On 10 February, the ECJ gave its judgment on Case C-301/06, Ireland v. European Parliament and Council of the European Union where it was called to decide on the boundary between the Community pillar and the third pillar, namely Title VI of the EU Treaty on police and judicial cooperation in criminal matters.

The ECJ ruling is a blow for those hopping to overturn the EU data retention directive which harmonises rules on the length of time that telecom operators and internet providers must retain data.

The aim of the Directive 2006/24 is to harmonise Member States laws concerning the providers of publicly available electronic communications services or of public communications networks obligations to retain certain data which are generated or processed by them and to guarantee that such data is available for the purpose of the investigation, detection and prosecution of serious crime. Such data can identify the caller, the time and means of communication. Member States are required to adopt measures to ensure that data retained in observance with this Directive are solely provided to the competent national authorities in specific cases and in accordance with national law as well as to ensure that such types of data are retained for periods of not less than six months and not more than two years from the date of the communication.

The use of data in this way entails disproportionate interferences with individuals’ right to privacy.

It should be mentioned that back to 2004, France, Ireland, Sweden and the UK submitted to the Council a draft framework decision concerning the retention of data processed and stored in connection with the provision of publicly available electronic communications services or data in public communication networks for the purposes of the prevention, investigation, detection and prosecution of criminal offences, including terrorism which was based on Articles 31(1)(c) EU and 34(2)(b) EU. However, the Commission took the view that the Community should legislate on the determination of the categories of data to be retained and on the retention period therefore the Commission reserved the right to submit a proposal for a directive. The Commission put forward a proposal for a directive on operators’ obligations to retain data for a certain length of time based on Article 95 which authorises the adoption of measures which have as their object the establishment and functioning of the internal market. The UK which initially has argued that rules on data retention should be subject to national vetoes at the end supported the measure which was adopted by the Justice and Home Affairs Council.

Ireland and Slovakia would have preferred to adopt such measure within the third pillar framework under which unanimity is required at the Council and the European Parliament has solely a consultative power. They voted against the measure but there was a majority support therefore the Council adopted the Data Retention Directive in February 2006.

Ireland brought before the ECJ an action for annulment of Directive 2006/24/EC on data retention. Ireland, supported by the Slovak Republic, took the view that Directive 2006/24 could not be legitimately based on Article 95 EC, but in Title VI of the EU Treaty concerning police and judicial cooperation in criminal matters. According to Ireland if the main objective of the Directive is to facilitate the investigation, detection and prosecution of serious crime, including terrorism it should have been based in Title VI of the EU Treaty. The main objective of the Directive is to combat crime and not to prevent distortions of competition or obstacles to the internal market.

According to the Council although the need to combat crime was a determining factor in adopting the directive any article in the EU Treaty could not have been used as the basis for a measure which amends the obligations imposed on operators by Directive 2002/58 without infringing Article 47 EU. Under Article 47 EU no provisions of the EC Treaty may be affected by a provision of the EU Treaty.

The Advocate General, Yves Bot, on 14 October, took the view that the Directive was rightly based on Article 95 EC. Unsurprisingly, the ECJ has followed the arguments of its Advocate General. In fact, the ECJ is well known for assigning matters of the EU legislature to the Community. Although it seems clear that the purpose of collecting and retaining data for the purpose of police cooperation among Member States is an activity that falls directly within third pillar competence the ECJ rejected Ireland’s claim. The Court found that the Commission had made the right choice in proposing a directive based on Article 95 of the EC Treaty to safeguard “the proper functioning of the internal market through the adoption of harmonised rules.”

The Court pointed out that several Member States have introduced measures intended to impose obligations on service providers on data retention and stressed that “those measures differed substantially.” According to the ECJ such differences on rules adopted on the retention of data relating to electronic communications were likely to have a direct impact on the functioning of the internal market. Hence, the Court held that “Such a situation justified the Community legislature in pursuing the objective of safeguarding the proper functioning of the internal market thought the adoption of harmonised rules.”

The Court found that the directive’s provisions are basically limited to the activities of service providers and do not rule access to data or its use by the police or judicial authorities of the Member States. Consequently, the Court concluded that the directive relates predominately to the functioning of the internal market. Thus, the Court rejected the application for annulment of the data retention Directive.

The Anti-Terrorism, Crime and Security Act 2001 (ATCSA) provides for a voluntary regime for the retention of communications data by communications companies. The Directive requires the UK voluntary system to be replaced by a mandatory system of data retention.

The UK is obliged to implement this Directive since failure to do so would result in infringement proceedings. Nevertheless, it should be recall that it was the UK Government who first proposed this intrusive policy. As abovementioned the UK submitted, with other Member States, to the Council draft framework decision concerned data retention.

The EU Member States were required to implement, by September 2007, the Directive’s provisions concerning fixed network and mobile telecommunications in their national laws but they have been given the option to postpone the application of the Directive to data relating to Internet access, Internet telephony and Internet e –mail until 15 March 2009 and the UK has made a Declaration to the Commission to postpone the application of that part of the Directive.

The Data Retention (EC Directive) Regulations 2009 will come into force in April 2009 and they implement the Data Retention Directive part related to internet data.

Therefore, since 2007, there is a Statutory Instrument in force which transposed the Directive provisions in respect of communications data from fixed line telephony and mobile telephony.

Originally, the Communications Data Bill was supposed to implement the remainder of the Directive but in order to meet the March deadline the transposition of the Directive will be completed by a statutory instrument.

The Data Retention (EC Directive) Regulations 2009 revoke, and supersede, the Data Retention (EC Directive) Regulations 2007 (SI 2007/2199). These draft Regulations incorporate the obligation to retain communications data in relation to fixed line telephony and mobile telephony, as well as internet access, internet email and internet telephony. Hence, from April 2009 internet service providers will be required to keep details of personal internet use. The UK Regulation provides for a retention period of 12 months.

The data will be accessed by the police, security and intelligence agencies and additional public authorities under the Regulation of Investigatory Powers Act 2000 (RIPA).

On 10 February, the Home Office published its Impact Assessment of the transposition of Directive 2006/24/EC, according to which, taxpayers will face a bill of 46.58m for communication companies to retain internet data over the next eight years. The Home Office will pay all costs related to the design, development and installation of Data Retention facilities with communication companies to implement the directive requirements to store communications data. The system will cost around 2.21m a year to run.

Around 19m have already been paid by taxpayers in the last four years, to communication providers, under the Anti-terrorism, Crime and Security Act 2001 (ATCSA) and the Data Retention (EC Directive) Regulations 2007 for storing data. In 2007 and 2008 the Government has paid to communication providers around 4.5million under the EU Directive.

According to the recently published, Draft Statutory Instruments, the Data Retention (EC Directive) Regulations 2009, “These Regulations do not apply to a public communications provider unless the provider is given a notice in writing by the Secretary of State in accordance with this regulation.” Moreover, it reads “The Secretary of State must give a written notice to a public communications provider under paragraph (1) unless the communications data concerned are retained in the United Kingdom in accordance with these Regulations by another public communications provider.” The Home Office is not willing to pay for small Internet service providers (ISP) to retain data for law enforcement purposes. Hence, the Government is planning to call on BT and other bandwidth wholesalers to gather the data from their networks. However, it is far from clear how this plan will work.

The Government is planning to pool all the data held by communications companies directly into a centralised database under the Communications Data Bill. That would cost taxpayers billions of pounds and raises serious concerns over privacy and potential data loss.