Slashdot Mirror
Court Overturns Dutch Data Retention Law, Privacy More Important
wabrandsma writes According to DutchNews.nl: "Internet providers no longer have to keep their clients phone, internet and email details because privacy is more important, a Dutch court ruled on Wednesday." Digital rights organization Bits of Freedom writes in a blog: "The law's underlying European directive was meant as a tool in the fight against serious crimes. The Dutch law, however, is much more expansive, including everything from terrorism to bike theft. During the hearing, the state's attorneys avowed that the Public Prosecution does not take the law lightly, and would not call on the law to request data in case of a bicycle theft. The judge's response: it doesn't matter if you exploit the possibility or not, the fact that the possibility exists is already reason enough to conclude that the current safeguards are unsatisfactory."
It does in the second link: District court of The Hague.
This is actually a completely unsurprising decision, since there already was a European law saying that such data retention is illegal. However, this European law postdates the Dutch law, and therefore this is just a "fix" of the Dutch law. It is widely described as such.
So while in principle this is a great decision, it is no surprising decision run my good motives: like seemingly all good decisions that are being taken in European countries, they are motivated by EU law. Which time and time again appears to be a good thing.
First, the EU directive on which this law was built upon, itself was already pulled because of being too unbalanced. Thus the Netherlands are no longer required to have a data retention law at all. So, from an EU point of view, no one in Brussels actually cares anymore if the Netherlands have a data retention law. They can do so if they want, but that's an entirely different matter (and even a new one has to take into account the verdict of the European High Court which pulled the old directive).
Second: If a new directive was in place which conforms to the verdict of the European High Court, the member states have to work out new data retention laws which also conform to the verdict and to their respective constitutions. If they don't manage to do so, they will be sued for EU contract violation, and then they have to argue why their new data retention law is not in place yet. This could even work out to the theoretical new directive being pulled too, if not enough member states are able to create constitutionally acceptable data retention laws.
But all those laws define requirements for telcos and internet providers, they totally leave out the ability or the legality of secret service agencies to gain access to the data and create their own data retention. My guess is that the whole data retention bruhaha came up because the spy agencies already did all those things without a legal base, and now the governments wanted them to be legalized in a way that the results could be used in the open. Maybe some envy between police forces and spy agencies also played a role, and the police wanted to have the same abilities.
The short answer is that a national judge's ruling doesn't directly affect other countries, although it could indirectly affect them if it leads to an appeal to a European court and their ruling clarifies the law in a way which is incompatible with other countries' implementations.
The longer answer: EU law works by means of "directives" which each country then implements in its national law. Each directive comes with a deadline to implement it, although typically most countries miss the deadline. But in principle the European Commission can sue a country which fails to implement a directive, and fines can be levied. The issue here is that the Dutch implementation of the Data Retention Directive went further than the minimal requirements, and the judge has ruled it incompatible with other European law. (It's not clear from either of the articles whether that was the Data Protection Directive or the European Convention on Human Rights*).
The two main options now would be that the Dutch government appeals to a European court (the European Court of Justice if it was the Data Protection Directive that formed the basis of the ruling, or the European Court of Human Rights if it was the ECHR); or that it passes a replacement law which sticks closer to the Data Retention Directive. If it doesn't do either of those, it would be failing to fulfil its obligation to implement that directive.
* Not EU law, but I think all EU countries are members of the European Council, and the most recent constitutional treaty of the EU commits the EU as an organisation to acceding to the ECHR.