Judgment of the CJEU (Grand Chamber) of 8 April 2014 (joined cases C-293/12 and C-594/12): the Court declared the invalidity of the Data Retention Directive
The Directive
• Historic context of Approval
• Scope – Types of Data Retained
• Findings: the EU legislator exceeded the limits imposed by compliance with the principle of proportionality in the light of Articles 7, 8 and 52(1) of the Charter of Fundamental Rights of the European Union
Digital Rights Ireland Landmark Judgment
• Directive allows acquiring very precise information on the private lives of the persons whose data are retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, activities carried out, social relationships and the social environments frequented.
• By requiring the retention of those data and by allowing the competent national authorities to access those data, the directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data.
• However, the retention does not adversely affect the essence of the fundamental rights to respect for private life and to the protection of personal data:
i. the directive does not allow the retention of content
ii. the service or network providers must respect certain principles of data protection and data security.
• It satisfies an objective of general interest, namely the fight against serious crime and, ultimately, public security.
• By adopting the Data Retention Directive, the EU legislature has exceeded the limits imposed by compliance with the principle of proportionality.
• The interference of the directive with the fundamental rights was not limited to what is strictly necessary.
• The type of retained data provides a lot of information on the people in question, including:
i. the identity of the person with whom the communication took place and by what means,
ii. the time of the communication as well as the place from which that communication took place, and
iii. the frequency of the communications with certain persons during a given period.
Main problems with the directive:
• Covers all individuals, all means of electronic communication and all traffic data without any differentiation, limitation or exception being made in the light of the objective of fighting against serious crime.
• Fails to lay down any objective criterion which would ensure that the competent national authorities have access to the data and can use them only for the purposes of prevention, detection or criminal prosecutions concerning offences that may be considered to be sufficiently serious to justify such an interference.
• Refers in a general manner to ‘serious crime’ as defined by each Member State in its national law.
• Does not lay down substantive and procedural conditions for access to and subsequent use of the data: access to the data is not made dependent on prior review by a court or by an independent administrative body.
• The minimum retention period of six months does not make any distinction between the categories of data on the basis of the persons concerned or the usefulness of the data in relation to the objective pursued, and no criteria are provided for justifying the maximum retention period of up to two years.
• No sufficient safeguards provided to ensure effective protection of the data against the risk of abuse and against unlawful access and use of the data (e.g. service providers can have regard to economic considerations when determining the level of security) and it does not ensure the irreversible
• Last (unexpected) concern of the Court:
• The Directive does not require that the data be retained within the EU: in doing so, it does not fully ensure the control of compliance with the requirements of protection and security by an independent authority, as is, however, explicitly required by the Charter.
• Control of a DPA, carried out on the basis of EU law, is an essential component of the protection of individuals with regard to the processing of personal data.
• Important decision for cloud computing: the Court seems to imply that retained data (or any sensitive data) must be stored and processed exclusively within the European Union
International transfer issues for cloud computing
• Introduction to cloud computing: models, cloud providers (controllers and/or processors), main contractual issues, concerns
• International transfers under Directive 95/46/EC (BCRs, Model Clauses Controller-Processor (2010), ad hoc Contracts, Safe Harbor)
• Article 29 WP Working Document of a Co-operation Procedure For Issuing Common Opinions on “Contractual Clauses” considered compatible with the EC Model Clauses
• Approval of model clauses of Microsoft and Amazon Web Services
• Safe Harbor Regime under scrutiny/transatlantic discussions for an umbrella agreement
• Data Nationalism and its impact in cloud computing (Brazil, Europe, Australia, Russia, France, Portugal)
• Microsoft Case (US), Schrems v. Data Protection
• Transfers of data by EEA based cloud providers to sub processors outside the EEA – how to solve the problem?
• WP29, Working document 01/2014 on Draft Ad hoc contractual clauses “EU data processor to non-EU sub-processor”;
• How can we improve model clauses and make them more effective?
• Impact of the draft EC Data Protection Regulation on data transfers
[Diagram labels: Company; Supplier of Cloud Service; Subcontractor; Sub-subcontractor in a third country; EU + EEA]
Obrigado | Thank you.
Luis Neto Galvão
Sócio/Partner