The key objective of the Data Retention Directive (DRD) is to ensure that "certain data are available for the purposes of investigation, detection and prosecution of serious crime." But this objective is, and always has been, subject to respect for recognised rights. The CJEU's judgment now means that member state lawmakers need to think even more so in these terms – they must ensure that all of their laws set the balance between respect for privacy and crime prevention in a way that is compatible with the EU's Charter of Fundamental Rights, and perhaps as importantly, the CJEU's views on how to achieve that balance.
At EU level, reforms are being proposed which will introduce another law to support the DRD's underlying objective, much of which is set out in the European Commission's proposal for a Directive on the protection of individuals with regard to the processing of personal data by competent authorities. The European Parliament has adopted an amended version of this law which would, if introduced, exist alongside a much more widely reported new General Data Protection Regulation.
Whilst very little has been written about the proposed Directive, it sets out much of the same rules in relation to data processing and protection as the draft Regulation does, only it does so in respect of the specific purpose of public authorities investigating criminal activities, while the Regulation sets out those details in respect of public and private sector businesses handling data generally.
While the new potential legislation does not define the scope of what data may be collected or accessible by public authorities, it is not silent on the matter either. The Commission's version provides some detail in recital 19 for example: "For the prevention, investigation and prosecution of criminal offences, it is necessary for competent authorities to retain and process personal data, collected in the context of the prevention, investigation, detection or prosecution of specific criminal offences beyond that context to develop an understanding of criminal phenomena and trends, to gather intelligence about organised criminal networks, and to make links between different offences detected."
Although the European Parliament has not accepted recital 19, its inclusion by the Commission highlights that there remains uncertainty as to the scope of the obligations and restrictions that could be imposed by the draft Directive. It remains to be seen what similar provisions regarding scope may be included by the Council of Ministers and what the Commission will be willing to accept. The Parliament and the Council must both agree on and vote to formally approve the same wording for the Directive before it can become law.
The interpretation of the Directive and member state laws made under it about what public authorities can and cannot do with data may be affected by the interpretation given by the CJEU as to the legitimacy of the Data Retention Directive.
The interpretation may also impact on the legitimacy of other current laws which impose retention obligations on organisations. It is possible that public authority powers under member states laws will need to be revised as a result of the CJEU's views as to the proportionality of the DRD in meeting its objectives.
The CJEU has reasoned that laws which require data to be retained that do not include limitations as to which persons they apply to, the time period and geographical zone to which data required to be retained relate, and which lack clear restrictions on access, are generally incompatible with the EU Charter. Businesses and individuals affected by laws relating to, for instance, their finances or other matters which do not meet these criteria, likely now have reason to review their validity.
There is also the issue regarding the interplay between the 'right to be forgotten' and erasure obligations under current and proposed data protection laws and retention of data obligations. The right to be forgotten, as proposed by the Commission would not apply where retention is 'lawful'.
Policies that businesses put in place as to when they must respond to data subject requests in connection with the right to be forgotten if it is eve given the force of law, will need to reflect laws on retention of data. In light of the CJEU’s judgment, in many cases where a business could have been under the impression that it may have been entitled to refuse a request for erasure, it now may not be entitled to do so.
Generally, businesses should be very clear as to how they classify data. Clear data classification protocols and having policies in place based on clearly understood distinctions will make it easier for businesses to respond to changes in law in relation to retention obligations and access to data. It will also help businesses avoid complication when requests for data are made by regulators and data subjects.
Luke Scanlon is a technology law expert for Pinsent Masons, the law firm behind Out-Law.com