Member States of the European Union have been reminded by the Council that the recent European Court of Justice decision concerning data protection is binding and has serious implications for privacy and data protection in the EU. The decision of the Court’s Grand Chamber was that the EU’s 2006 Data Protection Directive was invalid on the grounds that it was an unlawful interference with the right to privacy and a violation of rules concerning personal data protection contained in the Charter of Fundamental Rights. The judgment is the outcome of a case taken by Digital Rights Ireland, whose chairman TJ McIntyre welcomed it as a confirmation that “untargeted monitoring of the entire population is unacceptable in a democratic society”.
The Data Directive and the judgment have particularly relevance in Ireland, given the presence of several of the world’s largest information and technology companies and their connection with the NSA surveillance scandal. The European Court of Justice had noted that the Directive covered all phone, e-mail and internet “traffic data” and as such could be seen to amount to:
an interference with the fundamental rights of practically the entire European population
The Directive covered persons “in a generalised manner…without any differentiation, limitation or exception being made in the light of the objective of fighting against serious crime”. Therefore, the Court held, the Directive comprehensively affects:
all persons using electronic communications services, but without the persons whose data are retained being, even indirectly, in a situation which is liable to give rise to criminal prosecutions. It therefore applies even to persons for whom there is no evidence capable of suggesting that their conduct might have a link, even an indirect or remote one, with serious crime. Furthermore, it does not provide any exception, with the result that it applies even to persons whose communications are subject, according to rules of national law, to the obligation of professional secrecy.
A recent article by Derek Scally in the Irish Times addressed the subject of data protection in Ireland and the performance to date of the Data Protection Commissioner, Billy Hawkes (Ireland: Prisoner of Big Tech?). The Commissioner has been criticised for having taken a light-touch approach to regulation. This is partly the reason as to why large multinationals have based their European Headquarters in Ireland, according to Johannes Caspar, data protection regulator in Hamburg:
The problem we have with Facebook is that it appears to have chosen a location where not only the tax but also the data protection regime suits its business practices.
Derek Scally also interviewed Joachim Wahlbrink, the data protection commissioner in Lower Saxony, who commented on the insufficient resources given to data protection in Ireland that “[n]ot being adequately resourced shows me how the political wind blows in Ireland”. The European Court of Justice decision may force a change in this context. In its reminder to member States, the Council put it that:
…the Court of Justice will not satisfy itself with anything less than a strict assessment of the proportionality and necessity of measures that constitute serious restrictions to fundamental rights, however legitimate the objectives pursued by the EU legislature. [...] such measures do not stand a serious chance of passing the legality test unless they are accompanied by adequate safeguards in order to ensure that any serious restriction of fundamental rights is circumscribed to what is strictly necessary and is decided in the framework of guarantees forming part of Union legislation instead of being left to the legislation of Member States.
On the heels of the European judgment, the EU has to revisit this issue and national legislation will likely have to be changed. Digital Rights Ireland and others will be keeping a close eye.