Niklas Vainio

The European Union introduced the Data Retention Directive (“the Directive”) after the terrorist attacks in Madrid and London in 2004. The purpose of the Directive was to obligate telecommunication service providers to retain specified phone and internet-related metadata in order to ensure that the data were available for the purpose of the investigation, detection and prosecution of serious crime (art. 1(1) of the Directive).

The Directive was heavily criticised for its strong interference with fundamental rights, particularly the right to privacy and the right to protection of personal data. It required Member States to oblige telecommunications companies to store all traffic data about all phone calls, internet access and e-mail communications that take place in their network. The data was to be retained for a period of 6–24 months, depending on the national implementation of the Directive. Access to the data was not regulated in the Directive, as it is outside the jurisdiction of the EU. The European Data Protection Supervisor, the Article 29 Working Party, and digital rights organisations expressed strong concerns about the necessity and proportionality of the proposal.

The constitutionality of the data retention regime was challenged in several Member State courts, with each challenge leading to an annulment of the domestic retention law. An EU-level judgment was finally given in April 2014 when the Court of Justice of the European Union (“the CJEU”) gave its ruling in the joined cases of Digital Rights Ireland and Seitlinger. The judgment declared the Directive invalid on the grounds that it violated the rights to privacy and data protection and exceeded the limits of what was acceptable in the view of the principle of proportionality. Although counted as a victory by privacy advocates, the ruling has not led to the uniform consequences which one might expect. Several court decisions were given after the ruling, again striking down the national data retention laws, yet governments in other Member States have taken a completely different direction, either by keeping their data retention laws unchanged—or even expanding them.

In this article, compliance of the Member States with the judgment is studied. The purpose of directives and the interpretations given by the CJEU is to harmonise the law in the Union. This begs the question: Why do the readings of the directive and judgment lead to such different outcomes? Also, as long as the status of data retention remains unclear—with some Member States still retaining data—does the Charter of Fundamental Rights effectively protect the rights to privacy and data protection?

Ohjelmistoja on kehitetty avoimissa yhteisöissä alkaen 1960-luvulta, jolloin syntyi ns. hakkerikulttuuri ja sen myötä vapaiden ohjelmistojen liike. Erityisesti akateemisessa maailmassa ohjelmistojen avoimuus on ollut pääsääntö. Suljettujen, kaupallisten ohjelmistojen merkitys alkoi kasvaa 1980-luvulla. 2000-luvulla avoin malli on tullut jälleen suosituksi. Kamppailu avoimen ja suljetun tai vapaan ja omistetun mallin välillä on alkujaan ideologinen.