The Data Retention Directive orders all EU member states to pass
laws telling telecoms companies to keep records of phone and
internet use for between six and 24 months.
Though it has not objected to the substance of the Directive,
Ireland objected to the way in which it was adopted and asked the
ECJ, Europe's highest court, to repeal it. An Advocate General's
opinion is only advisory, but is followed in around 80% of cases by
the ECJ itself.
The Directive was passed so that the records of phone calls and
other telecoms activity would be available for use by the
authorities when investigating crime. The UK, France and Sweden
proposed the measure and said that it should be used in particular
to investigate terrorism offences.
Ireland argued that the European Union cannot pass Directives in
areas of crime and security. EU countries can agree to co-ordinate
laws on those areas, but European Commission-crafted Directives
cannot be the vehicle for that, it argued.
Ireland said that to base the Data Retention Directive on the EC
Treaty via a Directive was wrong, and that it should have been
adopted via specific measures designed for issues of crime,
security and justice. That area of government is collected together
for EU purposes and called the third pillar.
The EU has reduced responsibilities for issues in the third
pillar because of its origins as an economic, and not political,
organisation.
"It is established that measures based on [the EC Treaty] must
have as their centre of gravity the harmonisation of national laws
in order to improve the functioning of the internal market," said
the opinion produced by Advocate General Yves Bot, explaining
Ireland's position. "The provisions of [the Directive] concern the
fight against serious crime and are not intended to address defects
in the internal market."
Ireland said that any action in relation to data retention for
crime prevention should have been taken under the third pillar,
based on the EU Treaty and not the EC Treaty.
Bot said that he believed that the creation of the Directive
helped reduce a risk that was emerging as countries adopted
different standards and requirements in the field of data
retention. Imposing a standard methodology helped the market for
telecoms services and therefore helped the Directive qualify as
appropriate under the EC Treaty, he said.
"As is clear from recital 6 in the preamble to [the Directive],
such disparities between the laws of the Member States ‘present
obstacles to the internal market for electronic communications,
since service providers are faced with different requirements
regarding the types of traffic and location data to be retained and
the conditions and periods of retention," he said.
"In so far as [the Directive] proceeds with harmonisation of
national laws on the obligation to retain data (Article 3), the
categories of data to be retained (Article 5), periods of retention
of data (Article 6), and data protection and data security (Article
7), I take the view that it facilitates the development of the
internal market for electronic communications by providing common
requirements for service providers," said Bot.
"In the light of those factors, the intervention of the
Community legislature on the basis of Article 95 EC appears to me
to be justified," said his ruling.
Bot said that the main purpose of the Directive was the
functioning of the internal market, and that this was not changed
by the fact that security and crime were one part of its
function.
"Contrary to Ireland’s submissions, I take the view that the
mere fact that a measure refers to an objective such as the
investigation, detection and prosecution of serious crime is not
sufficient to shift such a measure from the first to the third
pillar," he said. "In other words, the existence of such a purpose
is not, in my view, sufficient to constitute an act coming within
the area covered by ‘police and judicial cooperation in criminal
matters’."
He said that the scope of Title VI of the EU Treaty, which
outlines what the third pillar is, is carefully defined and does
not include the action spoken of in the Data Retention Directive.
The Directive covers, instead, activity that happens before law
enforcement authorities are involved.
"The measures provided for by [the Directive] do not involve any
direct intervention by the law-enforcement authorities of the
Member States," he said "[The Directive] contains measures which
relate to a stage prior to the implementation of police and
judicial cooperation in criminal matters."
"It does not harmonise either the issue of access to data by the
competent national law-enforcement authorities or that relating to
the use and exchange of those data by such authorities, for example
in the context of criminal investigations. Those matters, which
come, in my view, within the area covered by Title VI of the EU
Treaty, were properly excluded from the provisions of [the
Directive]," he said.
Bot said that the Directive explicitly gives member states the
freedom to make their own decisions about what to do with the
information held by telecoms companies, and how to govern
authorities' access to it.
Civil rights groups had also submitted documents to the court
arguing that the Data Retention Directive should be repealed on
grounds of substance, not procedure. The Advocate General made no
reference to those in his opinion.
Ireland has introduced more restrictive laws than the Directive
allows. It tells countries to order telecoms providers to keep data
for between six and 24 months. Ireland's data retention laws tell
telecoms firms to keep data for three years.
The UK has implemented parts of the Data Retention Directive.
The Data Retention (EC Directive) Regulations 2007 came into force
on 1st October 2007 and mandate the retention of non-internet data.
These Regulations are expected to be replaced on 15th March 2009 by
a wider set of rules that extend the current regime to cover
internet data as well.
