Digital Rights Ireland Ltd V. Minister For Communications, Marine ...

Case Summary and Outcome

The European Court of Justice (ECJ) held that a European Union directive requiring Internet Service Providers (ISPs) to store telecommunications data in order to facilitate the prevention and prosecution of crime was found to be invalid under Articles 7 and 8 of the Charter of Fundamental Rights of the European Union.

Parallel cases were raised in Ireland and Austria following passage of the directive regarding the lawfulness of the measure. Each court forwarded the question to the ECJ where they were consolidated. The ECJ deemed the directive was legitimate in its aims of fighting serious crime, but did not pass the proportionality test applied to evaluate the appropriateness of the measures undertaken to achieve the goal.

Facts

In 2006, the European Parliament and the Council of the European Union adopted Directive 2006/24/EC (Directive), which regulated Internet Service Providers’ storage of telecommunications data and could be used to fight serious crime in the European Union (EU). The Directive’s aim was to harmonize the different regulations in EU countries with respect to the retention of information concerning the source, destination, and time of communications taking place within the EU.

Parallel cases were raised in Ireland and Austria regarding the lawfulness of the measures that were adopted in order to implement this Directive. Civil rights organization Digital Rights Ireland argued that the Directive was becoming the basis for mass surveillance laws that violated fundamental human rights. The High Court of Ireland and the Austrian Constitutional Court argued that they could not evaluate such measures until the validity of the Directive itself was assessed. Each court then forwarded its questions to the European Court of Justice, where they were joined.

Decision Overview

The European Court of Justice (ECJ) evaluated the compatibility of the Directive with Articles 7 and 8 of the Charter and declared the Directive to be invalid. According to the ECJ, the Directive interfered with the right to respect for private life under Article 7 and with the right to the protection of personal data under Article 8. Under Article 52(1) of the Charter, limitations of such rights can only be justified when they are provided by law, respectful of the essence of the rights protected by the Charter, and proportionate to the legitimate aim pursued.

Although the ECJ deemed that the Directive was legitimate in its aim of fighting serious crime, it did not pass the proportionality test that the ECJ applied to evaluate the appropriateness of the measures undertaken to achieve that goal. More specifically, the ECJ found that the implementation of the Directive could potentially interfere, to a great extent, with the fundamental rights of the entire EU population for an unspecified length of time, falling between six and twenty-four months. The Directive should have been more specific about the conditions of data storage and the obligations of both Internet Service Providers and security agencies accessing the data. Therefore, the ECJ held that the Directive was incompatible with the Charter because of the Directive’s lack of guarantees regarding how telecommunications data would be kept, managed, and accessed.

Also of note, the ECJ articulated that EU legislators have only limited discretion in determining the extent of interferences with fundamental rights, such as those protected by Articles 7 and 8. In these cases, the judiciary can examine the legislators’ decisions that impact fundamental rights so as to evaluate a decision’s compatibility with the protection of fundamental rights.