W7y8w3

estricts freedom of expression and media freedom.Moreover, the length and extent of retained datawas prescribed without the support of any empiricalresearch.EISi also argued that many provisions of boththe Data Retention Directive and the Act are vagueand provide too much room for abuse by both publicauthorities and the private sector. The real-lifepractice of Slovak service providers retaining andstoring data was found to be entirely arbitrary, becauseoften the data retention was not required bylaw and/or data was provided to authorities whohave no legal right to request them. So both thescope of retention and scope of access often exceededthe law.Access to stored data is not regulated by anyprecise legislation. This enables law enforcementauthorities to take advantage of a messy legal situationand request data for less serious crimes. Thisis constitutionally incompatible with human rightssuch as the right to privacy and freedom of expression.EISi presented evidence which illustrated areal misuse of data when it comes to disclosures.It was established that the practice is often verydistant from what the letter of the law says. Thisis especially the case given that there is very littlesupervision from the public authorities responsiblefor this.The submission asked the Constitutional Courtto file for a preliminary reference before the CJEUarguing that the Data Retention Directive itself isinvalid.After several months of negotiations withmembers of parliament, the required number ofsignatures was reached to support our initiative.Finally, after six months, EISi managed to get thesubmission before the Constitutional Court. At thispoint, however, it had already been three yearssince we had started the initiative.In October 2012, the submission 6 demanding areview of the data retention provisions embodiedin the Act was officially submitted to the ConstitutionalCourt. 7 Shortly after the submission wasfiled, a preliminary submission concerning the constitutionalityof the Data Protection Directive wasfiled before the CJEU. The referring Austrian andIrish courts made a reference similar to the one EISiproposed for the Slovak Constitutional Court in theproceedings before it. Due to the inactivity of theSlovak Constitutional Court, it soon became clearthat the Court had decided to wait for the decisionof the CJEU first. In April 2014, the CJEU annulled theData Protection Directive. 8ConclusionsBy repealing the Data Retention Directive, the CJEUnot only invalidated a single act of the Union’ssecondary law, but also defined the scope of theirdiscretion. Slovak transposing acts, which are atthe moment under the scrutiny of the Slovak ConstitutionalCourt, were thus not only deprived ofthe reason for transposition, but are now also in adirect contradiction with the explicit standard setby the CJEU in Digital Rights Ireland C-293/12 andC-594/12.According to the decision of the CJEU, any kindof blanket data retention that does not distinguishbetween persons who can be connected to majorcriminal activity and other persons, does not conformwith the rights to privacy and protection ofpersonal data.In terms of future legislation:• Any kind of metadata retention must (i) beaimed at specific persons or circle of persons,and (ii) have a specific time period and/or (iii)geographical area.• Access to data must be restricted to investigatingacts of a serious nature that can justify thesignificant interference with fundamental humanrights such as the respect of private andfamily life and protection of personal data.• Access to data must be subject to judicial supervisionor the supervision of an independentadministrative body which can allow such accessbased only on a substantiated applicationto the courts.• Data retention must reflect the special statusof persons bound by a duty of confidentialityconferred by national law, such as attorneys ordoctors.• When grounds for data detention are not relevantanymore, the particular person must benotified of the fact that he/she was under surveillancein the past.• The period and types of retained data in a specificcase must be adapted to what is necessaryfor achieving a particular aim.• The data retention must provide clear safeguardsagainst possible misuse or unauthorisedaccess to this data.• Legal regulations must clearly describe how thedata can be stored and how the data will be destroyedafter it is used.• Any kind of access and subsequent use of metadatamust fall within a clearly defined scope andbe for a clearly defined aim.On 23 April 2014, the Slovak Constitutional Courtpreliminarily suspended the national implementingAct. This measure means that the retention laws arestill formally in place, but have no legal effect untilthe Court decides on the merits of the complaint.However, at the same time, data that has alreadybeen collected will not need to be destroyed, and itremains open to interpretation whether service providersmay or may not hand over data collected inthe past to state authorities upon request.On the other hand, the Slovak Parliament cameup with a proposal to amend the Penal ProcedureCode, which is one of the acts regulating the accessto this type of information. The proposal fails to liveup to the standard set by the CJEU. Yet no civil societyorganisation, and very few in the mainstreammedia, picked up on the topic. This creates littlepressure on legislators. It appears that even afterthe landmark decision of the CJEU and our efforts,sensitivity to privacy rights is still rather low in Slovakia.Even less significant copyright developmentsenjoy better coverage in the media and garner morepublic interest than most privacy-related issues.Action stepsSlovakia still lacks a strong privacy advocacy group.EISi, as a think tank focusing more on litigation,is not well suited to fulfil this role. Our exampleshows that the presence of expertise and litigationcoming from civil society does not necessarilyimprove social sensitiveness to the issues amongthe general public. Slovakia needs, in our view, thefollowing:• A strong privacy activist group needs to beestablished.• The work of the Slovak Data Protection Authorityneeds to be improved. Currently, it is not onlyfailing to act ex officio, but also in cases whendata is requested by the authorities, and itswork is marked by a lack of expertise.• The opportunity for civil society to object to legislationbefore the Constitutional Court, evenwithout political support, needs to be legislatedin Slovakia. When the general public is not sensitiveto certain issues, neither are the publicauthorities.All this will be important after the decision by theConstitutional Court is made, when the debate willagain be shifted to the national parliament. In theabsence of broader interest by civil society, thestrength of the pro-privacy opposition will remainvery small and we will witness a race to the bottom.6 PL. ÚS 10/20147 www.eisionline.org/index.php/projekty-m/ochrana-sukromia/49-slovak-case-on-data-retention8 www.eisionline.org/index.php/projekty-m/ochrana-sukromia/74-us-data-retention-suspension222 / Global Information Society Watch Slovak Republic / 223