Case Commentary - Digital Rights

Ireland Ltd v Minister for

Communications, Marine and Natural
Resources and others

Introduction

In the case of “Digital Rights Ireland Ltd v Minister for

Communications, Marine and Natural Resources and
others (Cases C-293/12 and C- 594/12) EU:C:2014:238
(08 April 2014)” The European Court of Justice(ECJ)
held in its abovementioned judgement that In
accordance with Articles 7 and 8 of the European Union
Charter of Fundamental Rights, a directive from the
European Union mandating Internet service providers
(ISPs) to retain communications data to aid in the
prevention and prosecution of criminal activity was
declared unconstitutional.

There were multiple similar cases that were filed in

different countries such as Ireland and Austria
regarding the constitutionality of the directives in
respect of lawfulness of the step taken. The European
Court of Justice said that, the directives issued were
legitimate and has proper intention of and aim to curb
and fight the serious crimes, it it was held that the
measure was not able to pass the proportionality test,
which was applied to determine its effect with regard to
right of the people and appropriateness of the said
directives to achieve the end goal.

It was said that the said directives were in violation of

Article 7 and Article 8 of the Charter of the
Fundamental Rights which provided the “Right to
respect for private life and protection of personal data”

“As regards the necessity for the retention of

data required by Directive 2006/24, it must be
held that the fight against serious crime, in
particular against organised crime and terrorism,
is indeed of the utmost importance in order to
ensure public security and its effectiveness may
depend to a great extent on the use of modern
investigation techniques. However, such an
objective of general interest, however
fundamental it may be, does not, in itself, justify
a retention measure such as that established by
Directive 2006/24 being considered to be
necessary for the purpose of that fight.”
Facts

In the year of 2006, The European Parliament and the

Council of European Council (“EU”) gave the directives
of retention of data, it directed TSPs to maintain the
tack of location and traffic data, with the intention to
prevent the serious crimes and also to help the
authorities in their investigation. These directives were
also aimed to bring uniformity among European Union
laws and legislations in regard to information retention.

Later, Digital Rights, which is a digital advocacy group

in Ireland filed an petition in High of Ireland against the
legitimacy and constitutionality of the law regarding the
retention of data relating to electronic communications
by the authorities. They prayed in front to the High
Court to declare the Data Retention Directive and of
Part 7 of the Criminal Justice (Terrorist Offences) Act
2005 which mandated that telephone companies keep
customer traffic and location data for a set amount of
time in order to prevent, detect, investigate, and
prosecute criminal activity and protect public safety as
as invalid.

In its response, the High Court of Ireland held that it

cannot resolve the issues related to the national law,
until the same has been examined and scrutinized
properly, in regard to it the High court of Ireland put
the stay on the said proceedings and referred the same
to European Court of Justice for preliminary decision.

In Austria too, many cases were brought before the

Constitutional Court of Austria challenging the Austrian
law in regard to the directives of data retention from
the European Parliament and Council of European
Union.

Austrian Constitutional Court held that the retention of

data related to individuals whose behaviour in no way
supported such retention was impacted. So, people
were at more danger since the information could be
used by authorities to look into them, make inferences
about their personal life, and do a variety of other
things.
This issue of interfering with privacy in addition to that
fact that this data will be in possession of non-
calculable number of people for atleast six months The
Austrian Constitutional Court stated that there were
questions about the Data Retention Directive's ability to
accomplish the goals it set out to accomplish. The
matter was referred to the European Court of Justice
(ECJ) and the proportionality of the interference with
the relevant basic rights was also questioned.
The President of the Court issued an order joining the
two cases.

Issue
“Whether the Data Retention Directive which provided
for retention of personal data by TSPs for the purposes
of prevention and investigation of crimes was valid in
light of Article 7, Article 8 and Article 11 of the Charter
of Fundamental Rights.”

Judgement

In the present case, The Grand Chamber of the Court

of Justice similarly determined that the Directive was
unconstitutional. It followed the Advocate General's
lead regarding how difficult it is to determine whether
the measure is generally proportionate given its
contentious true goal. Contrary to the ruling in Ireland
v. Council and Parliament, the Court stated that the
Directive's primary goal was to unify data retention
laws without providing additional context “in order to
ensure that the data was available for the purpose of
the prevention, investigation, detection and
prosecution of serious crime”

The Court of Justice assumed that the action directly

and specifically affected the protection of personal data
(Article of the Charter of Fundamental Rights) and the
right to private life (Article 7 of the Charter), even
though it acknowledged that the Directive allowed for
very precise conclusions to be drawn about the private
lives of the people whose data had been retained,
which could impact on freedom of expression. The
Luxembourg judges, following in the footsteps of their
Strasbourg counterparts, determined that the data
retention requirement of the Directive (Articles 3 and 6
of the Charter of Fundamental Rights) constituted “in
itself an interference” with the right to privacy, and
that the Directive’s regulations regarding data access
(Articles 4 and 8 of the Charter of Fundamental Rights)
constituted a further interference (Article 5).
Additionally, the Court assumed that the Directive
infringed against the right to the protection of personal
data by allowing for the processing of personal data.
The interferences were described as wide-ranging,
particularly serious, and "likely to generate in the
minds of the persons concerned everyone the feeling
that their private lives are the subject of constant
surveillance" without providing any specific
justification.
The Court examined whether the Directive's
interference with the rights to data protection and
privacy under Article 52(1) of the Charter of
Fundamental Rights was lawful. It omitted the step of
the test quality of law, which the Advocate General had
gone into great detail about. Additionally, the Court
made a swift decision to uphold the "essence" of both
the right to personal data protection and the right to
privacy, as the Directive required adherence to certain
data security and protection rules and did not address
the nature of communications. The Court accepted that
data retention really served an objective of broad
interest since combating terrorism and serious crime
increased security, which made it a valid objective of
general interest. Based on data obtained from
intervening parties' responses to its questions, the
Court then conducted a comprehensive analysis of
proportionality. It first referred to its own prior legal
precedent, which had assessed whether measures did
not surpass the bounds of what is reasonable and
essential to accomplish those goals, before looking to
Strasbourg for guidance in defining the extent of
latitude afforded to the EU law makers when
fundamental rights of people are involved. In a bold
remark of the said principle, it declared that:
“When interferences with fundamental rights are
at issue, the extent of the EU legislature’s
discretion may prove to be limited, depending on
a number of factors, including, in particular the
area concerned, the nature of the right at issue
guaranteed by the Charter, the nature and
seriousness of the interference and the object
pursued by the interference.”

The Court noted that the EU's long and indiscriminate

duration of retention, the Directive's uncontrolled
approach, and the lack of EU-set restrictions on
approach to and use of the data (or its main criteria to
identify such boundries) were particularly problematic.
First, the EU-imposed data retention system infringed
upon nearly every European's fundamental right, given
the expanding and pervasive use of electronic
communication. With no distinction, restriction, or
exception established in light of the goal of combating
severe crime, it applied indiscriminately to all
individuals, all electronic communication devices, and
traffic data. There was no need to establish a
connection between the individuals whose
communications data was stored and any particular
security risks. Additionally, professional secrecy was
not protected. Second, the Court of Justice determined
that the Directive did not provide boundaries or
objective standards for law enforcement agencies'
access to data and its subsequent use. It was
noteworthy that there were no substantive or
procedural restrictions on national authorities' access to
or use of the data, which should be exclusively limited
to the prevention and detection of specifically defined
serious offences or the pursuit of criminal prosecutions.
It did not define severe crime or provide any objective
standards to ensure that the number of individuals
permitted to view and use the data kept would be kept
to a minimum and would only be used in cases of
absolute need. Furthermore, it did not require a court
or other independent administrative authority to first
assess the material before access could be
granted. Lastly, it enforced lengthy data retention
durations without providing any objective reasoning or
discrimination based on security needs.
The ECJ further says and concluded that the Directive,
“entailed a wide-ranging and particularly serious
interference with the fundamental rights
enshrined in … the Charter, without such an
interference being precisely circumscribed by
provisions to ensure that it is actually limited to
what is strictly necessary.”

Hon’ble European Court of justice also discovered

significant flaws in the Directive's security and data
protection guidelines for private operators and
providers, which were not made to have the large
volume of data kept, its delicate and confidential
nature, or the dangers of unauthorised access. A
sufficient level of protection and security was not
ensured by EU legislative instruments, particularly as
business entities could factor in financial considerations
when assessing the level of security. Furthermore,
there was a chance that no independent body would
have control over how these data were used and
accessed "when such a control, to be carried out on the
basis of EU law, was an essential component of the
protection of individuals with regard to the processing
of personal data." This was because the Directive did
not put any mandatory obligation that the data is to be
stored the European Union. Therefore, in light of
Articles 7, 8, and 52(1) of the Charter, the Court
logically concluded that the EU legislature had gone
beyond the bounds set by adherence to the principle of
proportionality. Without addressing the other issues
brought up, the Court declared the Directive to be
invalid, without regard to time constraints. As a result,
the Directive is regarded as unconstitutional.

Analysis

“Digital Rights Ireland case” is a historic

judgement. It expands upon the basis of constitutional
assessment in cases involving the protection of basic
rights. The ruling, in particular, imposes strong scrutiny
on EU legislative actions that materially interfere with
human rights and gives the EU a new duty to safeguard
human rights. It also applies stringent proportionality
assessment in accordance with the Charter. In
addition, the decision makes clear the boundaries of
data protection and privacy in the European Union and
provides guidance to lawmakers on how to create data
retention policies that uphold human rights.

After assessing the Directive's compliance with Articles

7 and 8 of the Charter, the European Court of Justice
(ECJ) ruled that it was unconstitutional. The European
Court of Justice (ECJ) claimed that the Directive
infringed against both the right to the protection of
personal data under Article 8 and the right to respect
for one's private life under Article 7. Limitations on
these rights are only permissible under Article 52(1) of
the Charter if they are mandated by law, respectful of
the fundamental rights guaranteed by the Charter, and
commensurate with the legitimate goal being sought.

The European Court of Justice (ECJ) found that the

Directive was valid in that it sought to combat severe
crime, but it failed the proportionality test, which the
ECJ used to assess whether the actions used to
accomplish that purpose were reasonable. More
precisely, the European Court of Justice (ECJ)
determined that the Directive's implementation might,
for a limited amount of time, between six and twenty-
four months, interfere, to a considerable degree, with
the basic rights of all EU citizens. Regarding the terms
of data storage and the responsibilities of Internet
service providers and security agencies that access the
data, the Directive ought to have been more explicit.
Because the Directive did not provide any assurances
on the storage, management, or accessibility of
telecommunications data, the European Court of Justice
(ECJ) held that the Directive was incompatible with the
Charter.
Notably, the ECJ stated that EU legislators have very
little flexibility in deciding how much interference is
allowed with basic rights, like those guaranteed by
Articles 7 and 8. In certain situations, the judiciary has
the authority to review legislative actions that affect
basic rights in order to assess whether a particular
decision is consistent with upholding those rights.

Conclusion

Digital Rights Ireland's ruling is significant for a number

of reasons.
First of all, it gives the EU legislature an extra level of
responsibility for protecting fundamental rights.
It also subjects it to a rigorous, new judicial scrutiny
standard.
Thirdly, it declares a European Union framework law to
be unlawful because it violates the Charter of Rights.
Fourthly, it offers legislators at the EU and national
levels crucial principles to guarantee the rights to
privacy and data protection are effectively maintained
in an era of growing exceptionalism and securitization.
In conclusion, I would argue that the current case of
Digital Rights Ireland not only creates a strict
framework for laws and policies in the future that
interfere with personal data in Europe, but it also has
the power to influence future European integration by
reshaping inter-institutional relations within the EU and
placing human rights and constitutionalism at the
centre of the European project.

By its ruling, the Court protects individuals' rights to

privacy and data protection under the Charter, as well
as preventing the possible misuse and exploitation of
personal information that arises from data retention
that is kept indefinitely. It also shows a great desire to
curtail the state of exception and securitization trends
that are present in modern European anti-terrorist laws
and to lessen their interference with important
fundamental rights. There is symbolic significance in
the fact that the right to privacy—"the" human right in
the digital age—was the first to pass the rigorous
scrutiny test. Even though Digital Rights Ireland surely
marks a major step forward for the defence of
fundamental rights at the EU level as well as for data
protection and the right to privacy in Europe, it remains
to be seen if it will be remembered as one of the "great
cases" in the history of European integration.

Submitted by-

Name – Parth Sharma

Division – D
PRN – 20010422095