Netherlands

[NL] Court Suspends the Dutch Telecommunications Data Retention Act

IRIS 2015-4:1/17

Sarah Johanna Eskens

Institute for Information Law (IViR), University of Amsterdam

The Dutch Telecommunications Data Retention Act (Wet bewaarplicht telecommunicatiegegevens) has been suspended as of 11 March 2015. The Act required providers of public telecommunications services and networks to retain traffic and location data of telephone and internet communications, for the purpose of investigating serious crimes. Telephone data had to be retained for twelve months; internet data for six months. The Act implemented the Data Retention Directive (2006/24/EC) (see IRIS 2006-3/110), which the Court of Justice of the European Union (CJEU) invalidated in the Digital Rights Ireland case (C-293/12).

A coalition of Dutch organisations brought preliminary relief proceedings against the Act in the District Court of The Hague. The Court agreed with them that the obligation to retain data interfered with the fundamental rights to privacy and the protection of personal data, guaranteed by Articles 7 and 8 of the Charter of Fundamental Rights of the European Union (the Charter) respectively. It was uncontested that Digital Rights Ireland did not imply that the Act was invalid too.

In the view of the Court, interferences with these fundamental rights was not unacceptable in every case. It adopted as a starting point that the obligation to retain data is necessary and effective to investigate serious crimes. Then the Court observed that the Act, like the Data Retention Directive, covered all users of electronic communications services without any differentiation. Consequently, it applied even to persons for whom there is no evidence suggesting that their conduct relates to serious crime. Moreover, the Act did not require any relationship between the data whose retention is provided for and a threat to public security. Still, the Court held it did not follow from Digital Rights Ireland that such a broad obligation is disproportional per se.

The main objection was that the interference was not limited to what is strictly necessary. In Digital Rights Ireland, the CJEU stated that the legislation should contain objective criteria by which to determine the limits of the access by the national authorities to the data and their subsequent use, for the purpose of law enforcement concerning offences that are sufficiently serious to justify an interference with Articles 7 and 8 of the Charter. The Court considered that the Act included offences that were not sufficiently serious in that sense. The Government stated that it did not request data lightly. Nevertheless, the Court held that the Act did not ensure that access to the data is actually limited to what is strictly necessary for the investigation of serious crimes.

This was all the more problematic, since the Act did not subject access to the data retained to ex ante review carried out by a court or an independent administrative body. Contrary to what the Government argued, the Court held that the Dutch Public Prosecution Service could not be regarded as an independent administrative body. The Court inferred from Digital Rights Ireland that the CJEU found this a serious objection.

On the basis of all this, the Court concluded that the Act constituted an unacceptable interference with Articles 7 and 8 of the Charter and suspended it. The Government is still considering bringing an appeal.