¹ EC Directive 2006/24 of 15 March 2006, O.J. 2006 L 105/54.Google Scholar

² EC Directive 2002/58 of 12 July 2002, O.J. 2002 L 201/37.Google Scholar

³ Namely, the Bulgarian Supreme Administrative Court, in 2008, the Romanian Constitutional Court, in 2009, the German Federal Constitutional Tribunal, in 2010, the Czech Constitutional Court, in 2011, and the Cypriot Supreme Court, in 2011.Google Scholar

⁴ According to the system of constitutional review of legislation in place in Ireland, the High Court is, together with the Supreme Court, the judicial authority empowered to check the compliance of the legislation enacted with the Constitution.Google Scholar

⁵ See Boehm, Franziska & Cole, Mark D., Data Retention after the Judgment of the Court of Justice of the European Union 41 (2014), available at http://www.greens-efa.eu/.Google Scholar

⁶ “This Directive aims to harmonize Member States’ provisions concerning the obligations of the providers of publicly available electronic communications services or of public communications networks with respect to the retention of certain data which are generated or processed by them, in order to ensure that the data are available for the purpose of the investigation, detection and prosecution of serious crime, as defined by each Member State in its national law.” EC Directive 2006/24, supra note 1, at Art. 1.Google Scholar

⁷ Id. at Preamble, para. 10.Google Scholar

⁸ The Treaty of the European Union, adopted in Maastricht in 1992, introduced a new institutional structure for the EU, which remained until the adoption and the entry into force of the Treaty of Lisbon. This institutional structure was composed of three “pillars”: the first, so-called Community pillar, which corresponded to the three Communities: the European Community, the European Atomic Energy Community (EURATOM), and the former European Coal and Steel Community (ECSC); the second pillar devoted to the common foreign and security policy (Title V of the Treaty on European Union); finally, the third pillar devoted to police and judicial cooperation in criminal matters (Title VI of the Treaty on European Union).Google Scholar

⁹ Case C–301/06, Ireland v. European Parliament and Council of the European Union, 2009 E.C.R. I-00593.Google Scholar

¹⁰ Press Release, Court of Justice of the European Union, No 11/09, 1 (10 February 2009), http://curia.europa.eu/jcms/upload/docs/application/pdf/2009-03/cp090011en.pdf.Google Scholar

¹¹ “Ireland submits that the choice of Art. 95 EC as the legal basis for Directive 2006/24 is a fundamental error. Neither Article 95 EC nor any other provision of the EC Treaty is, in its view, capable of providing an appropriate legal basis for that directive. Ireland argues principally that the sole objective or, at least, the main or predominant objective of that directive is to facilitate the investigation, detection and prosecution of crime, including terrorism. Therefore, the only legal basis on which the measures contained in Directive 2006/24 may be validly based is Title VI of the EU Treaty, in particular Articles 30 EU, 31(1)(c) EU and 34(2)(b) EU.” Ireland, Case C–301/06 at para. 28.Google Scholar

¹² Id. at paras. 83–85.Google Scholar

¹³ See EC Directive 2006/24, supra note 1, at Art. 5 for further technical details.Google Scholar

¹⁴ EC Directive 97/66 of 15 December 1997, O.J. 1998 L 024/01.Google Scholar

¹⁵ In particular, the Directive prescribed that traffic data had to be deleted or made anonymous at the very end of each communication; it also generally prohibited the extensive retention of data.Google Scholar

¹⁶ EC Directive 2002/58, supra note 2.Google Scholar

¹⁷ Id. at Art. 15.Google Scholar

¹⁸ EC Directive 2006/24, supra note 1, at Art. 11 (“the following paragraph shall be inserted in Article 15 of Directive 2002/58/EC: la. Paragraph 1 shall not apply to data specifically required by Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks to be retained for the purposes referred to in Article 1(1) of that Directive.”).Google Scholar

¹⁹ Id. at Art. 4.Google Scholar

²⁰ This option was adopted by Austria, Belgium, Cyprus, Czech Republic, Estonia, Finland, Germany, Greece, Latvia, Lithuania, Luxembourg, the Netherlands, Poland, Slovenia, Sweden, and the UK. For the specific legislation through which Member States transposed the Directive see the EUR-Lex register, available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX.Google Scholar

²¹ Namely, Austria, the Netherlands, and Sweden in May 2009; Greece and Ireland in November 2009; and Germany in May 2012.Google Scholar

²² Art. 7 CFR: “Respect for private and family life – Everyone has the right to respect for his or her private and family life, home and communications.”Google Scholar

²³ Art. 8 CFR: “Protection of personal data - 1. Everyone has the right to the protection of personal data concerning him or her. 2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. 3. Compliance with these rules shall be subject to control by an independent authority.”Google Scholar

²⁴ Art. 11 CFR: “Freedom of expression and information - 1. Everyone has the right to freedom of expression. This right shall include freedom to hold opinions and to receive and impart information and ideas without interference by public authority and regardless of frontiers […].”Google Scholar

²⁵ TFEU Art. 16, para. 1.Google Scholar

²⁶ See EC Directive 2006/24, supra note 1, at Art. 1.Google Scholar

²⁷ COM(2005) 438 final, 21 September 2005.Google Scholar

²⁸ Art. 52(1) CFR: “1. Any limitation on the exercise of the rights and freedoms recognised by this Charter must be provided for by law and respect the essence of those rights and freedoms. Subject to the principle of proportionality, limitations may be made only if they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others.”Google Scholar

²⁹ Bulgarian Supreme Administrative Court, No 13627, 11 December 2008, at http://www.capital.bg/getatt.php?filename=o_598746.pdf.Google Scholar

³⁰ Romanian Constitutional Court Decision no. 1258 of 8 October 2009, R.O.M. No. 789, 23 November 2009.Google Scholar

³¹ German Constitutional Court, 1 BvR 256/08, Judgment of 2 March 2010.Google Scholar

³² Czech Constitutional Court, Decision of 22 March 2011, Official Gazette of the Czech Republic 1 April 2011.Google Scholar

³³ Supreme Court of Cyprus, Civil applications 65/2009, 78/2009, 82/2009, 15/2010, 22/2010, Judgment of 1 February 2011, available in Greek at http://www.supremecourt.gov.cy.Google Scholar

³⁴ For more detailed information about the Hungarian case and other pending ones on the DRD, see Kosta, Eleni, The way to Luxemburg: national Court decision on the compatibility of the Data Retention Directive with the rights to privacy and data protection, 10/3 Scripted, 339 (2013).Google Scholar

³⁵ Boehm & Cole, supra note 5, at 14.Google Scholar

³⁶ Id. at 19.Google Scholar

³⁷ Bulgaria transposed the Directive in the Regulation No. 40 of the Ministry of Interior of 7 January 2000 (available at http://lex.bg/laws/ldoc/2135577924). The NGO “Program Action to Information” filed a complaint at the Bulgarian Supreme Administrative Court, after the transposition of the Data Retention Directive, claiming the violation of the right to privacy caused by the Regulation.Google Scholar

³⁸ Art. 5, Regulation No.40 of the Ministry of Interior of 7 January 2000 (note 37).Google Scholar

³⁹ Art. 32, Constitution of the Republic of Bulgaria, Jul. 1991, SG 56/13: “(1) The privacy of citizens shall be inviolable. Everyone shall be entitled to protection against any illegal interference in their private or family affairs and against encroachments on their honour, dignity and reputation. (2) No one shall be followed, photographed, filmed, recorded or subjected to any other similar activity without their knowledge or despite their express disapproval, except when such actions are permitted by law.”Google Scholar

⁴⁰ As it has been pointed out, “[…] the decision is important, as it was the first decision of a national court that examined data retention in relation to the right to privacy of citizens, albeit on an issue that the Directive left to the Member States to regulate. Moreover, the direct reference to Art. 8 ECHR rather than merely to the relevant provision of the Bulgarian Constitution illustrates the importance of data retention aspects with regard to the right to privacy.” See Kosta, supra note 34, at 346.Google Scholar

⁴¹ Bulgarian Supreme Administrative Court, Decision No 13627 (note 29).Google Scholar

⁴² Romanian Constitutional Court Decision no. 1258 (note 30).Google Scholar

⁴³ Law No. 298/2008, Official Monitor No. 780 of 21 November 2008.Google Scholar

⁴⁴ Eur. Court H.R., Rotaru v. Romania, Judgment of 4 May 2000, Reports of Judgments and Decisions 2000–V; Eur. Court H.R., Sunday Times v. UK, Judgment of 26 April 1979, Series A, No. 30; Eur. Court H.R., Prince Hans-Adam of Liechtenstein v. Germany, Judgment of 12 July 2001, Reports of Judgments and Decisions 2001–VIII.Google Scholar

⁴⁵ Art. 8, ECHR, “1. Everyone has the right to respect for his private and family life, his home and his correspondence. 2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.”Google Scholar

⁴⁶ As underlined by the Court: “[…] the continuous limitation of the privacy right and the secrecy of correspondence makes the essence of the right disappear by removing the safeguards regarding its execution. The physical and legal persons, mass users of the public electronic communication services or networks, are permanent subjects to this intrusion into their exercise of their private rights to correspondence and freedom of expression, without the possibility of a free, uncensored manifestation, except for direct communication, thus excluding the main communication means used nowadays.” Romanian Constitutional Court Decision no. 1258.Google Scholar

⁴⁷ “The adoption of a law implementing the Data Retention Directive in Germany faced immense public outcry. After the transposition of the Directive into German law, the German Constitutional Tribunal was called upon to decide on the compatibility of specific provisions of the legislation with the right to the secrecy of communications and the right to informational self-determination.” See Kosta, supra note 34, at 349.Google Scholar

⁴⁸ German Constitutional Court (Bundesverfassungsgericht), 1 BvR 256/08, Judgment of the of 2 March 2010, http://www.bverfg.de/pressemitteilungen/bvgl0-011en.html Google Scholar

⁴⁹ Art. 10 Basic Law for the Federal Republic of Germany: “(1) The privacy of correspondence, posts and telecommunications shall be inviolable. (2) Restrictions may be ordered only pursuant to a law. If the restriction serves to protect the free democratic basic order or the existence or security of the Federation or of a Land, the law may provide that the person affected shall not be informed of the restriction and that recourse to the courts shall be replaced by a review of the case by agencies and auxiliary agencies appointed by the legislature.”Google Scholar

⁵⁰ Law Enforcement.Google Scholar

⁵¹ Boehm & Cole, supra note 5, at 17.Google Scholar

⁵² Id. Google Scholar

⁵³ Civil Applications 65/2009, 78/2009, 82/2009, 15/2010 and 22/2010, supra note 33. See Markou, Christiana, The Cyprus and other EU court rulings on data retention: The Directive as a privacy bomb, 28 Computer L. & Security Rev. 468 (2012).Google Scholar

⁵⁴ See Kosta, supra note 34, at 353. For a complete analysis of the issue see Supreme Court of Cyprus, Decision of civil applications 65/2009, 78/2009, 82/2009, 15/2010, 22/2010, 1 February 2011, available at http://www.supremecourt.gov.cy.Google Scholar

⁵⁵ Art. 1A of the Constitution of Cyprus was amended in 2006 and provides that: “[n]o provision of the Constitution shall be deemed as overriding any legislation, acts or measures enacted or taken by the Republic that are deemed necessary due to its obligations as a Member State of the European Union, neither does it prevent Regulations, Directives or other Acts or binding measures of a legislative character, adopted by the European Union or the European Communities or by their institutions or competent bodies thereof on the basis of the Treaties establishing the European Communities or the Treaty of the European Union, from having legal effect in the Republic.”Google Scholar

⁵⁶ Irish High Court, Digital Rights Ireland Ltd. v. Minister for Communication & Others, Judgment of 5 May 2010, [2010] IEHC 221.Google Scholar

⁵⁷ The proposal for an updating of the EU legislation in the matter of data retention and security provisions to counter terrorism, from which the DRD eventually originated, was put forward by Ireland during its turn of Presidency of the EU in April 2004. In submitting its proposal for a Framework Decision on Data Retention (Council Document 8958/04, ADD1, of 28 April 2004), the Irish Government was both officially pushing for a concrete response to the terrorist attacks that occurred in Madrid a month earlier and searching for a supranational normative solution to a critical situation that had arisen in its internal legal order. Ireland had set up a comprehensive telecommunication law relatively early, in 1983 (Postal and Telecommunication Services Act, 1983. For the complete text of this and the other quoted Irish laws, see http://acts.oireachtas.ie/en.toc.decade.html), and then perfected it with the Data Protection Act of 1988, (approved in order to harmonize the Irish normative framework with the requirements of the Convention for the protection of individuals with regard to automatic processing of personal data, signed in Strasbourg on 28 January 1981), that regulated the management of communication data and instituted the Data Protection Commissioner, in charge of the supervision and monitoring over the respect of the Convention. The effectiveness of these normative efforts was seriously impaired by the absence of a comprehensive discipline of metering, that is to say the collection and disclosure of telephonic traffic and location data. In particular, although the access of public security authorities to communication data in case of State security and offence prosecution needs was somehow limited and subdued to formal prescriptions, no preemptive independent authorization was prescribed for collecting the data, nor specific monitoring over their use established; such use was not bound to necessity or proportionality requirements, and it was not circumscribed to serious offences; no time limit was furthermore set for the collection and retention of traffic and location data (see T.J. McIntyre, Data retention in Ireland: Privacy, policy and proportionality, in 24 Computer L. & Security Rep. 326, 327 (2008)). The parallel development of the then European Community's discipline in the field of telecommunication, with the approval of the Directive 97/66/EC, supra note 14, gave Ireland a chance to complete its legislative coverage of metering, but again no transposing law was passed until 2002, thus substantially leaving telecommunication operators free to decide whether to retain traffic data; the only requirements were that the retained information to be somehow relevant and by no means excessive, and their storage was generally allowed for no longer than necessary to its purpose. In late 2001, an enquiry revealed the Irish mobile telephone companies would retain traffic and location data for a period of six years, making them available to the public security authorities when requested (see Irish, know where you've been, Wired News, Nov. 9, 2001). The issue was brought to the attention of the Data Protection Commissioner, who concluded that the length of the storage period was inconsistent with both the Data Protection Act and the relevant EU normative framework, and set it to a maximum of six months. The Commissioner's decision was opposed by the institutions (and in particular, by the Department of Justice, which rather sustained that the maximum retention period should have been established at three years in case of security exigencies), that in an attempt to circumvent it, relying upon section 110 of the Postal and Telecommunication Act 1983, created a secret direction in which the said companies were ordered to instead keep any kind of traffic data for three years. The provision, severely limiting the right to privacy, was in manifest contradiction with both the dispositions of Directive 97/66/EC and Art. 8 of the ECHR, stating that any interference by a public authority with the exercise of the right to respect for private and family life, home and correspondence is only admissible when it happens in accordance with the law. A character of the said direction was evidently missing, in this—moreover—illegitimately overstepping the powers and prerogatives of the Irish Parliament and, as a consequence, also those of the judiciary in the exercise of its power of reviewing legislation. Eventually informed of the direction, the Data Protection Commissioner challenged it on the basis of these legal standpoints, obtaining the commitment of the Minister of Justice to submit to the Parliament a Bill properly regulating the issue within some months, by the end of 2002. In the meantime, the direction would have worked as a provisional measure. The originally proposed deadline of late 2002 was eventually missed, and the Irish Government decided to postpone the whole proceeding, “lifting” it within the EU context with the proposal of a Framework Decision on Data Retention. In parallel, an unrelated Bill translating into law the content of the 2002 direction through an amendment to the Criminal Justice (Terrorist Offences) Act 2005, was surreptitiously introduced at the Irish Parliament, and finally approved in 2005, also as a response to the activism of the Data Protection Commissioner, who had in the meantime at first ordered telecommunication providers to delete any traffic data in their possession that had been stored for longer than six months, and then raised the issue in front of the Irish Courts (See Irish Court of Criminal Appeal, People (DPP) v. Murphy, 2005 IE CCA 1). In its Part 7, the so-approved Criminal Justice (Terrorist Offences) Act officially established that traffic and location data transmitted through a fixed line or mobile phone had to be retained by the competent providers for a period of three years upon request of the Commissioner of the police force, in order to allow—as stated by Section 63—”(a) the prevention, detection, investigation or prosecution of crime (including but not limited to terrorist offences), or (b) the safeguarding of the security of the State.” Such data could, as per the previous legislation, be acceded and disclosed upon authorization (that had to be countersigned by a senior member of the police or military force), the disclosure being mandatory for the providers once requested (see Kosta, Eleni & Valcke, Peggy, Retaining the Data Retention Directive, 22 Computer L. & Security Rep. 377 (2006)). Meanwhile, on the EU front, the former Proposal for a Framework Decision, that Ireland wished to be approved within the Third Pillar, had instead been passed as a First Pillar Directive; after its coming into force, the Irish Government challenged its legal basis in front of the CJEU (at the time still named European Court of Justice), under Article 230 Treaty on the European Community (TEC) (now Article 263 TFEU. See Ireland, Case C–301/06). Later on in 2009, the CJEU ruled against the Irish Government, confirming that the Directive had been properly approved under Art. 95 TEC (now Art. 117 TFEU). After the entry into force of the Directive, the Irish society witnessed the start of a new and feverish phase of debate that led to the referral of both the Directive and the national legislation in the field of retention of data to the Irish High Court.Google Scholar

⁵⁸ That was in fact the predecessor of the Minister for Communication, Marine and Natural Resources.Google Scholar

⁵⁹ See supra note 57.Google Scholar

⁶⁰ Originally, the Plaintiff also asked for the CJEU to specify whether the Directive was lacking the correct legal basis in EU law, but the question was dismissed during the proceedings after the delivery of the recalled Ireland, Case C–301/06.Google Scholar

⁶¹ Irish High Court, Digital Rights Ireland Ltd. at para. 109.Google Scholar

⁶² It must not be forgotten that, notwithstanding the judicial proceedings, the Irish Government still had to fulfill its duty to enact Directive 2006/24/EC, whose content was transfused in the Communication (Retention of Data) Act 2011 introducing the necessary modifications to the recalled national pre-existing legal framework on the matter; the intervention was quite limited, basically consisting in the establishment of a new mandatory retention period, that was set to two years for the telephonic traffic data and one year for the internet ones. The implementation of the new provisions was characterized by a peculiar attention to the judicial evolutions of the case in front of the EU Court.Google Scholar

⁶³ After the entry into force of the Directive, Austria was among the most reluctant Member States in transposing its content. Once implemented, in fact, the DRD would have significantly overturned the Austrian internal legislation in this matter (contained in the Austrian Code of Criminal Procedure, in the Telekommunikationsgesetz (Telecommunication Act, hereinafter TKG) 2003—Federal Law Gazette I No. 70/2003 and in the Datenschutzgesetz (Data Protection Act) 2000, DSG, BGBl. I 165/1999, as amended by BGBl. I 112/2011), originally extremely cautious in allowing the retention and processing of communication data, establishing the requisite of the users’ consent as unavoidable in order to store any data relating to them, and imposing the shortest possible retention period. This explains the fierce opposition showed by the Austrian society at the entry into force of Directive 2006/24/EC that was the main cause of the delay in transposing the Directive into this legal order. Such an opposition had evidently been foreseen by the Austrian Government (on its side skeptical about the DRD's content), that had in fact declared, pursuant to Art. 15(3) of the Directive, that it was going to postpone its application for 18 months after the deadline of September 2007. The very first transposition bill, introduced to the Austrian Parliament in 2007, was repeatedly put off due to the massive public resistance, causing the missing of the prescribed March 2009 deadline. The European Commission consequently brought an action against Austria before the CJEU for an infringement of the EC Treaty (Case C–189/09, Commission v. Austria, 2010 E.C.R. I–00099), and on 29 July 2010, the CJEU predictably ruled against the Austrian State. Urged to remediate, the Federal Ministry for Transport, Innovation and Technology hence published a new Bill for transposition, consisting in a series of cautious amendments to the TKG, aimed at limiting any interference with fundamental rights as much as possible. In order to appease the internal climate of criticism, the public was involved in the Bill's drafting before its presentation to the Parliament, through the possibility to submit any observations on its content by February 2010. The amended TKG released by the Austrian Legislature on 18 May 2011 therefore aimed at complying with the minimum requirements of the Directive: the maximum data retention period for telecommunication services providers was set to six months after the termination of a communication, admitting it “solely for the purpose of investigating, identifying and prosecuting criminal acts whose severity justifies an order pursuant to art 135 par. 2a Code of Criminal Procedure.” This latter provision introduced the admissibility of the transmission of information on retained communication data, in case the same was deemed to be useful in order to investigate on the commission of serious criminal acts carrying a sentence of more than one year (or in some listed cases six months) imprisonment, acts among which a specific mention was made for “committed or planned” crimes related to terrorism. The data to be retained consisted, as required by the Directive, in phone, internet and email traffic data (with the exclusion, of the content of such a kind of communications); in particular, as to telephone traffic the providers had to retain, inter alia, the phone numbers of the caller and called person (including call-forwarding related data), the names and addresses of both the caller and the called, the start date and time and the duration of the communication, the type of service used (whether call or message), and in case of use mobile phones the location in which the caller and called were at the start of the communication; as to internet traffic, the relevant data were name, address, and identifier of the subscriber to whom a public IP address was assigned, the date and time of the assignment and revocation of a public IP address for an Internet access service, the calling telephone number for dial-up access and the identifier of the line over which Internet access was established; finally, for e-mail communications, the providers were to store the identifier assigned to a subscriber, the IP address of the sender and of each recipient of the e-mail, and the time of each login and logout of an user to an e-mail service, the date, time, identifier and public IP address of the subscriber. In order to do so, the providers of telecommunication services were obliged to “make available all facilities necessary for monitoring communications and for providing information on data in communications”; due to the cost of such an undertaking, the obligation to retain data was restricted to the operators of public communication networks, the private (and therefore generally smaller) ones being left out in order to keep them from being forced to bear disproportionate cost. Public security Authorities and Tribunals could access the stored data upon a court-approved order, issued by the public prosecutor's office pursuant to Article 135.2a of the Code of Criminal Procedure. Upon receiving the access request from the Court and having checked its validity, the providers had to extract the indicated data without delay, encrypt them, and transmit them to the requesting authority, making sure at the same time to store the request's log data (that is to say, to keep trace of the received request and of the actions that followed it) for a period of three years and to transmit them to the Federal Minister of Justice (that in its turn has the duty to report them to the EU Commission and the Austrian National Council), and to the Austrian Data Protection Commission and Data Protection Council (established and disciplined by Sect. 7 of the cited Datenschutzgesetz 2000), charged with supervising the protection of data, granting their security and monitoring the compliance to the cited provisions. To guarantee the security of the stored data, the providers had to take the appropriate technical measures to ensure that they could “be accessed only by authorized persons with due adherence to the principle of dual control”; moreover, the storage had to be performed in such a way that a distinction could in any moment be made among the different data, and that the “unlawful destruction, accidental loss or unlawful storage, processing, access and disclosure” of the same were prevented. Albeit carefully formulated, and involving society and the interested organization to construct a comprehensive system of guarantees and control over the retention of communication data, and declaredly adopting the lightest of the measures prescribed by the Directive, it nevertheless led to profound public criticism after its coming into force in April 2012.Google Scholar

⁶⁴ Application G 47/12.Google Scholar

⁶⁵ Application G 59/12.Google Scholar

⁶⁶ Id. Google Scholar

⁶⁷ Applications G 62,70, 71/12.Google Scholar

⁶⁸ Request of a preliminary ruling from the Verfassungsgerichtshof (Austria), Case C–594/12 of 19 December 2012.Google Scholar

⁶⁹ As is known, Slovenia is a parliamentary democratic republic; it became an independent State after the disintegration of Yugoslavia in 1991; on 23 December 1991, after the plebiscite on the sovereignty and independence of Slovenia of 23 December 1990, the Constitution of the Republic was adopted. Slovenia has a bicameral Parliament, composed of the National Assembly and the National Council. The Slovenian Parliament is characterized by an asymmetric duality, because the Chambers do not have equal powers. The National Assembly (Državni zbor) is comprised of ninety deputies, elected for a four-year term, with one representative of each of the Hungarian and Italian minorities. The National Assembly exercises legislative power, voting, and monitoring functions. The National Council (Državni svet) is the upper house of the Slovenian Parliament and represents social, economic, professional, and local interests. The President of the Republic is the head of State and is elected by the people for a five year term. It represents the unity of the nation and is the head of the armed forces. It is the head of government and holds the executive power with the latter. The Government consists of the President and the Ministers. As regards their responsibilities, the Government and individual Ministers are autonomous and responsible to the National Assembly. As regards the Slovenian judicial system, the unified system of courts consists of courts with general jurisdiction and courts with specialized jurisdiction; they all act in accordance with the principles of constitutionality, independence and the rule of law. Courts with general jurisdiction include forty-four district, eleven regional, four higher courts, and the Supreme Court; four labor courts and social court- that rule on labor-related and social insurance disputes- and the Administrative Court, which provides legal protection in administrative affairs and has the status of a higher court, composed the specialized courts. A special place in the justice system is held by State prosecution, as it is an independent authority, but also part of the executive branch of power. The National Assembly appoints the General State Prosecutor. The Constitutional Court represents the highest authority with regard to the protection of constitutionality, legality, human rights, and basic freedoms. The National Assembly, following nominations from the President of the Republic, appoints the judges. Nine judges are elected for a period of nine years, with no possibility of a further term. The offices of constitutional judge and judges of specialized and general courts are incompatible with other offices in state bodies. The Court judges the conformity of laws with respect to the Constitution and the conformity of laws and regulations with respect to international treaties ratified and to the principles of international law.Google Scholar

⁷⁰ Slovenia implemented the DRD in 2007 with regard to telephony data and in 2009 with regard to data relating to the Internet, transposing the provisions in its Act on Electronic Communications that was amended in 2012, with the new provisions entering into force in January 2013. Such a new set of norms imposed on operators the obligation to preventively retain the traffic and location data of all users (having no regard to whether the users themselves gave the impetus for this interference with their rights) for a duration of fourteen months for data regarding publicly available telephone services and of 8 months for other kinds of data.Google Scholar

⁷¹ An autonomous and independent body, instituted on 31 December 2005 on the basis of the Information Commissioner Act (ZlnfP), entitled of the supervision over the protection of personal data and the access to public information. The Commissioner is appointed by the National Assembly at the proposal of the President of the Republic. For more references on the point, see the Commissioner's institutional website, www.ip-rs.si/?id=195.Google Scholar

⁷² The text of the complaint can be found in Slovenian at www.iprs.si/fileadmin/user_upload/Pdf/ocene_ustavnosti/ZEKom__Zahteva_za_oceno_ustavnosti__data_retention_.pdf Google Scholar

⁷³ Slovenian Constitutional Court, No. U–l–113/04, Judgment of 7 February 2007, Official Gazette RS No. 16/07 and OdIUS XVI, 16; No. U–l–37/10, Judgment of 18 April 2013, Official Gazette RS No. 39/13.Google Scholar

⁷⁴ Full text of the ordinance available at www.us-rs.si/media/u-i-65-13.-.order.pdf.Google Scholar

⁷⁵ “The Constitutional Court cannot adopt a decision on the matter at issue until the CJEU, which has exclusive competence to assess the validity of the above-mentioned Directive, decides on its validity. Consequently, the Constitutional Court stayed the proceedings for the assessment of the constitutionality of the challenged provisions of the ECA-1 until the CJEU adopts a decision in the above-mentioned cases.” Slovenian Constitutional Court, No. U-I-37/10.Google Scholar

⁷⁶ Prevosti, Oscar, Tutela della privacy come presupposto della libertà: due recenti sentenze della Corte di Giustizia dell'Unione Europea a difesa della riservatezza individuale, 3 Osservatorio Costituzionale (2014), http://www.osservatorioaic.it/.Google Scholar

⁷⁷ The Court refers to Art. 1 of the Datenschutzgesetz. Google Scholar

⁷⁸ See the English translation of the Verfassungsgerichtshof's decision at https://www.vfgh.gv.at/cms/vfghsite/attachments/1/4/5/CH0007/CMS1363699922389/vorlage_vorratsdatenspeicherung_english.pdf Google Scholar

⁷⁹ Id. Google Scholar

⁸⁰ “[…] concerns prevail regarding the retention of data without cause as such and the related consequences. The applicants’ concerns are largely based on the high degree of intervention of data retention, and that for several reasons. First, the directive sets out a retention period ranging from six months to two years. This timeframe is to be assessed in consideration of the data volume to be stored. It is the preliminary view of the Constitutional Court that this retention period gives rise to serious concerns.” Id. at 26.Google Scholar

⁸¹ Id. at 27.Google Scholar

⁸² Irish High Court, Kennedy v. Ireland [1987] I.R. 587; [1988] I.L.R.M. 472.Google Scholar

⁸³ Irish High Court, Digital Rights Ireland Ltd. Google Scholar

⁸⁴ Id. Google Scholar

⁸⁵ Joined Cases C–46/87 and C–227/88, Hoechst AG v. Commission of the European Communities, 1989 E.C.R.2859; Case 85/87 Dow Benelux NV v. Commission, 1989 E.C.R. 3137; Joined cases 97/87, 98/87 and 99/87, Dow Chemical Iberica SA v. Commission of the European Communities, 1989 E.C.R. 3165.Google Scholar

⁸⁶ The judge refers to Eur. Court H.R., Niemietz v. Germany, Judgment of 16 December 1992, Series A, No. 251–B, and Eur. Court H.R., Société Colas Est and Others v. France, Judgment of 16 April 2002, Reports of Judgments and Decisions, 2002–III.Google Scholar

⁸⁷ Eur. Court H.R., Copland v. the United Kingdom, Judgment of 3 April 2007, Reports of Judgments and Decisions, 2007–I.Google Scholar

⁸⁸ Irish High Court, Digital Rights Ireland Ltd. Google Scholar

⁸⁹ Id. Google Scholar

⁹⁰ Id. Google Scholar

⁹¹ On the theme of the deferential dialogue between Courts in the EU, see Pelin-Raducu, Ioana, Deferential dialogues between the Court of Justice and domestic courts regarding the compatibility of the EU Data Retention Directive with (higher?) national fundamental rights standards, available at http://www.on-federalism.eu/index.php/component/content/article/166-deferential-dialogues-between-the-court-of-justice-and-domestic-courts-regarding-the-compatibility-of-the-eu-data-retention-directive-with-higher-national-fundamental-rights-standards (2014).Google Scholar

⁹² Slovenian Constitutional Court, No. U-I-295/13, Judgment of 6 November 2014, Official Gazette RS No. 82/2014.Google Scholar

⁹³ See Case C–260/89, ERT v. DEP, 1991 E.C.R. I-2925; Case C–299/95, Friedrich Kremzow v. Republik Österreich, 1997 E.C.R. I–2629; Case C–309/96, Annibaldi v. Sindaco del Comune di Guidonia and Presidente Regione Lazio, 1997 E.C.R. I–7493; Case C–94/00, Roquette Frères SA v. Directeur general de la concurrence, de la consummation et de la repression des frauds, and Commission of the European Communities, 2002 E.C.R. I–9011; Case C–349/07, Sopropé – Organizações de Calçado Lda v Fazenda Pública, 2008 E.C.R. I–10369; Case C–256/11, Murat Dereci and Others v Bundesministerium für Inneres, 2011 E.C.R. I-11315; Case C–27/11, Anton Vinkov v. Nachalnik Administrativno-nakazatelna deynost, 2012 E.C.R. 0000; and Case C–617/10, Åklagaren v. Åkerberg Fransson, 2013 E.C.R. 0000.Google Scholar

⁹⁴ The fact that, as said, the questions to be addressed to the CJEU were by will of the Irish High Court not defined in its May 2010 decision, but entrusted to a subsequent public consultation “deprives” us of a powerful instrument for understanding the Court's intentions, as basically no reasoning of it is provided in the order of referral.Google Scholar

⁹⁵ EC Directive 95/46 of 24 October 1995, O.J. 1995 L 281/31.Google Scholar

⁹⁶ EC Regulation 45/2001 of 18 December 2000, O.J. 2001 L 8/1.Google Scholar

⁹⁷ Austrian Constitutional Court (Verfassungsgerichtshof), Joined Cases G 47/12-11, G 59/12-10, G 62, 70, 71/12–11, Judgment of 28 November 2012, para. 50.Google Scholar

⁹⁸ As recalled, the two Directives entailed the confidentiality of communication of traffic data and prescribed upon service providers the duty to store such data as long as they are necessary for billing purposes, and to cancel them, or at least make them anonymous, when they are no longer needed for the communication transmission.Google Scholar

⁹⁹ Joined Cases C–465/00, C–138/01 and C–139/01 Rechnungshof v. Österreichischer Rundfunk and Others and Christa Neukomm and Joseph Lauermann v. Österreichischer Rundfunk, 2003 E.C.R. I–4989.Google Scholar

¹⁰⁰ On the point, see also Boehm & Cole, supra note 5, at 30.Google Scholar

¹⁰¹ Joined Cases C–293/12 and C–594/12, Digital Rights Ireland, Seitlinger and Others, para. 37 (Apr. 8, 2014), http://curia.europa.eu/.Google Scholar

¹⁰² The reference is to cases Eur. Court H.R., Leander v. Sweden, Judgment of 26 March 1987, Series A, No. 116, para. 48; Eur. Court H.R., Rotaru v. Romania at para. 46; Eur. Court H.R., Weber and Saravia v. Germany, Judgment of 29 June 2006, Reports of Judgments and Decisions 2006-XI, para. 79; Digital Rights Ireland, Joined cases C–293/12 and C–594/12 at para. 35.Google Scholar

¹⁰³ The aim underlying the “essence of rights” criterion is of preserving the “hard core” (the essence, indeed) of a fundamental right, so as to guarantee that, even when limited by a necessary measure, it is not deprived of its whole content and meaning.Google Scholar

¹⁰⁴ Digital Rights Ireland, Joined cases C–293/12 and C–594/12 at para. 66.Google Scholar

¹⁰⁵ The relevance of such data, the Court observes, has been widely recognized as of growing importance for the activities relating to the countering of serious crime and terrorism, due to the increasing diffusion of electronic communication. The reference is to the conclusions of the Justice and Home Affairs Council of 19 December 2002, reported in recital 7 of the DRD's preamble.Google Scholar

¹⁰⁶ Cases C–402/05 P and C–415/05P, Yassin Abdullah Kadi and Al Barakaat International Foundation v. Council of the European Union and Commission of the European Communities, 2008 E.C.R. I-06351, para. 363; Joined Cases C–539/10 P and C–550/10 P, Stichting Al-Aqsa v. Council of the European Union and Kingdom of the Netherlands v. Stichting Al-Aqsa, 2012 E.C.R. 0000, para. 130; C–145/09 Land Baden-Württemberg v Panagiotis Tsakouridis, 2010 E.C.R. 1—1979, paras. 46–47.Google Scholar

¹⁰⁷ Eur. Court H.R., S. and Marper v. the United Kingdom, Judgment of 4 December 2008, Report of Judgments and Decisions 2008-V. The case concerned the conformity of the UK national DNA database with the right to respect for private and family life enshrined in Art. 8 ECHR. The Court was called on to assess whether the retention of fingerprints and DNA data of individuals who had, for a period of their lives, been suspected of criminal offences (but not convicted for having committed the crime) was to be considered compatible with the guarantees offered by Art. 8. In keeping with an already consolidated case law, the Court deemed that the retention of fingerprints and DNA (similarly to those of any kind of data) was not consistent with the right to privacy, interestingly asserting that justifications for the retention of data in light of Art. 8 ECHR should be evaluated considering that, notwithstanding the legitimate aim of preventing crimes, whenever a “right at stake is crucial to the individual's effective enjoyment of intimate or key rights,” the margin of appreciation recognized to Member States in enacting data retention legislation must be drawn narrower. On the point, see Boehm & Cole, supra note 5, at 23.Google Scholar

¹⁰⁸ Digital Rights Ireland, Joined cases C–293/12 and C–594/12 at para. 49.Google Scholar

¹⁰⁹ The fundamental nature of these rights, and of the rights to privacy and protection of personal data, the Court seems to sustain, cannot in fact automatically lead to the prevalence of the former over the latter, it being crucial to carefully balance the scope and extent of the three rights in such a way that interferences to them are restricted to cases of strict necessity. Id. at para. 51.Google Scholar

¹¹⁰ Eur. Court H.R., S. and Marper; Eur. Court H.R., M.K. v. France, Judgment of 18 April 2013 (not final).Google Scholar

¹¹¹ Digital Rights Ireland, Joined cases C–293/12 and C–594/12 at para. 65Google Scholar

¹¹² Id. at para. 58.Google Scholar

¹¹³ Id. at para. 59.Google Scholar

¹¹⁴ Boehm & Cole, supra note 5, at 38.Google Scholar

¹¹⁵ Digital Rights Ireland, Joined cases C–293/12 and C–594/12 at para. 62.Google Scholar

¹¹⁶ As said supra (note 63), this condition had been foreseen by the Austrian Legislature, that in implementing the Directive had in fact conjugated the retention period along with the different categories of data.Google Scholar

¹¹⁷ Furthermore, the Court remarks, by permitting the providers to “have regard to economic considerations when determining the level of security which they apply, as regards the costs of implementing security measures” the Directive does not guarantee that the said providers respect sufficient security measures, and particularly the one of the permanent erasing of data at the end of the retention period. Digital Rights Ireland, Joined cases C–293/12 and C–594/12s at para. 67.Google Scholar

¹¹⁸ Boehm & Cole, supra note 5, at 49.Google Scholar

¹¹⁹ “If States do not react and change their data retention regime that were based on the now void DRD, claims before national courts and/or proceedings in front of the ECtHR (after having exhausted domestic remedies) remain possible within the constraints of the respective national procedural laws. Individuals, NGOs as well as companies may initiate such proceedings claiming a violation of Arts. 7 and 8 CFR, 8 ECHR and the respective provisions of national constitutions. National courts confronted with such claims would then be obliged to review national data retention measures and take EU law, in particular the respective guarantees stemming from Art. 7 and 8 CFR, into account. Therefore, there is a high chance that courts of Member States will also declare the national transposing act void, as it can be seen in first proceedings (e.g. in Austria and Slovenia) on this issue.” Boehm & Cole, supra note 5, at 49, 57.Google Scholar

¹²⁰ European Parliament Opinion on the CJEU's ruling on the Data Retention Directive, https://s3.amazonaws.com/access.3cdn.net/27bd1765fade54d896_l2m6i61fe.pdf.Google Scholar

¹²¹ Austrian Constitutional Court (Verfassungsgerichtshof), Joined cases G 47/2012–49, G 59/2012–38, G 62/2012–46, G 70/2012–40 and G 71/2012–36, Judgment of 27 June 2014.Google Scholar

¹²² The Slovenian Constitutional Court abrogated Arts. 162–169 of the Electronic Communication Act and ordered the deletion of all the retained data. Slovenian Constitutional Court, Case U-I-65/13-19, Judgment of 3 July 2014, Official Gazette RS No. 54/2014.Google Scholar

¹²³ The Romanian Constitutional Court also declared unconstitutional, in an unanimous decision, the Romanian Data Retention Law which was introduced in 2012, after the declaration of unconstitutionality of an earlier data retention act transposing the Directive, in 2009. Romanian Constitutional Court, Decision No. 440 of 8 July 2014, Romanian Official Gazette no. 653 of 4 September 2014.Google Scholar

¹²⁴ Polish Constitutional Tribunal, Case K 23/11, Judgment of 30 July 2014.Google Scholar

¹²⁵ See Husovec, Martin, First European Constitutional Court suspends data retention after the decision of the Court Of Justice of EU, available at https://cyberlaw.stanford.edu/blog/2014/04/first-european-constitutional-court-suspends-data-retention-after-decision-court.Google Scholar

¹²⁶ See the openrightsgroup table on “Data retention in the EU following the CJEU ruling,” https://www.openrightsgroup.org/assets/files/pdfs/reports/Data_Retention_status_EU_Dec_2014.pdf.Google Scholar

¹²⁷ The text of the complaint can be found in Slovenian at www.iprs.si/fileadmin/user_upload/Pdf/ocene_ustavnosti/ZEKom__Zahteva_za_oceno_ustavnosti__data_retention_.pdf Google Scholar

¹²⁸ For a complete examination of the Slovenian Constitutional Court's decision see Bardutzky, Samo, The Timing of Dialogue: Slovenian Constitutional Court and the Data Retention Directive, available at http://www.verfassungsblog.de.Google Scholar

¹²⁹ Republic of Slovenia Information Commissioner press release, available at https://www.ip-rs.si/index.php?id=272&tx_ttnews[tt_news]=1256&cHash=2885f4a56e6ff9d8abc6f94da098f461.Google Scholar

¹³⁰ Legal analysis from the Danish Ministry of Justice, http://justitsministeriet.dk/sites/default/files/media/Pressemeddelelser/pdf/2014/Notat%20om%20logningsdirektivet.pdf (only in Danish).Google Scholar

¹³¹ Data Retention and Investigatory Powers Act 2014 (c.27), of 17 July 2014, available at http://www.legislation.gov.uk.Google Scholar

¹³² Pollicino, Oreste, Interpretazione o manipolazione? La Corte di Giustizia definisce un nuovo diritto alla privacy digitale, Federausmi.it – 3 Focus Comunicazioni, media e nuove tecnologie 2, 24 (2014).Google Scholar

¹³³ On the point, see, in this same issue, Cherubini, Francesco, The Relationship Between the Court of Justice of the European Union and the European Court of Human Rights in the View to the Accession. Google Scholar

¹³⁴ Opinion 2/13, Draft agreement on the accession of the European Union to the European Convention for the Protection of Human Rights and Fundamental Freedoms (Dec. 18, 2014), http://curia.europa.eu/.Google Scholar