Data retention legislation in Europe

Directive 2006/24/EC on data retention has been considered in breach of privacy according to ECJ Joined Cases C-293/12 and C-594/12 decision from 8 July 2014. The European Court of Justice (ECJ) annulled the data retention directive, but this did not make national data retention legislations (whether or not enacted as implementation of the annulled directive) automatically invalid.

The table is looking to see how the national members states have reacted to this decision and if there is a constitutional complaint on the national data retention laws.

CountryData retention law in force?Challenged under constitutional law?Constitutional Court or similar body decisionIs the court decision taking into consideration the ECJ ruling?Government reaction to the ECJ ruling
AustriaNoYesVfGH G47/2012 ua.Yes

Abolition of the challenged parts of the amendments in Austrian law; no challenged parts had been preserved.

Bulgaria

In relation to CJEU’s Judgment in Joined Cases C-293/12 and C-594/12 of Digital Rights Ireland and Seitlinger and Others of 8th April 2014 and by virtue of Decision No 2 of 12th March 2015, the Constitutional Court of the Republic of Bulgaria declared void the provision of the Electronic Communications Act regarding data retention, i.e. Article 250a to Article 250f, Article 251 and Article 251a of the Electronic Communications Act.

It could therefore be said that presently there is no data retention law in force in Bulgaria.


As to present day, the said provisions still have not been explicitly repealed, although they should not be enforceable by virtue of the Constitutional Court’s decision.

Yes, the Electronic Communications Act was challenged at the Constitutional Court (Case 8/2014 of 15 April 2014).

Yes. Decision No 2 of 12 March 2015.YesAfter the judgement of the Bulgarian Constitutional Court the Ministry Council proposed a set of amendments and supplements to the Electronic Communications Act (ECA), which passed in the Bulgarian Parliament. The new legislative texts (Article 251b to Article 251i ECA) follow a similar pattern but have key differences in comparison to the annulled provisions. Dissimilarities between the two include: a shortening of the data retention period (6 months); obtained data is used exclusively in relation to grave intentional crimes (the previous regulation allowed data utilization for the search of persons or the investigation of non-grave crimes); a narrowing of the number of official bodies with rights to request data access; the introduction of a judiciary oversight on the overall procedure and control on the erasure of data. The Supplement and Amendment Act and the motives behind it are available in Bulgarian here.
Czech Republic

Law No. 127/2005 and Law No. 273/2012

YesCzech law 127/2005 which contained data retention regulation came into force before the 2006/24/EC directive. Data retention section (§97/3+4), was challenged constitutionally and abolished in 2011 as unconstitutional (reasons: the regulation was too vague and benevolent). In 2012 came into force a law as an amendment 273/2012 of the regulation which is still valid. There are hints that some civil society organisations may be preparing a constitutional court appeal as a reaction to the CJUE decision.NoNone
France

Yes

Article L 34-1 Code on Postal and Electronic Communication

Latest Decree n° 2014-1576 of 4 December 2014

NoNot applicableNot applicable

CNIL (French Data protection authority) assures that national legislation in place is still applicable and proportionate (articles L. 34-of the Code on Postal and Electronic Communication for judiciary investigations and L. 34-1-1 of the CPCE for administrative ones. Nevertheless it is important that the competent authorities take duly assess the impacts of this ECJ’s decision on French national law.

Germany

Yes, Gesetz zur Einführung einer Speicherpflicht und einer Höchstspeicherfrist für Verkehrsdaten.

 

The new data retention law was subject to a procedure at the federal constitutional court, requesting a provisional order (to render the law inoperative until the court’s final decision) against the data retention law. However, the provisional orders have been declined by the court on 8 June 2016. It has to be noted that this is not a final decision on the data retention law itself, but only on the request for a provisional order. A decision on the law in general is still pending.

The predecessor of the current law was challenged in the constitutional court. See decision BVerfG, 02.03.2010, 1 BvR 256/08.

No

 

ItalyYes Law no. 109 of May 30th , 2008. The Data Retention directive has been adopted by the introduction of art. 132 in the Italian Data Protection Code.  This article doesn’t mention the criteria of proportionality and of seriousness of the violation for data storage. The Data Retention Law  is still valid. The National Data Protection Authorities commented the CJUE decision, strengthening the importance of a correct balance between privacy protection and security: http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/3059819 ; http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/3043767There are several procedures that are using data stored on the basis of the Data Retention directive. Even if the Italian law is still valid, the judges are asked to adapt their judgments to the CLJUE decision. The National Data Protection Authority informed the Italian Government about the need to modify the existing rule (principle of proportionality;  guarantee of citizens’ rights). Only in some cases during the procedures the CJUE decision is mentioned.There is not a reaction of the Italian Government to the CJUE decision. There are some comments by jurists, lawyers, cyber-security experts on the impact of such decision on the Italian law system stressing the need for an intervention by the legislator. See: http://www.corrierecomunicazioni.it/tlc/26995_data-retention-scorza-il-legislatore-intervenga-subito.htm
Malta

Yes

S.L. 440.01 (as amended by L.N. 198 of 2008) Processing of Personal Data (Electronic Communications Sector) Regulations

No

  Not clear
NetherlandsYesYes, by a new law suit litigated in Jan. 2015 to challenge the law.PendingUnknown

Not implemented yet.  The Dutch government decided in November largely to maintain the national data retention law but with a few adjustments deemed necessary.

Now, the Dutch government is considering adding a new data retention bill.

RomaniaNoYesYes. Two Constitutional Court decisions: Decision 1258 of 8 October 2009 and Decision 440 of 8 July 2014YesIntense political willingness to reintroduce a new law. In this sense, a proposal to modify the ePrivacy law is under debate in Parliament. The law introduces new data retention obligations.
Spain

Yes, Law 25/2007 18 Oct. updated with the Telecommunications General Law, May 10 2014

Yes, by the Asociación de InternautasRuled against (sentencia 44/2008 de 5 de febrero)NoNone
Switzerland

Yes. Six months of data retention.

The Swiss Federal Data Protection Act (DPA) entered into force on July 1, 1993 and has been amended several times. The competent authority is the Federal Data Protection and Information Commission (DPIC). The DPA applies to data processing by both private entities and federal bodies. All Swiss cantons have their own laws regulating data processing by cantonal and municipal bodies. Each canton also appoints a cantonal data protection commissioner to supervise compliance by the authorities with the applicable cantonal laws.

Yes. As of September 2016, the court case is  “pending ready for a decision” at the Swiss Federal Court of Administration.None yetNot applicableThe government claims that the ECJ ruling is irrelevant to Swiss data retention.
United KingdomYesYesAppealed.  Referred to ECJECJ rulingReaction to the new Investigatory Powers Bill has been focused on snooping and decryption powers, not on data retention.

Last updated 19 May 2017.

Suggestions? Corrections? Additions? Please send us an email at observatory (at) mappingtheinternet (dot) eu. Or suggest via this webform.

 

The Open Rights Group has prepared a table showing the status of data retention in the EU, following the CJEU's decision in the Digital Rights Ireland case. For more information and data retention status check click here.

Link - Posted on Friday 19 September 2014

« Personal data breaches Internet Governance - Comparative Policy Tables »