Law enforcement agencies were dealt a blow today when the European Court of Justice in Luxembourg declared the current EU directive on data protection invalid.
Under the current arrangement, passed in 2006 and signed into law in most member states, Internet service providers and phone companies are obliged to hold on to customer data for periods from six months to a maximum of two years to aid in the investigation of ‘serious crime’ such as terrorism or organised crime.
The challenge, brought by Digital Rights Ireland and the Government of the province of Carinthia in Austria, argued that the definition of ‘serious crime’ was vague and could extend to any piece of information about any citizen in the EU. The Court agreed with the argument that the current directive gave scope for agencies to compromise individuals’ right to privacy and develop detailed profiles of people based on their behaviour online.
While the Court said the length of data retention was not unreasonable, the vague criteria could leave any information, regardless of relevance to an investigation, open to analysis.
In a second point, the Court said there was little direction on the nature of offenses national authorities could invoke to justify interference with personal data.
Thirdly, the Court said that the lack of clarity on what data should be retained for what period of time could leave information open to abuse.
The Court also said the directive did not provide sufficient safeguards to ensure against abuse and unlawful access to retained personal data or its irreversible destruction once its period of retention was complete. Nor does data on EU citizens have to be stored within member states for any new measure to apply. This could have serious ramifications for cross-border anti-terrorism investigations involving the US, whose surveillance programs run contrary to the Court’s ruling.
“The Court takes the view that, by requiring the retention of those data and by allowing the competent national authorities to access those data, the directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data,” a statement from the European Court of Justice read today. “…the directive does not fully ensure the control of compliance with the requirements of protection and security by an independent authority, as is, however, explicitly required by the Charter. Such a control, carried out on the basis of EU law, is an essential component of the protection of individuals with regard to the processing of personal data.”
TechCentral Reporters