The European Union's Data Retention Directive was not procedurally flawed and should not be repealed, an Advocate General to the European Court of Justice (ECJ) has said. Ireland's argument that the law was wrongly adopted has been rejected.
The Data Retention Directive orders all EU member states to pass laws telling telecoms companies to keep records of phone and internet use for between six and 24 months.
Though it has not objected to the substance of the Directive, Ireland objected to the way in which it was adopted and asked the ECJ, Europe's highest court, to repeal it. An Advocate General's opinion is only advisory, but is followed in around 80% of cases by the ECJ itself.
The Directive was passed so that the records of phone calls and other telecoms activity would be available for use by the authorities when investigating crime. The UK, France and Sweden proposed the measure and said that it should be used in particular to investigate terrorism offences.
Ireland argued that the European Union cannot pass Directives in areas of crime and security. EU countries can agree to co-ordinate laws on those areas, but European Commission-crafted Directives cannot be the vehicle for that, it argued.
Ireland said that to base the Data Retention Directive on the EC Treaty via a Directive was wrong, and that it should have been adopted via specific measures designed for issues of crime, security and justice. That area of government is collected together for EU purposes and called the third pillar.
The EU has reduced responsibilities for issues in the third pillar because of its origins as an economic, and not political, organisation.
"It is established that measures based on [the EC Treaty] must have as their centre of gravity the harmonisation of national laws in order to improve the functioning of the internal market," said the opinion produced by Advocate General Yves Bot, explaining Ireland's position. "The provisions of [the Directive] concern the fight against serious crime and are not intended to address defects in the internal market."
Ireland said that any action in relation to data retention for crime prevention should have been taken under the third pillar, based on the EU Treaty and not the EC Treaty.
Bot said that he believed that the creation of the Directive helped reduce a risk that was emerging as countries adopted different standards and requirements in the field of data retention. Imposing a standard methodology helped the market for telecoms services and therefore helped the Directive qualify as appropriate under the EC Treaty, he said.
"As is clear from recital 6 in the preamble to [the Directive], such disparities between the laws of the Member States 'present obstacles to the internal market for electronic communications, since service providers are faced with different requirements regarding the types of traffic and location data to be retained and the conditions and periods of retention," he said.
"In so far as [the Directive] proceeds with harmonisation of national laws on the obligation to retain data (Article 3), the categories of data to be retained (Article 5), periods of retention of data (Article 6), and data protection and data security (Article 7), I take the view that it facilitates the development of the internal market for electronic communications by providing common requirements for service providers," said Bot.
"In the light of those factors, the intervention of the Community legislature on the basis of Article 95 EC appears to me to be justified," said his ruling
Bot said that the main purpose of the Directive was the functioning of the internal market, and that this was not changed by the fact that security and crime were one part of its function.
"Contrary to Ireland's submissions, I take the view that the mere fact that a measure refers to an objective such as the investigation, detection and prosecution of serious crime is not sufficient to shift such a measure from the first to the third pillar," he said. "In other words, the existence of such a purpose is not, in my view, sufficient to constitute an act coming within the area covered by 'police and judicial cooperation in criminal matters'."
He said that the scope of Title VI of the EU Treaty, which outlines what the third pillar is, is carefully defined and does not include the action spoken of in the Data Retention Directive. The Directive covers, instead, activity that happens before law enforcement authorities are involved.
"The measures provided for by [the Directive] do not involve any direct intervention by the law-enforcement authorities of the Member States," he said "[The Directive] contains measures which relate to a stage prior to the implementation of police and judicial cooperation in criminal matters."
"It does not harmonise either the issue of access to data by the competent national law-enforcement authorities or that relating to the use and exchange of those data by such authorities, for example in the context of criminal investigations. Those matters, which come, in my view, within the area covered by Title VI of the EU Treaty, were properly excluded from the provisions of [the Directive]," he said.
Bot said that the Directive explicitly gives member states the freedom to make their own decisions about what to do with the information held by telecoms companies, and how to govern authorities' access to it.
Civil rights groups had also submitted documents to the court arguing that the Data Retention Directive should be repealed on grounds of substance, not procedure. The Advocate General made no reference to those in his opinion.
Ireland has introduced more restrictive laws than the Directive allows. It tells countries to order telecoms providers to keep data for between six and 24 months. Ireland's data retention laws tell telecoms firms to keep data for three years.
The UK has implemented parts of the Data Retention Directive. The Data Retention (EC Directive) Regulations 2007 came into force on 1st October 2007 and mandate the retention of non-internet data. These Regulations are expected to be replaced on 15th March 2009 by a wider set of rules that extend the current regime to cover internet data as well.