Act’.
( 8 ) Datenschutzgesetz 2000, BGBl. I 165/1999, in the version published at BGBl. I 112/2011; ‘the DSG’.
( 9 ) Bundesgesetz, mit dem das Telekommunikationsgesetz 2003 – TKG 2003 geändert wird, BGBl. I 27/2011.
( 10 ) Telekommunikationsgesetz 2003; ‘the TKG 2003’.
( 11 ) See, with regard to the wording of that article, Annex I, point III.2.
( 12 ) ‘DRI’.
( 13 ) ‘The ECHR’.
( 14 ) ‘The B-VG’.
( 15 ) ‘The IHRC’.
( 16 ) ‘The EDPS’.
( 17 ) Case C-301/06 [2009] ECR I-593.
( 18 ) See Article 1(1) of Directive 95/46.
( 19 ) See Article 1(2) of Directive 95/46.
( 20 ) See Articles 10 and 11 of Directive 95/46.
( 21 ) See Article 12 of Directive 95/46.
( 22 ) See Article 14 of Directive 95/46.
( 23 ) See Article 22 of Directive 95/46.
( 24 ) Directive of the European Parliament and of the Council of 15 December 1997 concerning the processing of personal data and the protection of privacy in the telecommunications sector (OJ 1998 L 24, p. 1).
( 25 ) To use the actual wording of Article 1(2) of Directive 2002/58.
( 26 ) See Article 1(1) of Directive 2002/58.
( 27 ) See, in particular, in addition to Article 5(2), Article 15(1) of Directive 2002/58.
( 28 ) See Article 5(1) of Directive 2002/58.
( 29 ) Emphasis added.
( 30 ) See, inter alia, recitals 1 to 6 in the preamble to Directive 2006/24.
( 31 ) For ease of reference, I shall simply refer, in the following reasoning, to ‘providers of electronic communications services’.
( 32 ) See recital 21 in the preamble to Directive 2006/24 and Article 1(1) thereof.
( 33 ) See recitals 4 and 5 in the preamble to Directive 2006/24.
( 34 ) Article 3(1) of Directive 2006/24 states that the obligation to retain data laid down by that provision derogates from Articles 5, 6 and 9 of Directive 2002/58.
( 35 ) See paragraph 84.
( 36 ) Following the words used by the Court in paragraph 80 of Ireland v Parliament and Council.
( 37 ) See paragraphs 80 and 81.
( 38 ) See paragraph 72.
( 39 ) See paragraphs 63 and 65 to 69.
( 40 ) See paragraphs 64 and 70.
( 41 ) It was a question, in this instance, of preventing the divergences between the various national rules from growing; see Ireland v Parliament and Council, paragraphs 64 and 70.
( 42 ) Emphasis added.
( 43 ) Recital 5 in the preamble to Directive 2006/24 states that national laws ‘vary considerably’.
( 44 ) Emphasis added.
( 45 ) See below, in point 72, my reasoning concerning that feeling.
( 46 ) In accordance with the ‘chilling effect’ doctrine. US Supreme Court, Wiemann v. Updegraff, 344 US 183 (1952); European Court of Human Rights, Altuğ Taner Akçam v. Turkey, no. 27520/07, § 81, 25 October 2011; see, inter alia, ‘The Chilling Effect in Constitutional Law’, Columbia Law Review, 1969, Volume 69, No 5, p. 808.
( 47 ) Council Framework Decision of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters (OJ 2008 L 350, p. 60).
( 48 ) As I have already had the opportunity to explain in points 74 to 80 of my Opinion in Scarlet Extended.
( 49 ) With regard to that concept, see, in particular, Hoffmann-Riem, W., ‘Informationelle Selbstbestimmung in der Informationsgesellschaft – auf dem Wege zu einem neuen Konzept des Datenschutzes’, Archiv des öffentlichen Rechts, 1998, Volume 123, p. 513, and Poullet, Y., and Rouvroy, A., ‘Le droit à l’autodétermination informationnelle et la valeur du développement personnel. Une réévaluation de l’importance de la vie privée pour la démocratie’, in État de droit et virtualité, Benyekhlef, K., and Trudel, P., eds, Thémis, Montreal, 2009, p. 158.
( 50 ) See recital 15 in the preamble to Directive 2006/24.
( 51 ) See recital 20 in the preamble to Directive 2006/24.
( 52 ) See, to that effect, point 51 of the Opinion of Advocate General Kokott in Promusicae.
( 53 ) Volker und Markus Schecke and Eifert. This connection is also expressly established in the explanations on the Charter; see Explanation on Article 8 – Protection of personal data, which states that Article 8 of the Charter is, inter alia, based on Article 8 of the ECHR, guaranteeing the right to privacy.
( 54 ) That link means in particular that the case-law of the European Court of Human Rights on the interpretation of Article 8 of the ECHR (‘right to respect for private and family life’) that relates to the protection of personal data retains, in accordance with Article 52(3) of the Charter, all its relevance for the purpose of interpretation of Article 8 of the Charter.
( 55 ) Volker und Markus Schecke and Eifert, paragraph 52.
( 56 ) The European Court of Human Rights has repeatedly held that it is ‘not possible or necessary to attempt an exhaustive definition of the notion of “private life”’; see, inter alia, Niemietz v. Germany, 16 December 1992, § 29, Series A no. 251-B. It is, in any event, a ‘broad’ concept; see Pretty v. United Kingdom, no. 2346/02, ECHR 2002-III. On the concept of private life, see in particular Rubenfeld, J., ‘The Right of Privacy’, Harvard Law Review, 1989, Vol. 102, p. 737; De Schutter, O., ‘La vie privée entre droit de la personnalité et liberté’, Revue trimestrielle des droits de l’homme, 1999, p. 827; Wachsmann, P., ‘Le droit au secret de la vie privé’, in Sudre, F., Le droit au respect de la vie privée au sens de la Convention européenne des droits de l’homme, Bruylant, 2005, p. 119; and Rigaux, F., ‘La protection de la vie privée en Europe’, in Le droit commun de l’Europe et l’avenir de l’enseignement juridique, de Witte, B., and Forder, C., eds, Metro, Kluwer, 1992, p. 185.
( 57 ) See recital 9 in the preamble to Directive 2006/24.
( 58 ) See Ireland v Parliament and Council, paragraph 57, and, below, my reasoning in relation thereto.
( 59 ) See, inter alia, Leander v. Sweden, 26 March 1987, § 48, Series A, no. 116.
( 60 ) See, inter alia, Amann v. Switzerland [GC], no. 27798/95, §§ 65, 69 and 80, ECHR 2000-II.
( 61 ) Emphasis added.
( 62 ) See recital 13 and Articles 1(2) and 5(2).
( 63 ) See, to that effect, Nettesheim, M., Grundrechtsschutz der Privatheit, in Der Schutzauftrag des Rechts, Veröffentlichungen der Vereinigung der Deutschen Staatsrechtslehrer, 2011, Volume 70, p. 7.
( 64 ) Concerning the interference resulting merely from the retention of information, which was, moreover, collected prior to the entry into force of the ECHR, see European Court of Human Rights, Rotaru v. Romania [GC], no. 28341/95, § 46, ECHR 2000-V.
( 65 ) Recital 13 in the preamble to Directive 2006/24 states that the retention obligation is concerned only with ‘data which are accessible’, which means that, for data relating to Internet e-mail and Internet telephony, it may apply ‘only in respect of data from the providers’ or the network providers’ own services’.
( 66 ) To use the expression employed by the Bundesverfassungsgericht (German Federal Constitutional Court) in its judgment of 2 March 2010, No 1 BvR 256/08, 1 BvR 263/08 and 1 BvR 586/08, http://www.bundesverfassungsgericht.de/entscheidungen/rs20100302_1bvr025608.html.
( 67 ) With regard to taking account of the multiplier effect of modern information technologies and particularly the Internet, see, in particular, European Court of Human Rights, Mouvement raëlien suisse v. Switzerland, no. 16354/06, § 54 et seq., 13 January 2011; Akdaş v. Turkey, no. 41056/04, § 28, 16 February 2010; and Willem v. France, no. 10883/05, § 36 and 38, 16 July 2009.
( 68 ) See Article 3(1) of Directive 2006/24, which defines the retention obligation.
( 69 ) See Article 8 of Directive 2006/24, entitled ‘Storage requirements for retained data’.
( 70 ) Which the Bundesverfassungsgericht pointed out in its judgment of 2 March 2010, cited above (paragraph 214).
( 71 ) To that effect, Bast, J., and von Bogdandy, A., in Grabitz, Hilf and Nettesheim, Das Recht der Europäischen Union, Beck, 50. Lieferung 2013, Artikel 5, and Streinz, R., in Streinz, R., (ed.), EUV/AEUV, Beck, 2nd edition, 2012, Artikel 5.
( 72 ) See Article 4(2)(a) TFEU.
( 73 ) See Case C‑504/09 P Commission v Poland [2012] ECR, paragraph 79, and Case C‑505/09 P Commission v Estonia [2012] ECR, paragraph 81.
( 74 ) Proposal for a Directive of the European Parliament and of the Council on the retention of data processed in connection with the provision of public electronic communication services and amending Directive 2002/58 (COM(2005) 438 final).
( 75 ) See, inter alia, Joined Cases C-453/03, C-11/04, C-12/04 and C-194/04 ABNA and Others [2005] ECR I-10423, paragraph 68; Case C-58/08 Vodafone and Others [2010] ECR I-4999, paragraph 51; and Volker und Markus Schecke and Eifert, paragraph 74.
( 76 ) The description used by the Court in Ireland v Parliament and Council, paragraph 85.
( 77 ) See, in particular, Case C-34/08 Azienda Agricola Disarò Antonio and Others [2009] ECR I-4023, paragraphs 76 to 83.
( 78 ) Ibid., paragraph 76 and the case-law cited.
( 79 ) See, in particular, Case C-150/94 United Kingdom v Council [1998] ECR I-7235.
( 80 ) See, inter alia, Case C-266/05 P Sison v Council [2007] ECR I-1233, paragraphs 32 to 34; Case C-127/07 Arcelor Atlantique et Lorraine and Others [2008] ECR I-9895, paragraph 57; and Vodafone and Others, paragraph 52.
( 81 ) See Vodafone and Others, paragraph 53.
( 82 ) See, inter alia, Case C-189/01 Jippes and Others [2001] ECR I-5689, paragraphs 82 and 83; Case C-491/01 British American Tobacco (Investments) and Imperial Tobacco [2002] ECR I-11453, paragraph 123; Joined Cases C-154/04 and C-155/04 Alliance for Natural Health and Others [2005] ECR I-6451, paragraph 52; and Case C-309/10 Agrana Zucker [2011] ECR I-7333, paragraph 84.
( 83 ) See recital 6 in the preamble to Directive 2006/24.
( 84 ) See recital 6 in the preamble to Directive 2006/24. See also the Evaluation report on the Data Retention Directive (Directive 2006/24/EC) of 18 April 2011, delivered by the Commission to the European Parliament and to the Council (COM(2011) 225 final; ‘the Evaluation report on Directive 2006/24’), point 3.2.
( 85 ) See Ireland v Parliament and Council, paragraph 85.
( 86 ) The Court, it must be pointed out, has not yet had the opportunity to rule either on the content of the minimum requirements of the ‘quality of the law’ or on the respective obligations of the institutions and the Member States of the European Union in that regard.
( 87 ) See, in that regard, points 88 to 100 of my Opinion in Scarlet Extended.
( 88 ) As it was by the Bundesverfassungsgericht in its judgment of 2 March 2010, cited above, paragraphs 197 to 203.
( 89 ) To that effect, see also Ireland v Parliament and Council.
( 90 ) See recital 54 in the preamble to Directive 95/46 and Article 13(1) and (2) thereof, as well as Article 15(1) of Directive 2002/58.
( 91 ) The sole reference made by Directive 2006/24 to that requirement is contained in recital 17, which states that it is essential that Member States adopt legislative measures to ensure that data retained are provided to the competent national authorities only in accordance with national legislation in full respect of the fundamental rights of the persons concerned. However, this point is not contained in the corresponding provisions of Article 4 of Directive 2006/24.
( 92 ) It must be recalled here that, as the Court has pointed out, it is apparent in particular from recital 10 in the preamble to, and from Article 1 of Directive 95/46, that the latter seeks also not to weaken the protection guaranteed by the existing national rules, but on the contrary to ensure, in the European Union, a high level of protection of fundamental rights and freedoms with respect to the processing of personal data; see Case C‑518/07 Commission v Germany, paragraph 22.
( 93 ) Article 4 of Directive 2006/24 states that it is for the Member States to ensure that data retained ‘are provided only to the competent national authorities in specific cases and in accordance with national law’ and, more specifically, to define in their national law ‘[t]he procedures to be followed and the conditions to be fulfilled in order to gain access to retained data’.
( 94 ) Emphasis added.
( 95 ) In that respect, see point 122 et seq. of the Opinion of Advocate General Bot in Ireland v Parliament and Council. See also the first indent of Article 3(2) of Directive 95/46, and Framework Decision 2008/977.
( 96 ) Emphasis added.
( 97 ) With regard to the processing of personal data concerning activities of the State relating to the areas of criminal law, public security or national security, see the first indent of Article 3(2) of Directive 95/46.
( 98 ) See Article 1(2) of Framework Decision 2008/977 and recitals 7 and 9 in the preamble thereto.
( 99 ) See recital 21 in the preamble to and Article 1(1) of Directive 2006/24.
( 100 ) Under Article 4 of Directive 2006/24, only the competent national authorities are allowed access to the data retained, which means that it is not necessarily only the judicial authorities that have such access.
( 101 ) See also Article 1(2) of Framework Decision 2008/977 and recital 7 in the preamble thereto.
( 102 ) It must, in that regard, be pointed out that the transposition of Directive 2006/24 in the various Member States has not been without difficulties and continues to cause difficulties of various kinds, as is demonstrated by the decisions delivered by the Curtea Constituțională (Romanian Constitutional Court, see the decision of 8 October 2009, No 1.258; for a translation into English, see http://www.ccr.ro/files/products/D1258_091.pdf), by the Bundesverfassungsgericht (see the judgment of 2 March 2010), by the Ústavní Soud (Czech Constitutional Court, see the judgment of 22 March 2011, Pl. ÚS 24/10; for a translation into English, see http://www.usoud.cz/en/decisions/?tx_ttnews%5Btt_news%5D=40&cHash=bbaa1c5b1a7d6704af6370fdfce5d34c), by the Varhoven administrativen sad (Supreme Administrative Court of Bulgaria, decision of 11 December 2008, No 13627) or by the Anotato Dikastirio tis Kipriakis Dimokratias (Supreme Court of Cyprus, decision of 1 February 2011, No 183(Ι)/2007). It appears that an action has been brought before the Alkotmánybíróság (Hungarian Constitutional Court, see ‘Hungarian Data Retention Law – Challenged at the Constitutional Court’, EDRI-Gram No 6.11, 4 June 2008) and another is pending before the Ustavno sodišče (Slovenian Constitutional Court, see ‘Slovenia: Information Commissioner challenges the Data Retention Law’, EDRI-Gram No 11.6, 27 March 2013).
( 103 ) See Volker und Markus Schecke and Eifert, paragraph 76.
( 104 ) Recital 9 in the preamble to Directive 2006/24 states in that regard that the directive constitutes ‘a necessary and effective investigative tool for law enforcement in several Member States, and in particular concerning serious matters such as organised crime and terrorism’. In that regard, see the Evaluation report on Directive 2006/24.
( 105 ) Emphasis added.
( 106 ) The Commission fulfilled its obligation in that regard with the publication of the Evaluation report on Directive 2006/24.
( 107 ) With regard to the omnipresence of the erasure principle in Directive 2002/58, see more generally recitals 22, 23, 26, 27 and 28 in the preamble thereto.
( 108 ) It is that subsequent retention which is provided for by, inter alia, Article 16 of the Council of Europe Convention on Cybercrime, signed at Budapest on 23 November 2001. With regard to that concept, see the Evaluation report on Directive 2006/24.
( 109 ) Elias, N., Du temps, Fayard, 1998; Rosa, H., Accélération. Une critique sociale du temps, La Découverte, 2013.
( 110 ) See, inter alia, Case C-145/09 Tsakouridis [2010] ECR I-11979, paragraphs 50 to 52; Case C‑472/11 Banif Plus Bank [2013] ECR, paragraph 29; and Case C‑617/10 Åkerberg Fransson [2013] ECR, paragraphs 21 and 25 to 30.
( 111 ) See, inter alia, Joined Cases C‑120/06 P and C‑121/06 P FIAMM and Others v Council and Commission [2008] ECR I-6513, paragraph 123.
( 112 ) See, inter alia, Case C-228/99 Silos [2001] ECR I-8401, paragraph 35, and Case C-333/07 Regie Networks [2008] ECR I-10807, paragraph 121.