National data retention rules — what is the EC’s stance?

5 Oct 2015

As people become more aware of the amount of data that is out there about them, they are also becoming more concerned about just who is hanging on to this information – and for how long. Mason Hayes & Curran explains the EC’s stance on this issue and what it means for member states.

Since the 2014 decision of Europe’s highest court – the Court of Justice of the European Union (CJEU) – in Digital Rights Ireland, various member states have seen changes to their national data retention laws. In the Digital Rights Ireland case, the court found the EU Data Retention Directive to be invalid. In particular, the court found the directive incompatible with the fundamental right to privacy and viewed European lawmakers as having gone beyond what was proportionate to tackle serious crime.

In the 18 months following the case, a number of challenges to national data retention laws have taken place, including in the UK. Interestingly, despite the application to the CJEU having its roots in an Irish case, Irish data retention laws still remain untouched and the case is still pending before the Irish courts.

Recently, the European Commission (EC) issued a statement on national data retention laws, providing some additional insight into the views at EU level.

What has the EC said?

In a recent press release, the EC has clarified its continued position regarding national data retention laws, saying: “the decision of whether or not to introduce national data retention laws is a national decision”.

Despite any contrary expectations, the EC goes on to state that it is not due to announce any new initiatives around data retention.

Germany in the firing line?

This recent statement followed allegations that the EC was gearing up to sue Germany over concerns around its national data retention law.

In 2012, the EC brought Germany before the CJEU for failure to fully transpose the directive into German law. Despite this previous action, however, the EC has confirmed that no such action is being planned.

The position for member states

In the absence of a directive, the EC notes that member states are free to either keep their current data retention systems or create new ones. The EC reminds member states that the core issue is ensuring these systems comply with EU law, including the ePrivacy Directive. This largely aligns with the opinion from the European Parliament’s Legal Service, which indicates that member states should examine their national data retention measures to see whether they comply with the decision of the court.

In short, the EC is “neither opposing, nor advocating the introduction of national data retention laws”. Instead, it is down to each member state to decide.

Political sensitivities

The EC is clear about its reservations around entering into debates regarding data retention, noting that such debates are often very sensitive and political in nature. While the EC has specifically left it to member states to decide the fate of their respective national data retention laws, it has not expanded further on how to ensure compliance with EU law nor has it indicated any plans for reform at an EU level. For many member states, this is likely to be unsatisfactory.

Presumably, in line with the CJEU’s views, the proportionality of the national laws will be key in determining ongoing compliance at national level. In addition, another core measure of compliance is likely to be the extent of safeguards imposed on data collection and retention.

The content of this article is provided for information purposes only and does not constitute legal or other advice.

Tech Law is a weekly series brought to you by Irish law firm Mason Hayes & Curran, whose legal tech team advises the world’s top social media organisations and emerging start-ups. Check out for more.

Main image via Shutterstock