Ruling by the European Court, April 8 2014, on Cases C-293/12 and C-594/12
The European Court ruled that the retention directive is invalid because it contravenes the protection of privacy and does not provide for sufficient safeguards, as required by Article 8 of the Charter, to ensure effective protection of the data retained against the risk of abuse and against any unlawful access and use of that data.
The case touches the essence of the validity of regulations such as the retention directive. The first set of issues, consisting of the first question in Case C-293/12, concerns the validity of Directive 2006/24 in the light of Article 5(4) TEU. The High Court asks very specifically whether Directive 2006/24 is, in general, proportionate within the meaning of Article 5(4) TEU, that is to say, whether it is necessary and appropriate to achieve the objectives which it pursues, which are to ensure that certain data are available for the purposes of investigation, detection and prosecution of serious crime and/or to ensure the proper functioning of the internal market. The second set of issues, which comprises the second question in Case C-293/12 and the first question in Case C-594/12, relates to the compatibility of several provisions of Directive 2006/24 with a number of provisions of the Charter, primarily Article 7 on the right to privacy and Article 8 on the right to the protection of personal data, and, more broadly, to the proportionality of the measures which it imposes, within the meaning of Article 52(1) of the Charter. That question of validity is indisputably central to the problems raised by these cases. The second question referred by the Verfassungsgerichtshof in Case C-594/12 raises a third set of issues, concerning the interpretation of the general provisions of the Charter governing its interpretation and application, in the present instance the interpretation and application of Articles 52(3), (4) and (7) and 53.
More specifically, the Verfassungsgerichtshof raises, in essence, the question of the relationship between, on the one hand, Article 8 of the Charter, enshrining the right to the protection of personal data, and, on the other hand, (i) the provisions of Directive 95/46 and Regulation No 45/2001, in connection with Article 52(1) and (3) of the Charter (questions 2.1, 2.2 and 2.3), (ii) the constitutional traditions of the Member States (question 2.4), in connection with Article 52(4) of the Charter, and (iii) the law of the ECHR, in particular Article 8 thereof, in connection with Article 52(3) of the Charter (question 2.5). Finally, the third question of the High Court in Case C-293/12, which comprises the fourth and final set of issues, concerns the interpretation of Article 4(3) TEU and more specifically whether national courts are required, under the duty of sincere cooperation, to examine and assess the compatibility of national provisions transposing Directive 2006/24 with the provisions of the Charter, in particular Article 7 thereof.
The AG stresses the fact that Article 8 of the Charter enshrines the right to the protection of personal data as a right which is distinct from the right to privacy in Article 7. Data protection fits within the protection of the internal market, which was the background intention of the data protection directives from the start, as reflected in the second part of the title of the data protection directive: the free movement of such data.
Still, and this is very important, the AG accepts and underlines, as described in former chapter 4, the fact that there is a fusion between the Charter and the EU Treaty as such, resulting in a harsh opinion on the validity of the actual retention directive in answer to the preliminary question, and proposes the following ruling:
(1) Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC is as a whole incompatible with Article 52(1) of the Charter of Fundamental Rights of the European Union, since the limitations on the exercise of fundamental rights which that directive contains because of the obligation to retain data which it imposes are not accompanied by the necessary principles for governing the guarantees needed to regulate access to the data and their use.
(2) Article 6 of Directive 2006/24 is incompatible with Articles 7 and 52(1) of the Charter of Fundamental Rights of the European Union in that it requires Member States to ensure that the data specified in Article 5 of that directive are retained for a period whose upper limit is set at two years.
I’d close this paragraph with the remark made in the Report of SECILE, an FP7 European Commission project:
The Directive also ranks among the most controversial pieces of counter-terrorism legislation the EU has ever adopted and fierce debate as to its legitimacy and effectiveness has raged since the earliest stages of its drafting to the present day…
On the 8th of April 2014 the Court ruled the directive invalid:
“The Court takes the view that, by requiring the retention of those data and by allowing the competent national authorities to access those data, the directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data.”
The Court ruled that the aim of the directive is to harmonise the law among Member States, taking into account the privacy requirements:
It follows from Article 1 and recitals 4, 5, 7 to 11, 21 and 22 of Directive 2006/24 that the main objective of that directive is to harmonise Member States’ provisions
In considering this the Court took into account the following:
The retention of data for the purpose of possible access to them by the competent national authorities, as provided for by Directive 2006/24, directly and specifically affects private life and, consequently, the rights guaranteed by Article 7 of the Charter. Furthermore, such a retention of data also falls under Article 8 of the Charter because it constitutes the processing of personal data within the meaning of that article and, therefore, necessarily has to satisfy the data protection requirements arising from that article (Cases C-92/09 and C-93/09 Volker und Markus Schecke and Eifert EU:C:2010:662, paragraph 47).
Whereas the references for a preliminary ruling in the present cases raise, in particular, the question of principle as to whether or not, in the light of Article 7 of the Charter, the data of subscribers and registered users may be retained, they also concern the question of principle as to whether Directive 2006/24 meets the requirements for the protection of personal data arising from Article 8 of the Charter. 
To establish the existence of an interference with the fundamental right to privacy, it does not matter whether the information on the private lives concerned is sensitive or whether the persons concerned have been inconvenienced in any way (see, to that effect, Cases C-465/00, C-138/01 and C-139/01 Österreichischer Rundfunk and Others EU:C:2003:294, paragraph 75). 
As a result, the obligation imposed by Articles 3 and 6 of Directive 2006/24 on providers of publicly available electronic communications services or of public communications networks to retain, for a certain period, data relating to a person’s private life and to his communications, such as those referred to in Article 5 of the directive, constitutes in itself an interference with the rights guaranteed by Article 7 of the Charter.
Furthermore, the access of the competent national authorities to the data constitutes a further interference with that fundamental right (see, as regards Article 8 of the ECHR, Eur. Court H.R., Leander v. Sweden, 26 March 1987, § 48, Series A no 116; Rotaru v. Romania [GC], no. 28341/95, § 46, ECHR 2000-V; and Weber and Saravia v. Germany (dec.), no. 54934/00, § 79, ECHR 2006-XI).
Accordingly, Articles 4 and 8 of Directive 2006/24 laying down rules relating to the access of the competent national authorities to the data also constitute an interference with the rights guaranteed by Article 7 of the Charter.
Likewise, Directive 2006/24 constitutes an interference with the fundamental right to the protection of personal data guaranteed by Article 8 of the Charter because it provides for the processing of personal data. 
The Court takes into account the fact that the fight against terrorism is important and represents the individual right to security next to liberty (privacy), and that the use of electronic data forms a necessary ingredient in this “war”:
It is apparent from the case-law of the Court that the fight against international terrorism in order to maintain international peace and security constitutes an objective of general interest (see, to that effect, Cases C-402/05 P and C-415/05 P Kadi and Al Barakaat International Foundation v Council and Commission EU:C:2008:461, paragraph 363, and Cases C-539/10 P and C-550/10 P Al-Aqsa v Council EU:C:2012:711, paragraph 130). The same is true of the fight against serious crime in order to ensure public security (see, to that effect, Case C-145/09 Tsakouridis EU:C:2010:708, paragraphs 46 and 47). Furthermore, it should be noted, in this respect, that Article 6 of the Charter lays down the right of any person not only to liberty, but also to security.
But those instruments have to be proportionate to the purpose:
In that regard, according to the settled case-law of the Court, the principle of proportionality requires that acts of the EU institutions be appropriate for attaining the legitimate objectives pursued by the legislation at issue and do not exceed the limits of what is appropriate and necessary in order to achieve those objectives (see, to that effect, Case C-343/09 Afton Chemical EU:C:2010:419, paragraph 45; Volker und Markus Schecke and Eifert EU:C:2010:662, paragraph 74; Cases C-581/10 and C-629/10 Nelson and Others EU:C:2012:657, paragraph 71; Case C-283/11 Sky Österreich EU:C:2013:28, paragraph 50; and Case C-101/12 Schaible EU:C:2013:661, paragraph 29).
It takes into account that
where interferences with fundamental rights are at issue, the extent of the EU legislature’s discretion may prove to be limited, depending on a number of factors, including, in particular, the area concerned, the nature of the right at issue guaranteed by the Charter, the nature and seriousness of the interference and the object pursued by the interference (see, by analogy, as regards Article 8 of the ECHR, Eur. Court H.R., S. and Marper v. the United Kingdom [GC], nos. 30562/04 and 30566/04, § 102, ECHR 2008-V).
As regards the necessity for the retention of data required by Directive 2006/24, it must be held that the fight against serious crime, in particular against organised crime and terrorism, is indeed of the utmost importance in order to ensure public security and its effectiveness may depend to a great extent on the use of modern investigation techniques. However, such an objective of general interest, however fundamental it may be, does not, in itself, justify a retention measure such as that established by Directive 2006/24 being considered to be necessary for the purpose of that fight.
Consequently, the EU legislation in question must lay down clear and precise rules governing the scope and application of the measure in question and imposing minimum safeguards so that the persons whose data have been retained have sufficient guarantees to effectively protect their personal data against the risk of abuse and against any unlawful access and use of that data (see, by analogy, as regards Article 8 of the ECHR, Eur. Court H.R., Liberty and Others v. the United Kingdom, 1 July 2008, no. 58243/00, § 62 and 63; Rotaru v. Romania, § 57 to 59, and S. and Marper v. the United Kingdom, § 99). 
Here too, following the opinion of the AG, it is considered of the utmost importance to specify rules, circumstances and guarantees in a transparent way. Because the directive requires the retention of all electronic communication of all European citizens without exception by all member states, the Court states that “It therefore entails an interference with the fundamental rights of practically the entire European population”.
And it does not, in any way, discriminate as to the access of authorities, nor does it specify the offences concerned that legitimise this access.
Secondly, not only is there a general absence of limits in Directive 2006/24 but Directive 2006/24 also fails to lay down any objective criterion by which to determine the limits of the access of the competent national authorities to the data and their subsequent use for the purposes of prevention, detection or criminal prosecutions concerning offences that, in view of the extent and seriousness of the interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter, may be considered to be sufficiently serious to justify such an interference. On the contrary, Directive 2006/24 simply refers, in Article 1(1), in a general manner to serious crime, as defined by each Member State in its national law.
Other aspects of the directive are also considered invalid on the basis of the unspecified way in which they are laid down in the directive, such as, of course, the retention period:
Furthermore, that period is set at between a minimum of 6 months and a maximum of 24 months, but it is not stated that the determination of the period of retention must be based on objective criteria in order to ensure that it is limited to what is strictly necessary
As to the verdict:
It follows from the above that Directive 2006/24 does not lay down clear and precise rules governing the extent of the interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter. It must therefore be held that Directive 2006/24 entails a wide-ranging and particularly serious interference with those fundamental rights in the legal order of the EU, without such an interference being precisely circumscribed by provisions to ensure that it is actually limited to what is strictly necessary.
Moreover, as far as concerns the rules relating to the security and protection of data retained by providers of publicly available electronic communications services or of public communications networks, it must be held that Directive 2006/24 does not provide for sufficient safeguards, as required by Article 8 of the Charter, to ensure effective protection of the data retained against the risk of abuse and against any unlawful access and use of that data. In the first place, Article 7 of Directive 2006/24 does not lay down rules which are specific and adapted to (i) the vast quantity of data whose retention is required by that directive, (ii) the sensitive nature of that data and (iii) the risk of unlawful access to that data, rules which would serve, in particular, to govern the protection and security of the data in question in a clear and strict manner in order to ensure their full integrity and confidentiality. Furthermore, a specific obligation on Member States to establish such rules has also not been laid down 
Also, control by an independent authority of compliance with the requirements of protection and security, as required by Article 8(3) of the Charter, is not required in the directive.
On those grounds, the Court (Grand Chamber) hereby rules:
Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC is invalid.
Rob van den Hoven van Genderen
 AG in par. 55: Although data protection seeks to ensure respect for privacy, it is, in particular, subject to an autonomous regime, primarily determined by Directive 95/46, Directive 2002/58, Regulation No 45/2001 and Directive 2006/24 and, in the field of police and judicial cooperation in criminal matters, by Framework Decision 2008/977/JHA.
 The EU Data Retention Directive: a case study in the legitimacy and effectiveness of EU counter-terrorism policy, SECILE – Securing Europe through Counter-Terrorism – Impact, Legitimacy & Effectiveness
A Project co-funded by the European Union within the 7th Framework Programme – SECURITY theme.
 DIGITAL RIGHTS IRELAND AND SEITLINGER AND OTHERS
JUDGMENT OF 8. 4. 2014 — JOINED CASES C-293/12 AND C-594/12 I-18
 Idem par 35, 36, I-20