With its judgment in joined Cases C-293/12 and C-594/12 (Digital Rights Ireland and Seitlinger and Others) dated 8th April 2014, the European Court of Justice has declared to be invalid the directive on the obligation of retention of data generated or processed by providers of publicly available electronic communications services or of public communications networks.
According to the data retention directive, these providers had the obligation to retain traffic and location data as well as related data necessary to identify the subscriber or user, for the purpose of the prevention, investigation, detection and prosecution of serious crime. The field of application of this directive covered all individuals, all means of electronic communication and all traffic data without any differentiation or exception.
Therefore, remote gambling transactions traffic data made by the users have been retained and stored as well, in compliance with national provisions drafted accordingly with the directive.
Although it was not permitting the retention of the content of the communication or of information consulted, the Court of Justice considered that the data retained may provide very precise information on the private lives of the persons whose data are retained, such as:” the habits of everyday life, permanent or temporary places of residence, daily or other movements, activities carried out, social relationships and the social environments frequented”.
The Court considered that the directive, by requiring the retention of those data and by allowing the competent national authorities to access those data without laying down substantive and procedural limits and conditions, is too broad and interferes in a disproportionate manner with the fundamental rights to respect for private life and to the protection of personal data.
As for example, the Court underlined the risks of undifferentiated storage of traffic data and the unclear period of retention set at between a minimum of six months and a maximum of 24 months, but without any objective criteria on the basis of which the period of retention should be determined.
Moreover, the Court stated that data has to be stored within the EU to ensure sufficient protection – thus implicitly condemning the recent Datagate scandal.
In light of all the above, the Court ruled that the data protection directive is null and void as it entails a “wide-ranging and particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data, without that interference being limited to what is strictly necessary”.
This ruling has an obvious impact on national provisions transposing this directive. Reference is made to the Italian data protection code that had been recently amended by the data retention directive in reference and which amendments could now be challenged, thus creating legal uncertainty for providers, who have been collecting and storing user data thus including remote gambling data until now.
A call for more data protection safeguards has been made. There is now a need for provisional guidelines by the competent national authorities to bridge the gap.