The ECJ’s ruling
It is commonly known that the European Court of Justice (ECJ) has held the Data Retention Directive invalid.1 The details of the ECJ’s reasoning are not, however, generally known. Moreover, one particular consideration in the judgment’s reasoning has gone largely unnoticed.
But generally, the ECJ has conceded in its ruling that the retention of data does not by itself adversely affect the fundamental rights to respect for private life and to the protection of personal data. The court further held that the potential disclosure of such data to national authorities principally serves a legitimate general interest: the fight against serious crime and the safeguarding of public security.
However, the ECJ found the Data Retention Directive to infringe the principle of proportionality because it applies to all individuals, communications and traffic data without differentiation or limitation. The court has also held other parts of the Directive excessive, such as the fact that the retention period does not differentiate between the stored data categories.
But the real spotlight should be on the ECJ’s considerations on data security. The court held the Data Retention Directive invalid because it allows the service provider to align the security measures to the provider’s commercial and economic considerations. Most notably, however, the ECJ has also criticised the fact that the Directive does not require the data to be retained within the EU. With this, the Court claimed that the Directive does not sufficiently ensure control rights of an independent authority, as explicitly required by EU data protection law (in particular, the European Charter of Fundamental Rights).2 In the view of the court, such control forms an essential component of the protection of individuals in the processing of their personal data. The importance of this argument is reflected not least by the fact that the ECJ included this consideration in its press release on the cited ruling.
What are the effects of this ruling? The ECJ’s arguments might have an impact beyond the case that triggered the ruling. They might in fact touch the privacy aspects of international data transfers as we know them today. Currently, it is commonly accepted by all EU data protection regulators for international data transfers that an adequate data protection level can be provided through valid and signed EU Model Clauses. But the Model Clauses neither expressly address (physical) server and data storage location requirements nor do they explicitly address compliance control aspects and related supervisory authority competencies.
Given that, it is not unthinkable that a national DP regulator, contemplating the ECJ’s reasoning, might question whether the Model Clauses provide valid proof that the data in question is stored within the territory of the EU and, with this, under the competency and compliance control of a European (in the view of the Court, sufficiently independent) supervisory authority.
And the answer might be self-evident. Since the Model Clauses do not expressly require the data recipient (in its role as the data importer) to retain the data exclusively within the territory of the EU, the authority might, based on this consideration, require the applicant to amend the Model Clauses, or it might reject the application.
In the light of these considerations, the ECJ ruling could have an impact that goes far beyond the court’s reasoning on the retention of personal data. It affects the key principles of transferring personal data outside the EU.
And it is not Europe alone that will have to deal with such territoriality considerations. The Russian Federation is also currently eager to amend the Russian Data Protection Act. The amended regulation would require databases that contain personal data of Russian citizens to be located only in Russia.3 This, of course, would require all industries (banks, insurance companies, telecommunications providers, etc.) to store their Russian customer data exclusively on Russian territory.
Things are on the move. Companies will have to wait to see how national DP regulators interpret the ECJ's reasoning. But the court's reasoning clearly supports an observable European market trend: the market's increasing demand that personal data be physically retained within the territory of the EU.
1 ECJ 08.04.2014, Joined Cases C‑293/12 and C‑594/12 (Digital Rights Ireland and Seitlinger and others).
2 Charter of Fundamental Rights of the European Union, Official Journal of the European Communities, C‑364/01, 18 December 2000.
3 cf. Jones Day, Russia Adopts Restrictive Changes to its Data Privacy Law, 18.07.2014 (http://www.jonesday.com/russia-adopts-restrictive-changes-to-its-data-privacy-law-07-18-2014/)