Directive 2006/24/EC on data retention has been considered in breach of privacy according to ECJ Joined Cases C-293/12 and C-594/12 decision from 8 July 2014. The European Court of Justice (ECJ) annulled the data retention directive, but this did not make national data retention legislations (whether or not enacted as implementation of the annulled directive) automatically invalid.
The table is looking to see how the national members states have reacted to this decision and if there is a constitutional complaint on the national data retention laws.
|Country||Data retention law in force?||Challenged under constitutional law?||Constitutional Court or similar body decision||Is the court decision taking into consideration the ECJ ruling?||Government reaction to the ECJ ruling|
|Austria||No||Yes||VfGH G47/2012 ua.||Yes|
Abolition of the challenged parts of the amendments in Austrian law; no challenged parts had been preserved.
In relation to CJEU’s Judgment in Joined Cases C-293/12 and C-594/12 of Digital Rights Ireland and Seitlinger and Others of 8th April 2014 and by virtue of Decision No 2 of 12th March 2015, the Constitutional Court of the Republic of Bulgaria declared void the provision of the Electronic Communications Act regarding data retention, i.e. Article 250a to Article 250f, Article 251 and Article 251a of the Electronic Communications Act.
It could therefore be said that presently there is no data retention law in force in Bulgaria.
Currently Art. 6, para 2 of the Electronic Document and Electronic Тrust Services Act envisages that the so-called intermediary of electronic statements (who, by assignment of the signatory, author or recipient, sends, receives, records or stores an electronic statement or performs other services) should keep data, on which basis can be determined the exact time and source of the transmitted electronic statement. This information should be stored for a period of one year.
Yes, the Electronic Communications Act was challenged at the Constitutional Court (Case 8/2014 of 15 April 2014).
|Yes. Decision No 2 of 12 March 2015.||Yes||After the judgement of the Bulgarian Constitutional Court the Ministry Council proposed a set of amendments and supplements to the Electronic Communications Act (ECA), which passed in the Bulgarian Parliament. The new legislative texts (Article 251b to Article 251i ECA) follow a similar pattern but have key differences in comparison to the annulled provisions. Dissimilarities between the two include: a shortening of the data retention period (6 months); obtained data is used exclusively in relation to grave intentional crimes (the previous regulation allowed data utilization for the search of persons or the investigation of non-grave crimes); a narrowing of the number of official bodies with rights to request data access; the introduction of a judiciary oversight on the overall procedure and control on the erasure of data. The Supplement and Amendment Act and the motives behind it are available in Bulgarian here.|
|Czech Republic||Yes (both of them)|
Czech law 127/2005 which contained data retention regulation came into force before the 2006/24/EC directive. Data retention section (§97/3+4), was challenged constitutionally and abolished in 2011 as unconstitutional (reasons: the regulation was too vague and benevolent). In 2012 came into force a law as an amendment 273/2012 of the regulation which is still valid.
On 20 December 2017, civil society organisation Iuridicum Remedium (IuRe) filed a request with the Constitutional Court of the Czech Republic to revoke the Czech data retention related legislation.
The first decision is NOT taking in to consideration the ECJ ruling.
The second decision is aspected in about one year time (end of 2018/beginning of 2019).
None for the first one.
Article L 34-1 Code on Postal and Electronic Communication
Latest Decree n° 2014-1576 of 4 December 2014
|No||Not applicable||Not applicable|
CNIL (French Data protection authority) assures that national legislation in place is still applicable and proportionate (articles L. 34-of the Code on Postal and Electronic Communication for judiciary investigations and L. 34-1-1 of the CPCE for administrative ones. Nevertheless it is important that the competent authorities take duly assess the impacts of this ECJ’s decision on French national law.
|The new data retention law was subject to a procedure at the federal constitutional court, requesting a provisional order (to render the law inoperative until the court’s final decision) against the data retention law. However, the provisional orders have been declined by the court on 8 June 2016. It has to be noted that this is not a final decision on the data retention law itself, but only on the request for a provisional order. A decision on the law in general is still pending, and several constitutional complaints have been raised so far (e.g. Az. 1 BvR 847/16, Az. 1 BvR 1258/1, Az. 1 BvR 1560/16, Az. 1 BvR 2023/16, Az. 1 BvR 2683/16, Az. 1 BvR 2840/16).|
The predecessor of the current law was challenged in the constitutional court. See decision BVerfG, 02.03.2010, 1 BvR 256/08.
Representatives of the Federal Government stated during a press conference that they aimed at being compliant with legal requirements both on European and national level. They assumed that their law is compliant in this regard, as it offered stricter safeguards than the law subject to the ECJ ruling. However, they also stated that they would carefully look into the ruling and amend the data retention law in Germany wherever necessary. While this is the position of the Federal Government, it has to be noted that there is a rather controversial political debate on whether data retention should be considered necessary and if it could be implemented lawfully.
|Italy||Yes Law no. 109 of May 30th , 2008. The Data Retention directive has been adopted by the introduction of art. 132 in the Italian Data Protection Code. This article doesn’t mention the criteria of proportionality and of seriousness of the violation for data storage.||The Data Retention Law is still valid. The National Data Protection Authorities commented the CJUE decision, strengthening the importance of a correct balance between privacy protection and security: http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/3059819 ; http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/3043767||There are several procedures that are using data stored on the basis of the Data Retention directive. Even if the Italian law is still valid, the judges are asked to adapt their judgments to the CLJUE decision. The National Data Protection Authority informed the Italian Government about the need to modify the existing rule (principle of proportionality; guarantee of citizens’ rights). Only in some cases during the procedures the CJUE decision is mentioned.||There is not a reaction of the Italian Government to the CJUE decision. There are some comments by jurists, lawyers, cyber-security experts on the impact of such decision on the Italian law system stressing the need for an intervention by the legislator. See: http://www.corrierecomunicazioni.it/tlc/26995_data-retention-scorza-il-legislatore-intervenga-subito.htm|
S.L. 440.01 (as amended by L.N. 198 of 2008) Processing of Personal Data (Electronic Communications Sector) Regulations
More information on the status of the law can be found here.
|Yes, by a new law suit litigated in Jan. 2015 to challenge the law.||Pending||Unknown|
Not implemented yet. The Dutch government decided in November largely to maintain the national data retention law but with a few adjustments deemed necessary.
Now, the Dutch government is considering adding a new data retention bill.
|Romania||No||Yes||Yes. Two Constitutional Court decisions: Decision 1258 of 8 October 2009 and Decision 440 of 8 July 2014||Yes||Intense political willingness to reintroduce a new law. In this sense, a proposal to modify the ePrivacy law is under debate in Parliament. The law introduces new data retention obligations.|
Yes, Law 25/2007 18 Oct. updated with the Telecommunications General Law, May 10 2014
|Yes, by the Asociación de Internautas||Ruled against (sentencia 44/2008 de 5 de febrero)||No||None|
Yes. Six months of data retention.
The Swiss Federal Data Protection Act (DPA) entered into force on July 1, 1993 and has been amended several times. The competent authority is the Federal Data Protection and Information Commission (DPIC). The DPA applies to data processing by both private entities and federal bodies. All Swiss cantons have their own laws regulating data processing by cantonal and municipal bodies. Each canton also appoints a cantonal data protection commissioner to supervise compliance by the authorities with the applicable cantonal laws.
|Yes. As of March 2017, the case is pending at Switzerland's highest court.||-||Not applicable||The government claims that the ECJ ruling is irrelevant to Swiss data retention.|
|United Kingdom||Yes||Yes||Appealed. Referred to ECJ||ECJ ruling||Reaction to the new Investigatory Powers Bill has been focused on snooping and decryption powers, not on data retention.|
Last updated 28 February 2018.
Suggestions? Corrections? Additions? Please send us an email at observatory (at) mappingtheinternet (dot) eu. Or suggest via this webform.
The Open Rights Group has prepared a table showing the status of data retention in the EU, following the CJEU's decision in the Digital Rights Ireland case. For more information and data retention status check click here.