On 8 April 2014, the Court of Justice of the European Union has declared the Data Retention Directive (2006/24/EC) invalid.
The Court, in a very comprehensive judgment, has ruled that the EU legislature has exceeded the limits imposed by compliance with the principle of proportionality by adopting the Data Retention Directive.
The retention of traffic data may be appropriate for attaining the objectives of fighting serious crime and terrorism, “but the wide-ranging and particularly serious interference of the directive with the fundamental rights at issue are not sufficiently circumscribed to ensure that that interference is actually limited to what is strictly necessary”.
1. The directive covers all individuals, all means of electronic communication, and all traffic data without any differentiation, limitation or exception.
2. The directive fails to lay down any objective criterion that the data can only be accessed for the intended purposes by by the competent authorities.
3. The blanket retention period (to be decided on a member state basis between 6 months and 24 months) is incompatible with the notion of data minimization (only retain what is strictly necessary).
4. There are insufficient safeguards against abuse and unlawful access to the data.
5. The directive fails to require the data to be retained within the EU, and hence effective oversight by an independent EU authority is not guaranteed.
Source Press Release no 54/14, Luxembourg, 8 April 2014