U-I-65/13

Reference no.:
U-I-65/13
Objavljeno:
Official Gazette RS, No. 54/2014 and OdlUS XX, 27 | 03.07.2014
ECLI:
ECLI:SI:USRS:2014:U.I.65.13
Act:
Electronic Communications Act (Official Gazette RS, Nos. 109/12 and 110/13) (ECA-1), Arts. 162, 163, 163.1, 164, 165, 166, 167, 168, and 169.
Operative provisions:
Articles 162, 163, 164, 165, 166, 167, 168, and 169 of the Electronic Communications Act (Official Gazette RS, Nos. 109/12 and 110/13) are abrogated.
 
Following the publication of this Decision in the Official Gazette of the Republic of Slovenia, the service providers referred to in the first paragraph of Article 163 of the Electronic Communications Act must immediately destroy all data that they are retaining on the basis of the challenged provisions.
Abstract:
Due to the determination of the obligatory and non-selective retention of certain traffic data of all communications related to fixed network phone service, mobile phone service, Internet access, Internet e-mail service and Internet phone service (for 14 or 8 months), service providers are creating vast databases of personal data on the users of these services, from which very precise conclusions can be drawn concerning their private lives. Such processing of personal data entails an interference with the right of individuals to the protection of personal data (the first paragraph of Article 38 of the Constitution).
 
The obligatory and non-selective retention of traffic data entails a substantial interference with the right to the protection of personal data due to the scope of the persons affected by such measure, the nature of the data retained, and the fact that by creating vast databases of personal data on the entire population, the risk of illegal access to these data substantially increases. The invasiveness of such interference is further strengthened by the fact that the persons whose data are being retained are not informed of the retention and potential subsequent use of these data. Due to the above, in the minds of these persons, the retention of such data can generate an intangible feeling of constant surveillance, which can influence the exercise of other rights, above all the right to free expression and public communication (the first paragraph of Article 39 of the Constitution).
 
The legislature did have a constitutionally admissible objective for such interference with the right to the protection of personal data, namely the prevention, investigation, and prosecution of serious forms of criminal offences, the defence of the state, and the safeguarding of national security in order to protect human rights and fundamental freedoms, as well as other fundamental legal values, from unlawful attacks.
 
The challenged measure is also appropriate for achieving the mentioned objectives, although in certain instances such to a certain extent cannot be achieved due to methods of technical circumvention or specific uses of the communications services that enable anonymous use. A measure is not appropriate when the means for achieving an objective is not reasonably connected with such objective and when the means used cannot in any event lead to achieving the stated objective.
 
The challenged measure is, however, not necessary. The obligatory and non-selective retention of traffic data necessarily entails that such retention predominantly interferes with the rights of those persons who are not and will not be even indirectly connected with the purposes for which these data were primarily collected and who did not give rise to any reasons for such an interference with their right to the protection of personal data. At the same time, data is also retained regarding those communications whose confidential or anonymous use is necessary for the achievement of their purpose. The challenged regulation did not limit the retention of data to a certain period of time, geographical area, or a circle of persons who could have a certain connection with the purpose pursued by the measure. The legislature also failed to explain the underlying reasons for determining the time limit of retention to be 14 months for data regarding publicly accessible telephone services and 8 months for other data, and thus also the reasons why a shorter time limit of retention would not be sufficient to achieve the pursued objective. The measure is also not necessary because the legislature did not limit the processing of data only to the investigation, detection, and prosecution of serious criminal offences. Due to the fact that by instituting the obligatory retention of traffic data, the legislature substantially interfered with the right to the protection of personal data, whereby it did not delimit in detail the circumstances limiting such interference to a measure truly necessary to achieve the objective pursued, the legislature disproportionally interfered with the right to the protection of personal data determined by the first paragraph of Article 38 of the Constitution. Therefore, the challenged regulation is unconstitutional.
Password:
1.5.51.1.17.1 - Constitutional Justice - Decisions - Types of decisions of the Constitutional Court - In abstract review proceedings - Annulment - Of a statute.
1.5.51.1.22 - Constitutional Justice - Decisions - Types of decisions of the Constitutional Court - In abstract review proceedings - Determination of the manner of implementation of a decision.
2.1.1.3 - Sources of Constitutional Law - Categories - Written rules - Community law.
2.1.3.2.2 - Sources of Constitutional Law - Categories - Case-law - International case-law - Court of Justice of the European Communities.
2.1.1.4.3 - Sources of Constitutional Law - Categories - Written rules - International instruments - European Convention on Human Rights of 1950.
2.1.1.4.14 - Sources of Constitutional Law - Categories - Written rules - International instruments - Charter of Fundamental Rights of the European Union
5.3.30.1 - Fundamental Rights - Civil and political rights - Right to private life - Protection of personal data.
3.9 - General Principles - Rule of law.
3.16 - General Principles - Proportionality.
Legal basis:
Arts. 2, 5, 15.3, 38, 38.1, 39, and 39.1, Constitution [CRS]
Art. 8, Convention for the Protection of Human Rights and Fundamental Freedoms [ECHR]
Arts. 4 and 5, Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data [CPI]
Arts. 40.2 and 43, Constitutional Court Act [CCA]
Document in PDF:
The full text:
U-I-65/13-16                  
26 September 2013

ORDER

 
At a session held on 26 September 2013 in proceedings to review constitutionality initiated upon the request of the Information Commissioner, the Constitutional Court


decided as follows:

 
The proceedings to review the constitutionality of Articles 162 through 169 of the Electronic Communications Act (Official Gazette RS, No. 109/12) shall be stayed until the Court of Justice of the European Union adopts a decision in cases C-293/12 and C-594/12.
 

REASONING

 
 
A
 
1. The applicant requests a review of the constitutionality of Articles 162 through 169 of the Electronic Communications Act (hereinafter referred to as the ECA-1), which entered into force on 15 January 2013. By the challenged provisions the Republic of Slovenia transposed into its legal order Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC (OJ L 105, 13 April 2006, p. 54 – hereinafter referred to as the Data Retention Directive). For the purposes determined by the law regulating criminal proceedings, the law regulating the functioning of the Slovene Intelligence and Security Agency, and the law regulating the defence of the state (the first paragraph of Article 162 of the ECA-1), the challenged regulation imposes on providers of publicly available electronic communications services and public communications networks the obligation to retain certain traffic, location, and other data necessary for the identification of an individual (Article 164 of the ECA-1). Such data are to be retained for 14 months (for data regarding publicly available telephone services) or 8 months (for other data) following the date of communication. In exception, a longer period can be determined (the fifth and sixth paragraphs of Article 163 of the ECA-1). The level of security of the retained data is determined, along with the measures that a service provider must adopt, alone or in cooperation with others, with regard to the retention of data (Article 165 of the ECA-1). The supervisory role of the Information Commissioner is also determined (Article 169 of the ECA-1).
 
2. The fundamental allegation contained in the request for a review of constitutionality is that, on the basis of the Data Retention Directive, the Republic of Slovenia imposed on service providers the obligation to retain as a precautionary measure the traffic and location data of all users, i.e. regardless of whether the users themselves gave rise to reasons for such an interference with their rights. Referring to the constitutional case law and the case law of the European Court of Human Rights, the applicant draws attention to the fact that not only the content of communication, but also data which constitute an integral part of communication enjoy constitutional protection and protection under the [applicable] convention. The precautionary retention of data allegedly entails inadmissible interferences with the rights to the protection of personal data (Article 38 of the Constitution) and communication privacy (Article 37 of the Constitution), and consequently also with the right to freedom of movement (Article 32 of the Constitution), the right to freedom of expression (Article 39 of the Constitution), and with the principle of the presumption of innocence (Article 27 of the Constitution). The applicant is of the opinion that, in conformity with the established constitutional case law, these measures do not pass the test of proportionality.
 
3. The request for a review of constitutionality was sent to the National Assembly and the Government. In its reply, the National Assembly concurred that the retention of data under Article 164 of the ECA-1 substantially interferes with an individual's privacy, however it underlined that the retention of data is an important tool for discovering and investigating criminal offences, and that most often data must be obtained for a past period of time, which is precisely what the obligatory precautionary retention of data enables. The National Assembly drew attention also to those provisions of the challenged regulation that reduce the possibility of abuse. In its opinion, the Government stated inter alia that in terms of substance, the applicant in fact alleged an inconsistency of the Data Retention Directive with the above-mentioned human rights, although it explicitly challenged the provisions of the national regulation.
 
4. The reply of the National Assembly and the Government were submitted to the applicant. In its reply, the applicant maintained that the measure is not proportional. It is of the opinion that research carried out does not confirm that the retention of data contributes to the better investigation of criminal offences. It also draws attention to the fact that by simple technical workarounds it is possible to negate the effectiveness of such measure. Therefore, a measure that interferes to such a degree with the privacy of the users of communication services is allegedly not proportional to the pursued objectives.
 
 
B
 
5. The applicant explicitly challenges the obligation to retain data that follows from the Data Retention Directive, with regard to which the Directive does not offer Member States the possibility of a different regulation. Therefore, the applicant in fact alleges an inconsistency of the Data Retention Directive with human rights, which is also what the Government explicitly underlines. With regard to this, the Constitutional Court deems that the alleged unconstitutionality essentially refers, above all, to the rights to communication (Article 37 of the Constitution) and information privacy (Article 38 of the Constitution). The argumentation that due to such severe interference with the mentioned rights also the right to freedom of expression (Article 39 of the Constitution), the right to freedom of movement (Article 32 of the Constitution), and the presumption of innocence (Article 27 of the Constitution) are consequently jeopardised, essentially entails that the disproportionate weight of the interference with the right to privacy is underlined. Within the framework of European Union law, the human rights determined by Articles 37 and 38 of the Constitution are guaranteed as human rights by Articles 7 and 8 of the Charter of Fundamental Rights of the European Union (OJ C 326, 26 October 2012 – hereinafter referred to as the Charter). Therefore, what is at issue is actually the question of whether the provisions of the Data Retention Directive are consistent with the above-mentioned provisions of the Charter.
 
6. By joining the European Union, the Republic of Slovenia transferred the exercise of part of its sovereign rights to the European Union on the basis of Article 3a of the Constitution.[1] From the third paragraph of Article 3a of the Constitution it follows that legal acts and decisions adopted within the framework of the European Union are applied in accordance with the legal regulation of the European Union.[2] This provision also binds the Constitutional Court, when exercising its competences, to respect the law of the European Union, as such is. The challenged provisions of the ECA-1 transpose the obligations imposed by the Data Retention Directive, i.e. their implementation entails the application of European Union law. In conformity with the first paragraph of Article 51 of the Charter, Member States are bound by its provisions when implementing European Union law.
 
7. The Constitutional Court has already adopted the position that its competence is not excluded with regard to a review of the constitutionality of regulations that transpose directives into the internal legal order.[3]
 
8. With regard to the fact that the allegations regarding the unconstitutionality of the statutory provisions entail, in terms of substance, allegation regarding the inconsistency of the provisions of the Data Retention Directive with Articles 7 and 8 of the Charter, a decision on the validity of the Data Retention Directive is of key importance for a review of the constitutionality of the provisions of the national legislation. On the basis of point b) of the first paragraph of Article 267 of the Treaty on the Functioning of the European Union (consolidated version, OJ C 326, 26 October 2012 – hereinafter referred to as the TFEU), the Court of Justice of the European Union has exclusive competence to review the validity of the Directive.[4]
 
9. The Court of Justice of the European Union has not yet decided on the validity of the Data Retention Directive from the viewpoint of its consistency with Articles 7 and 8 of the Charter. The question of the validity of the Data Retention Directive has nonetheless already been submitted to the Court of Justice of the European Union to be decided on as a preliminary question in case C-301/06,[5] however that case only referred to the issue of the legal basis of the Directive at issue. The question of the validity of the Directive from the viewpoint of Articles 7 and 8 of the Charter has also been submitted in cases C-293/12[6] and C-594/12.[7] The mentioned proceedings are already pending before the Court of Justice of the European Union; an oral hearing has already been held and also a date for the submission of the opinion of the Advocate General has been set. As the substance of the alleged unconstitutionality matches the reasons due to which the proceedings on the validity of the Data Retention Directive are already pending, the Constitutional Court does not have to submit a request for a preliminary ruling to the Court of Justice of the European Union.
 
10. The Constitutional Court cannot adopt a decision on the matter at issue until the Court of Justice of the European Union, which has exclusive competence to assess the validity of the above-mentioned Directive, decides on its validity. Consequently, the Constitutional Court stayed the proceedings for the assessment of the constitutionality of the challenged provisions of the ECA-1 until the Court of Justice of the European Union adopts a decision in the above-mentioned cases.
 
 
C
 
11. The Constitutional Court adopted this Order on the basis of point b) of the first paragraph of Article 267 of the TFEU in connection with the third paragraph of Article 3a of the Constitution and the second paragraph of Article 41 of the Constitutional Court Act (Official Gazette RS, No. 64/07 – official consolidated text and 109/12 – CCA), composed of: Dr. Ernest Petrič, President, and Judges Dr. Mitja Deisinger, Dr. Dunja Jadek Pensa, Mag. Marta Klampfer, Dr. Etelka Korpič – Horvat, Mag. Miroslav Mozetič, Jasna Pogačar, and Dr. Jadranka Sovdat. The Order was adopted unanimously.
 
 
Dr. Ernest Petrič
President
 
Notes:
[1] Treaty between the Kingdom of Belgium, the Kingdom of Denmark, the Federal Republic of Germany, the Hellenic Republic, the Kingdom of Spain, the French Republic, Ireland, the Italian Republic, the Grand Duchy of Luxembourg, the Kingdom of the Netherlands, the Republic of Austria, the Portuguese Republic, the Republic of Finland, the Kingdom of Sweden, the United Kingdom of Great Britain and Northern Ireland (Member States of the European Union) and the Czech Republic, the Republic of Estonia, the Republic of Cyprus, the Republic of Latvia, the Republic of Lithuania, the Republic of Hungary, the Republic of Malta, the Republic of Poland, the Republic of Slovenia, the Slovak Republic, concerning the accession of the Czech Republic, the Republic of Estonia, the Republic of Cyprus, the Republic of Latvia, the Republic of Lithuania, the Republic of Hungary, the Republic of Malta, the Republic of Poland, the Republic of Slovenia and the Slovak Republic to the European Union (OJ L 236, 23 September 2003, p. 17, and Official Gazette RS, No. 12/04, MP, No. 3/04).
[2] The third paragraph of Article 3a of the Constitution reads: "Legal acts and decisions adopted within international organisations to which Slovenia has transferred the exercise of part of its sovereign rights shall be applied in Slovenia in accordance with the legal regulation of these organisations."
[3] See Order of the Constitutional Court No. U-I-113/04, dated 7 February 2007 (Official Gazette RS, No. 16/07, and OdlUS XVI, 16) and Decision of the Constitutional Court No. U-I-37/10, dated 18 April 2013 (Official Gazette RS, No. 39/13).
[4] Such was also the position of the Constitutional Court in Order No. U-I-113/04, dated 8 July 2004.
[5] See the Judgment in Ireland v. European Parliament and Council of the European Union, C-301/06, dated 10 February 2009.
[6] Reference for a preliminary ruling that the High Court of Ireland made on 11 June 2012 – Digital Rights Ireland Ltd. v. Minister for Communications, Marine and Natural Resources, Minister for Justice, Equality and Law Reform, The Commissioner of the Garda Síochána, Ireland and the Attorney General.
[7] Reference for a preliminary ruling that the Verfassungsgerichtshof (Austria) made on 19 December 2012 - Kärntner Landesregierung and Others.
 
 
 
U-I-65/13
3 July 2014
 
DECISION
 
At a session held on 3 July 2014, in proceedings to review constitutionality initiated upon the request of the Information Commissioner, the Constitutional Court
 
 
decided as follows:
 
1. Articles 162, 163, 164, 165, 166, 167, 168, and 169 of the Electronic Communications Act (Official Gazette RS, Nos. 109/12 and 110/13) are abrogated.
 
2. Following the publication of this Decision in the Official Gazette of the Republic of Slovenia, the service providers referred to in the first paragraph of Article 163 of the Electronic Communications Act must immediately destroy all data that they are retaining on the basis of the challenged provisions.
 
 
REASONING
 
 
A
 
1. On the basis of the sixth indent of Article 23a of the Constitutional Court Act (Official Gazette RS, Nos. 64/07 – official consolidated text and 109/12 – hereinafter referred to as the CCA), the Information Commissioner submitted a request for the review of the constitutionality of Articles 162 through 169 of the Electronic Communications Act (hereinafter referred to as the ECA-1), which entered into force on 15 January 2013. By the challenged provisions, the Republic of Slovenia transposed into its legal order Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC (OJ L 105, 13 April 2006 – hereinafter referred to as the Data Retention Directive).[1]
 
2. The applicant is the supervisory authority for supervision of the implementation of the provisions on the obligatory retention of data in conformity with the provisions of Section XIII of the ECA-1 (Article 169 of the ECA-1). It claims that it is conducting an inspection procedure with regard to the conduct of one of the Slovene mobile phone service providers, in conformity with the provisions of the ECA-1. Since in this procedure it doubted the constitutionality of the provisions on the basis of which the service provider had been retaining the traffic, location, and other therewith related data (hereinafter referred to as traffic data) of its users on the basis of the first paragraph of Article 163 of the ECA-1, the applicant submitted the request for the review of the constitutionality of the challenged provisions.
 
3. The fundamental allegation contained in the request for the review of the constitutionality of the challenged provisions is that, on the basis of the Data Retention Directive, the Republic of Slovenia imposed on service providers the obligation to retain as a precautionary measure data on all users, i.e. regardless of whether the users themselves gave rise to reasons for such an interference with their rights. Such retention of data allegedly entails an inadmissible interference with the right to the protection of personal data (Article 38 of the Constitution), communication privacy (Article 37 of the Constitution), and consequently also with the right to freedom of movement (Article 32 of the Constitution), the right to freedom of expression (Article 39 of the Constitution), and with the principle of the presumption of innocence (Article 27 of the Constitution). The applicant is of the opinion that, in conformity with the established constitutional case law, these measures do not pass the test of proportionality. It stresses that traffic data enjoy the same protection as the content of communications and that they are protected by Article 37 of the Constitution. It is also of the opinion that the interferences with [the mentioned human] rights are not proportionate because empirical data do not prove that the purpose of such retention of data could be achieved by such interference with the mentioned rights. Only a significantly higher percentage of serious criminal offences being investigated can allegedly justify the primacy of the public interest over the interests of every single individual with regard to enjoying privacy, moving and communicating freely (without being monitored), expressing his or her opinions, etc. The applicant is of the opinion that the measure is not even appropriate, because there exists a series of technical circumventions that prevent the retention of data. In the opinion of the applicant, the awareness of users that their communications are being monitored also has an influence on the exercise of other rights (especially the freedom of expression). Due to self-censorship, an individual who knows that he is being monitored will act differently than he or she would otherwise. The applicant is of the opinion that due to the retention of location data, the regulation is additionally invasive, because it interferes with the freedom of movement. It also alleges a violation of Article 3a of the Constitution, which in its view lies in the fact that the Data Retention Directive has allegedly been incorrectly transposed into the Slovene legal order, because it also allows the retention of traffic data for the prevention, investigation, detection, and prosecution of criminal offences that cannot be qualified as serious criminal offences, and because it allows data to be used for the purpose of providing for the needs of the intelligence service and defence forces.
 
4. In its reply to the request [for the review of constitutionality], the National Assembly in fact concurs that the retention of data determined by Article 164 of the ECA-1 significantly interferes with the privacy of individuals; however, it does not concur with the standpoint of the applicant that the state does not need such data. It draws attention to the fact that the retention of data is an important tool for the detection and investigation of criminal offences, the defence of the state, national security, and constitutional regulation, and that such data must most often be obtained for a past period of time, which is precisely what the obligatory precautionary retention of data enables. The National Assembly draws attention to the provisions of the challenged regulation that reduce the possibility of abuses, namely: ten-year retention of data regarding any accessing of traffic data; service providers must retain data and protect them as confidential in conformity with the law regulating confidential data; sanctions are determined for any violation of security rules; and access to data is only possible on the basis of a court order.
 
5. In its opinion, the Government draws attention to the fact that the applicant, although it explicitly challenges the provisions of a national regulation, substantively alleges that the Data Retention Directive is inconsistent with the mentioned human rights. The Government does not concur with the standpoint that the retention itself of traffic data is not an important tool for the prosecution of criminal offences. It refers to the Evaluation Report on the Data Retention Directive, dated 18 April 2011,[2] from which it allegedly follows that retained traffic data such as envisaged by the Data Retention Directive have an important role in the investigation of criminal offences. An equal conclusion allegedly also follows from the analysis with regard to the use of electronic communications traffic data for the period 2010−2012 that was prepared by the Police. From that analysis it allegedly follows that traffic data have an important role in the collection of evidence in the framework of the investigation of criminal offences, because they indicate individual facts, circumstances, relations, dynamics, and patterns that significantly contribute to the collection of fundamental evidence for directly proving the suspicion that a [concrete] criminal offence has been committed (uncovering the planning of criminal offences, the identification of persons and connections in a criminal association, etc.). The Government warns that the detection of certain criminal offences would not even be possible without the analysis of data retained beforehand (e.g. sexual abuses of children committed over the Internet). It also stresses that access to traffic data is an important tool for combating terrorism and international organised crime, as well as for the functioning of the [Slovene] Intelligence and Security Agency with the purpose of safeguarding the security of the state and its constitutional regulation. The Government explains that service providers retain traffic data in two separate databases: in the so-called "commercial" database and the "retential" database. The latter is smaller in scope, because from the "commercial" database only those data that are exhaustively determined by Article 164 of the ECA-1 are transferred thereto. Allegedly, the only consequence of the challenged regulation is a longer period of the retention of data. The Government is of the opinion that the challenged regulation does not interfere with the right to the freedom to act and the freedom of movement, and with the freedom of expression, as determined by Articles 32 and 39 of the Constitution. On the contrary, the regulation allegedly does interfere with the right to communication and information privacy determined by Articles 37 and 38 of the Constitution, as well as with the general right to privacy determined by Article 35 of the Constitution; however, these interferences are allegedly proportionate. The same allegedly applies to the alleged violation of the presumption of innocence.
 
6. In its reply, the applicant underlines that the allegations of the Government regarding the alleged benefits of the obligatory retention of data are generalised. It alleges that the Government does not explain what is essential: whether due to the entry into force of the obligatory retention of traffic data there was a significant change in the detection of criminal offences in comparison with the period when the regulation had not yet been in force. It is of the opinion that the analysis submitted by the Government is methodologically inappropriate and that it pursues wrong aims. It refers to the study of the Max Planck Institute for Foreign and International Criminal Law from 2011, from which the conclusion allegedly follows that the retention of traffic data does not contribute to a higher number of criminal offences being investigated. It also draws attention to statistical data submitted by the Government, from which it follows that only a small share of the data needed by the Police are older than 6 months. It also underlines that the perpetrators of the most serious (especially organised) criminal offences have the knowledge and means to efficiently conceal [their] electronic traces. One consequence of that is the fact that the immensely vast database containing data on the entire population will only serve to aid in the search for a handful of the most ignorant and careless perpetrators of criminal offences; for such reason, the [disputed] interferences entail a manifestly disproportionate measure.
 
 
B – I
 
7. The challenged provisions are contained in Section XIII of the ECA-1, entitled "Retention of data". The legislature envisaged such regulation as determined by this Section only in order to transpose into the national legal order the requirements of the Data Retention Directive.[3] In fact, the Slovene legislature first transposed the obligations stemming from the Data Retention Directive already by the adoption of the Act Amending the Electronic Communications Act (Official Gazette RS, No. 129/06 – hereinafter referred to as the ECA-A),[4] which entered into force on 27 December 2006. The regulation of the obligatory retention of data, as a consequence of the implementation of the Data Retention Directive (except for the time limit for the retention of data being shortened from two years to the now applicable 14 or 8 months),[5] has already been in force in a virtually unchanged form for more than 7 years.
 
8. The challenged provisions impose on service providers the obligation to retain data related to the use of certain telecommunication services (telephone services in fixed and mobile networks, Internet and e-mail access, as well as Internet phone service access). On the basis of the data that are being retained, it is possible to determine who communicated with whom, when, for how long, where, and how (Article 164 of the ECA-1 and Article 5 of the Data Retention Directive). The obligation to retain data also includes unsuccessful phone calls. The content of communications is not being retained (the third paragraph of Article 163 of the ECA-1 and the first paragraph of Article 3 of the Data Retention Directive). Data related to publicly accessible phone services are being retained for 14 months following the day of a particular communication, whereas other data are being retained for 8 months. In exception, a longer period of retention can be determined (the fifth and sixth paragraphs of Article 163 of the ECA-1 and Articles 6 and 12 of the Data Retention Directive). At the end of the retention period, service providers must destroy the data, except those data regarding which an order for accessing the data has been issued and that have been transmitted to the competent authority (the seventh paragraph of Article 163 of the ECA-1 and Article 7 of the Data Retention Directive). What is determined (in general) is the level of protection of the retention of data and the related measures that service providers must adopt themselves or in cooperation with others. The role of the Information Commissioner is also determined; the Information Commissioner can submit preliminary opinions with regard to the general act that determines in detail the manner of the protection of the retention of data (Article 165 of the ECA-1) and supervises, with certain limitations, the implementation of the provisions of Section XIII of the ECA-1 (Article 169 of the ECA-1). Service providers must retain data (if they create or process such when providing public communications services related thereto) for the purposes of obtaining data in a public communications network determined by the law that regulates criminal procedure, for the purposes of ensuring national security and the constitutional system, and the security, political, and economic interests of the state as determined by the law that regulates the Slovene Intelligence and Security Agency, as well as the defence of the state as determined by the law that regulates the defence of the state (the first paragraph of Article 163 of the ECA-1 and in a certain part also Article 1 of the Data Retention Directive). A record of any access to data and transmission of data must be ensured for ten years (the fifth paragraph of Article 166 of the ECA-1). Service providers must not disclose to the affected persons (or third persons) the fact that any data will be or has been accessed or transmitted, nor may they disclose the court order itself (the fourth paragraph of Article 166 of the ECA-1). This Section also includes special provisions with regard to the definition of the terms that are used in this Section (Article 162 of the ECA-1), the costs of the retention of data (Article 167 of the ECA-1), and data referring to the orders for accessing and transmitting data (Article 168 of the ECA-1).
 
9. In fact, the applicant explicitly challenges all the provisions of Section XIII of the ECA-1, however, as is evident from the third paragraph of this reasoning, it substantively challenges only those provisions that impose on service providers the obligation to retain certain data in public communications networks (also) for the purposes and in the scope envisaged by the Data Retention Directive. [Therefore], the Constitutional Court also carried out a review [of constitutionality] in such scope.
 
10. Substantively, the applicant in fact alleged that the Data Retention Directive is inconsistent with human rights. The Constitutional Court was not able to decide on the constitutionality of the challenged regulation until the Court of Justice of the European Union, which has exclusive competence to assess the validity of the mentioned Directive, decided on its validity. Therefore, by Order No. U-I-65/13, dated 26 September 2013, the Constitutional Court stayed the proceedings to review the constitutionality of the challenged provisions of the ECA-1 until the Court of Justice of the European Union adopted a decision in the joined cases Nos. C-293/12 and C-594/12, which when the Constitutional Court decided to stay the proceedings were already in the final phase of decision-making.
 
11. By its Judgment in the joined cases Digital Rights Ireland Ltd v. Minister for Communications, Marine and Natural Resources and others and Kärntner Landesregierung and others, C-293/12 and C-594/12, dated 8 April 2014 (hereinafter referred to as the Judgment in the joined cases C-293/12 and C-594/12), the Court of Justice of the European Union declared the Data Retention Directive invalid. It established that by its adoption, the legislature of the European Union exceeded the limits imposed by compliance with the principle of proportionality in the light of Articles 7 and 8, as well as the first paragraph of Article 52 of the Charter of Fundamental Rights of the European Union (OJ C 326, 26 October 2012, p. 391 – hereinafter referred to as the Charter).
 
 
B – II
 
12. By declaring the Data Retention Directive invalid, the obligation of Member States to transpose the requirements from this Directive into the national legal order ceased. Nonetheless, the protection of traffic data still remains a subject of regulation under European Union law. Articles 5 and 6 of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on Privacy and Electronic Communications) (OJ L 201, 31 July 2002) impose on Member States the obligation to ensure the confidentiality of communications and related traffic data, if they are not necessary for achieving the purpose of the transfer of communications or if an individual did not give his or her consent for such processing of the mentioned data. Article 15 of this Directive enables that "Member States may adopt legislative measures to restrict the scope of the rights and obligations provided for in Article 5, Article 6, […] of this Directive when such restriction constitutes a necessary, appropriate and proportionate measure within a democratic society to safeguard national security (i.e. State security), defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system, as referred to in Article 13(1) of Directive 95/46/EC. To this end, Member States may, inter alia, adopt legislative measures providing for the retention of data for a limited period justified on the grounds laid down in this paragraph. All the measures referred to in this paragraph shall be in accordance with the general principles of Community law, including those referred to in Article 6(1) and (2) of the Treaty on European Union."
 
13. Therefore, European Union law does not prohibit the retention of traffic data for purposes such as are determined by the first paragraph of Article 163 of the ECA-1. Consequently, a Member State may decide to adopt such a measure. If it does, however, it must respect the requirement of the proportionality of the measure, in conformity with the limitations referred to in the mentioned provision of the Directive. From such a perspective, the Slovene legislature is entitled to determine the obligatory retention of traffic data also for the purposes of safeguarding national security, defence, and public safety, as well as [for the purposes of] preventing, investigating, detecting, and prosecuting criminal offences. In conformity with the mentioned provision of the Directive, such interference with fundamental rights must entail a necessary, appropriate, and proportionate measure within a democratic society. Also in conformity with the established constitutional case law, there has to exist a constitutionally admissible aim in order for an interference with any human right – and thus also with the right to information privacy determined by the first paragraph of Article 38 of the Constitution – to be admissible, and in addition, such interference must also be in conformity with the principles of a state governed by the rule of law, namely with that of these principles that prohibits excessive interferences by the state (the general principle of proportionality – Article 2 of the Constitution).[6] The admissibility of the limitation of the right to the protection of personal data is thus also, in conformity with the Constitution, substantively regulated in the same manner as follows from Article 15 of the mentioned Directive.
 
 
B – III
 
14. On the basis of the challenged regulation, as a precautionary measure service providers non-selectively retain, for a determined period of time, exhaustively determined traffic data on all communications related to fixed network phone service, mobile phone service, Internet access, Internet e-mail service, and Internet phone service. The Government alleges that these data indicate individual facts, circumstances, dynamics, and patterns of individuals' lives. With regard to the definition [of personal data] in point 1 of Article 6 of the Personal Data Protection Act (Official Gazette RS, No. 94/07 – official consolidated text – hereinafter referred to as the PDPA-1), which determines the system of protection of personal data, personal data is any data relating to an individual, irrespective of the form in which it is expressed. An individual is an identified or identifiable natural person to whom personal data relates; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity, where the method of identification does not incur large costs or disproportionate effort or require a large amount of time (point 2 of Article 6 of the PDPA-1). Therefore, on the basis of the challenged regulation, service providers are retaining data that include, from the viewpoint of privacy, information regarding identifiable individuals, who must thus enjoy the protection of personal data as guaranteed by Article 38 of the Constitution. The Constitutional Court does not deal with the question of whether absolutely all traffic data that are determined by the challenged regulation are in any event personal data in the sense of the definition mentioned above.[7] What is key is that from these data (combined) it is possible to draw details from individuals' lives, and they must thus enjoy protection from the viewpoint of the right to privacy. Or, as stated by the Court of Justice of the European Union in the Judgment in the joined cases C-293/12 and C-594/12 (paragraph 27): "Those data, taken as a whole, may allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them."
 
15. The retention of such data (also for the purposes envisaged by the challenged regulation) entails, with regard to the established constitutional case law and also the case law of the Court of Justice of the European Union,[8] an interference with the right to the protection of personal data guaranteed by Article 38 of the Constitution, Article 8 of the Charter[9], and also Article 8 of the Convention for the Protection of Human Rights and Fundamental Freedoms (Official Gazette RS, No. 33/94, MP, No. 7/94 – hereinafter referred to as the ECHR).[10]
 
16. From the established constitutional case law it follows that the first paragraph of Article 38 of the Constitution guarantees the protection of personal data as a special aspect of privacy. The purpose of the protection of personal data is to ensure respect for a special aspect of human privacy – so-called information privacy. As the Constitution regulates this right specifically, it has a special place and importance in the general protection of the privacy of an individual. It also has an important place on the level of the European Union. Article 8 of the Charter also in a declaratory manner elevated the right to the protection of personal data to the level of a fundamental human right. In conformity with the established constitutional case law, any collecting and processing of personal data entails an interference with the right to the protection of privacy, i.e. with the right of individuals to keep information regarding themselves [private], because they do not want others to be acquainted therewith. The fundamental value foundation of this right is the realisation that individuals have the right to retain information regarding themselves to themselves and that as a starting point it is they who can decide how much information concerning themselves they will reveal and to whom.[11] However, the right to information privacy is not unlimited and absolute. Therefore, individuals must accept the limitations of information privacy, i.e. allow interferences therewith that are in the prevailing public interest and if the constitutionally determined conditions are fulfilled. [Such] an interference is admissible under the conditions determined by the third paragraph of Article 15 and Article 2 of the Constitution. In such context, the Constitutional Court must assess whether the legislature followed a constitutionally admissible aim, and if it did, also whether the limitation is in conformity with the principles of a state governed by the rule of law, namely with that principle that prohibits excessive interferences by the state (the general principle of proportionality).[12] In the law it must be precisely determined which data may be collected and processed, and for what purpose they may be used; supervision over the collection, processing, and use of personal data must be envisaged, as well as protection of the confidentiality of the collected personal data. The purpose of the collecting of personal data must be constitutionally admissible. Only data appropriate and urgently necessary for the implementation of the statutorily defined purpose may be collected.[13] When what is at issue is the processing of personal data for the purposes of police work, the legislature must weigh the measure by which it interferes with a sensitive area of the privacy of an individual without his or her consent in an especially meticulous manner.[14] The same also applies to the processing of personal data by other authorities of the state for the purposes of the defence of the state, national security, and the constitutional system.
 
17. The Constitutional Court has already explained numerous times that substantively similar requirements to those included in Article 38 of the Constitution are also included in the Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data (Official Gazette RS, No. 11/94, MP, No. 3/94 – hereinafter referred to as the CPI). In addition to the fact that personal data must be obtained and processed fairly and lawfully, the CPI requires that measures be taken that will ensure that personal data will be retained for specified and legitimate purposes and that they will not be used in a way incompatible with those purposes, as well as that only data that are adequate, relevant, and not excessive in relation to the purposes for which they are retained will be processed (Article 5 in relation to Article 4 of the CPI).[15]
 
18. The first condition for the admissibility of an interference with the right determined by the first paragraph of Article 38 of the Constitution is thus the existence of a constitutionally admissible aim. The fundamental purpose of the Data Retention Directive, due to which the legislature instituted the challenged regulation, was determined by the first paragraph of Article 1 [of the Directive],[16] namely "[…] to ensure that the data are available for the purpose of the investigation, detection and prosecution of serious crime, as defined by each Member State in its national law." Similarly, also the first paragraph of Article 163 of the ECA-1 determines that "[service providers] must retain, for the purposes of obtaining data in a public communications network determined by the law that regulates criminal procedure, for the purposes of ensuring the national security and the constitutional system, and the security, political, and economic interests of the state, as determined by the law that regulates the Slovene Intelligence and Security Agency, as well as the defence of the state, as determined by the law that regulates the defence of the state, the data determined by Article 164 of this Act, if they create or process it when providing public communications services related thereto." The prosecution of serious forms of criminal offences, the defence of the state, and the safeguarding of the security of the state with the purpose of ensuring the protection of human rights and fundamental freedoms, as well as other fundamental legal values from illegal attacks against them are constitutionally admissible aims. In order for the state to be able to protect human rights and fundamental freedoms on its territory (Article 5 of the Constitution), it must primarily foster the existence and efficient functioning of the institutions of a state governed by the rule of law also in such a manner that it combats the most serious forms of criminal offences, ensures the defence of the state, the national security, and the constitutional system.
 
19. Therefore, the legislature did have constitutionally admissible aims for interfering with the constitutionally protected right to information privacy determined by the first paragraph of Article 38 of the Constitution. From this point of view, the interference is not inadmissible.
 
20. The challenged measure is also appropriate for achieving the mentioned aims, because they can in fact be achieved by the measure. Undoubtedly, in certain situations the retention and subsequent use of traffic data can entail an appropriate means for the investigation, detection, and prosecution of serious criminal offences. The same applies to the purposes of the defence of the state and the safeguarding of the security of the state. Such proceeds from the statements of Member States, as follows from the Evaluation Report of the European Commission[17] and other documents published on its website,[18] as well as from the analysis that was submitted by the Government in the proceedings at issue. The Government alleges that these data play an important supporting role in the collection of evidence in the framework of the investigation of criminal offences, because they indicate individual facts, circumstances, relations, dynamics, and patterns that significantly contribute to the collection of fundamental evidence directly proving the suspicion that a [concrete] criminal offence has been committed. Also the Court of Justice of the European Union assessed that with regard to the increasing importance of electronic communications, the data that had to be retained on the basis of the [now] invalid Directive provided national authorities competent for criminal prosecution additional possibilities with regard to detecting serious criminal offences and that in this regard they are a valuable means for [conducting] criminal investigations.[19] Although from the materials submitted by the Government and the documents of the Commission it is not clearly evident whether what is at issue is the use of data that otherwise in the absence of obligatory retention as envisaged by the Data Retention Directive and the now challenged regulation would not be accessible to prosecuting authorities and other competent authorities of the state, it is at the same time also not possible to conclude that these data are manifestly inappropriate for achieving the [stated] aim. Likewise, it is not evident that the measure is inappropriate even if in certain instances due to technical circumvention or specific types of use of these communications services (e.g. falsifying the number calling, the use of unregistered prepaid mobile services, the use of a service for the anonymisation of traffic over the Internet, etc.) it is possible to cover the digital traces behind the real user or achieve anonymous use of a mobile and fixed network phone service, as well as of Internet access, which is what the applicant otherwise draws attention to. A measure is inappropriate only when the means for achieving the aim does not have a sensible connection with that aim and when the stated aim cannot be achieved in any event by the [chosen] measure, not only that [it cannot be achieved] only to a certain degree.[20] However, the fact that the constitutionally admissible aim can only be achieved to a certain degree by the [chosen] measure can significantly influence the assessment of the proportionality of such measure.
 
21. Even if a measure is both appropriate and useful, such does not mean at the same time that it is necessary, i.e. that in order to achieve the pursued aim no [other] less invasive measures that would interfere less with the human rights of individuals are available.[21] In the framework of the test of the necessity of a measure, the Constitutional Court assesses whether an interference is at all necessary in the sense that the aim cannot be achieved without (any) interference at all or whether the aim can be achieved without the (concrete) interference that is being assessed by means of some other [interference] that would be milder in nature.[22]
 
22. For such reason, it is necessary to assess whether the legislature could also achieve the purpose for which such personal data was retained also in a manner that would interfere less invasively with the right determined by the first paragraph of Article 38 of the Constitution. Due to the fact that with regard to the manner and scope of the retention of data the challenged regulation is actually a transposition of the requirements from the Data Retention Directive and was thus determined in a manner such as was determined by the now no longer valid Data Retention Directive, the underlying reasons that guided the Court of Justice of the European Union in its invalidation are key also to the assessment of the challenged Act.
 
23. First of all, it has to be underlined that combating serious criminal offences, especially organised crime and terrorism, the defence of the state, and ensuring national security and the constitutional system, are of fundamental importance for the functioning of a state governed by the rule of law. However, such an aim, although of fundamental importance, cannot in itself justify an unlimited interference with human rights.
 
24. The challenged regulation provides for the precautionary (in advance) and indiscriminate retention of traffic data [generated by] certain electronic communications. A consequence of such regulation is that service providers retain, for a determined period, the traffic data of all users of phone services in fixed and mobile networks, data on accessing the Internet and e-mail, and data on the use of phone service over an Internet protocol, such as determined by Article 164 of the ECA-1. By the precautionary and indiscriminate retention of data created daily, service providers are creating vast databases that are being retained for 14 or 8 months and from which, at any moment, very detailed conclusions can be drawn concerning facts regarding the private life of every single individual that uses these services.[23] With regard to the fact that the modern manner of communicating predominantly entails the use of the mentioned electronic communications services,[24] such a measure in fact entails a very invasive interference with the (information) privacy of the entire population, both with regard to the scope of the persons affected by the measure and with regard to the data that are being retained. The interference with the [mentioned] right is also exacerbated by the fact that by the creation of such an extensive database of personal data on the entire population, the risk that unauthorised persons will access the retained data or that the data will be used for unlawful purposes, despite the obligations imposed on service providers by, inter alia, Article 165 of the ECA-1, increases substantially.[25] Such a regulation substantially interferes with the human rights and fundamental freedoms of individuals also due to the fact that the affected persons are not informed of the retention and the potential subsequent use of their data, which can in the minds of these persons generate a feeling of constant surveillance.[26] Such an intangible feeling of constant surveillance can also influence the exercise of other rights, above all the right to free expression and public communication, as guaranteed by Article 39 of the Constitution and Article 11 of the Charter.[27]
 
25. By the nature of the matter, the precautionary and non-selective retention of data necessarily entails that it predominantly interferes with the rights of those persons who are not and will not be even indirectly connected with the purposes for which these data were primarily collected. Both the Data Retention Directive and the Slovene legislature did not limit the retention to those data that have some reasonable and objectively verifiable connection with purpose that [the legislature] intends the measure to achieve. The non-selective and precautionary retention of traffic data necessarily entails that it will interfere predominantly with the rights of that part of the population that did not give rise to any reasons for such an interference. As also the Court of Justice of the European Union stressed,[28] by the unlimited measure also data regarding communications that would otherwise have to enjoy special protection are retained. Namely, the regulation does not allow for anonymous use of means of communication in all those instances when confidential and untraceable use of the means of communication is necessary to achieve its purpose (e.g. phone services for assistance in emotional distress). Similarly, the challenged regulation, as well as the Data Retention Directive, did not limit the retention of data to a certain period of time, geographical area, or circle of persons who might have a certain connection with the purpose pursued by the measure.[29]
 
26. The question regarding the length of time personal data is retained is also important for the assessment of whether the interference [at issue] is necessary to achieve a constitutionally admissible aim. The retention and processing of personal data for a longer period of time than is necessary in order to achieve the purpose does not fulfil the [criterion of] proportionality.[30] In fact, in the fifth paragraph of Article 163 of the ECA-1, the legislature envisaged a different length of time for the retention of data regarding publicly accessible phone services (14 months), on the one hand, and all other data (8 months), on the other. However, the reasons why the legislature decided [to require] retention for such duration and why it determined a different period of retention for the mentioned data are not evident from either the reply of the National Assembly nor the opinion of the Government. The analysis already mentioned above that was submitted by the Government only includes the generalised claim that if the duration of retention was shortened, "a new adaptation of investigative procedures would be necessary." With regard to the fact that different data are collected that have, by the nature of the matter, a different utility value with regard to the duration of retention, the legislature should have taken that into consideration and correspondingly differentiated the duration of retention with regard to the usefulness of the data or with regard to the persons concerned.[31] From the mentioned documentation it is also not evident why a shorter period of retention (than was, for instance, determined by certain Member States)[32] does not suffice to achieve its purpose. With regard to the measure that includes such a broad range of different data without objective criteria being determined more precisely for such retention, it is also not possible [to carry out] a subsequent test of whether the measure only refers to what is truly necessary in order to achieve its purpose. Such measure does not fulfil the criterion of necessity nor the criterion of proportionality in the narrower sense, because it is not possible to weigh whether the correspondingly longer period of retention and the degree of interference with the privacy of individuals related thereto are proportionate to ensuring public safety or some other interest pursued by such measure.
 
27. The now invalidated Data Retention Directive limited the purpose of such retention only to the investigation, detection, and prosecution of serious criminal offences. The challenged regulation does not include such a limitation. Also in the regulations referred to by the challenged regulation (the first paragraph of Article 163 of the ECA-1), the legislature did not limit the processing of personal data only to certain acts (serious criminal offences) for which it would assess that due to their weight the retention of data or access to these data justify the interference with the privacy of individuals.[33] Also for such reason, the measure disproportionally interferes with the right determined by the first paragraph of Article 38 of the Constitution.
 
28. By determining, in the first paragraph of Article 163 of the ECA-1, the obligatory retention of traffic data, the legislature substantially interfered with the right to the protection of personal data and at the same time it did not determine in detail the circumstances on the basis of which such interference would be limited to only what is truly necessary to achieve the aim. The challenged provision thereby interfered disproportionally with the right to the protection of personal data determined by the first paragraph of Article 38 of the Constitution. Consequently, the first paragraph of Article 163 of the ECA-1, which explicitly determines the obligation to retain traffic data, is unconstitutional. The other challenged provisions of Section XIII of the ECA-1 are directly connected with this provision and do not have an independent meaning. For such reason, the Constitutional Court abrogated the challenged provisions of Section XIII in their entirety (point 1 of the operative provisions).
 
29. Since the challenged provisions had to be abrogated already due to the inconsistency with the right to the protection of personal data determined by Article 38 of the Constitution, the Constitutional Court did not assess the other alleged unconstitutionalities.
 
30. In order to prevent further disproportionate interferences with the right to the protection of personal data determined by the first paragraph of Article 38 of the Constitution, the Constitutional Court determined, on the basis of the second paragraph of Article 40 of the CCA, the manner of the implementation of this Decision. On the basis of this Article, service providers that are retaining traffic data in conformity with the first paragraph of Article 163 of the ECA-1 must immediately upon the publication of this Decision in the Official Gazette of the Republic of Slovenia destroy these data (point 2 of the operative provisions).
 
 
C
 
31. The Constitutional Court reached this decision on the basis of Article 43 and the second paragraph of Article 40 of the CCA, composed of: Mag. Miroslav Mozetič, President, and Judges Dr Mitja Deisinger, Dr Dunja Jadek Pensa, Dr Etelka Korpič – Horvat, Dr Ernest Petrič, Jasna Pogačar, Dr Jadranka Sovdat, and Jan Zobec. The Constitutional Court adopted the Decision unanimously.
 
 
Mag. Miroslav Mozetič
President
 
 
 
Endnotes:
[1] Such follows from the content of the statutory provisions and especially from the second paragraph of Article 2 of the ECA-1 and the purpose of the legislature expressed in the draft act (Gazette of the National Assembly, dated 1 October 2012, EPA 667-VI).
[2] Report from the Commission to the Council and the European Parliament, Evaluation Report on the Data Retention Directive (Directive 2006/24/EC), dated 18 April 2011, COM (2011) 225 final.
[3] See the explanation of Section XIII of the ECA-1 (Retention of data) in the draft act (Gazette of the National Assembly, dated 1 October 2012): "[…] From the viewpoint of the clarity of the regulation, because what is at issue is the implementation of two different directives (the Directive on Privacy and Electronic Communications and the Data Retention Directive), a new Section is introduced in the ECA-1 that only refers to the implementation of the Data Retention Directive, as was in fact already ensured by Section X of the existing ECA (i.e. ‘The protection of the privacy, confidentiality, and safety of electronic communications and the retention of data regarding electronic communications traffic’). […]"
[4] See Article 92 of the ECA-A, which introduced the new Articles 107a through 107e.
[5] The fifth paragraph of Article 163 of the ECA-1.
[6] Cf.  Decision of the Constitutional Court No. U-I-18/02, dated 24 October 2003 (Official Gazette RS, No. 108/03, and OdlUS XII, 86).
[7] See, for instance, the Opinion on the Concept of Personal Data of 2007 of the Article 29 Working Group on Data Protection.
[8] See the Judgment in the joined cases Volker und Markus Schecke GbR and Hartmut Eifert v. Land Hessen, C-92/09 and C-93/09, dated 9 November 2010.
[9] See the second sentence of paragraph 29 of the Judgment in the joined cases C-293/12 and C-594/12.
[10] See, in particular, the Judgments of the European Court of Human Rights (hereinafter referred to as the ECtHR) in Leander v. Sweden, dated 26 March 1987, Amann v. Switzerland, dated 16 February 2000, Kopp v. Switzerland, dated 25 March 1998.
[11] See Paragraph 12 of the reasoning of Decision of the Constitutional Court No. U-I-98/11, dated 26 September 2012 (Official Gazette RS, No. 79/12).
[12] Cf.  Decision of the Constitutional Court No. U-I-18/02.
[13] As stated already in Decision No. U-I-411/06, dated 19 June 2008 (Official Gazette RS, No. 68/08, and OdlUS XVII, 43).
[14] See Decision No. U-I-312/11, dated 13 February 2014 (Official Gazette RS, No. 15/14).
[15] As stated, for instance, already in Decision No. U-I-98/11.
[16] See also the introductory statements Nos. 4, 5, 7 through 11, 21, and 22 to the Data Retention Directive.
[17] Report from the Commission to the Council and the European Parliament, Evaluation Report on the Data Retention Directive (Directive 2006/24/EC), dated 18 April 2011.
[18] See, e.g., Evidence for the necessity of data retention in the EU, accessible at: (accessed 2 July 2014).
[19] Paragraph 49 of the reasoning of the Judgment in the joined cases C-293/12 and C-594/12.
[20] See Decision No. U-I-201/93, dated 7 March 1996 (Official Gazette RS, No. 24/96, and OdlUS V, 27). Cf.  also with paragraph 207 of the reasoning of the Judgment of the Federal Constitutional Court of the Federal Republic of Germany No. 1 BvR 2156/08, 1 BvR 263/08, 1 BvR 586/08, dated 2 March 2010.
[21] In the framework of the assessment of the proportionality of a measure (or the necessity of a measure in a democratic society), the ECtHR underlines that the adjective "necessary" is not synonymous with "indispensable" and at the same time it also cannot be interpreted as flexibly as, for instance, the expressions "admissible", "ordinary", "useful", "reasonable", or "desirable" (the Judgment in Handyside v. United Kingdom, dated 7 December 1976).
[22] As stated, e.g., in Decision No. U-I-77/08, dated 8 July 2010 (Official Gazette RS, No. 61/10).
[23] See Paragraph 14 of the reasoning.
[24] See paragraphs 72 and 73 of the opinion of Advocate General Pedro Cruz Villalón in the joined cases C-293/12 and C-594/12, dated 12 December 2012, and the Judgments of the ECtHR to which he refers.
[25] Ibidem, paragraph 75.
[26] Namely, service providers must not reveal to the persons to whom [the relevant] data refer that they were transmitted (the fourth paragraph of Article 166 of the ECA-1).
[27] As stated already in the Judgment of the Federal Constitutional Court of the Federal Republic of Germany No. 1 BvR 2156/08, 1 BvR 263/08, 1 BvR 586/08 and paragraph 37 of the reasoning of the Judgment in the joined cases C-293/12 and C-594/12.
[28] See paragraph 58 of the reasoning of the Judgment in the joined cases C-293/12 and C-594/12.
[29] Ibidem, paragraph 59.
[30] Decision of the Constitutional Court No. U-I-312/11, dated 13 February 2014 (Official Gazette RS, No. 15/14). See also the Judgment of the ECtHR in S. and Marper v. United Kingdom, dated 4 December 2008. As stated also by Article 6 of the Directive on Privacy and Electronic Communications and point e) of Article 5 of the CPI. See also Paragraph 24 of the reasoning in Decision [of the Constitutional Court] No. U-I-411/06. Article 6 of the Directive on Privacy and Electronic Communications determines the principle that traffic data that is processed must be erased or made anonymous when it is no longer needed for the purpose of the transmission of a communication.
[31] Cf.  with paragraphs 63 and 64 of the Judgment in the joined cases C-293/12 and C-594/12.
[32] E.g. the six-month time limit determined by the Federal Republic of Germany in the (now in fact abrogated) Article 113a of the Telecommunications Act (Telekommunikationgesetz).
[33] Cf.  the first paragraph of Article 149b of the Criminal Procedure Act (Official Gazette RS, No. 32/12 – official consolidated text and 47/13 – hereinafter referred to as the CrPA) and the second paragraph of Article 150 of the CrPA, where the legislature determined a catalogue of criminal offences with regard to which the measures determined by the first paragraph of Article 150 of the CrPA can be ordered.
Type of procedure:
review of constitutionality and legality of regulations and other general acts
Type of act:
statute
Applicant:
Information Commissioner, Ljubljana
Date of application:
06.03.2013
Date of decision:
03.07.2014
Type of decision adopted:
decision
Outcome of proceedings:
annulment or annulment ab initio
Document:
AN03707