This Article examines a recent twist in European Union ("EU") data protection law. In the 1990s, the European Union was a market-creating organization and the law of data protection was designed to prevent rights abuses by market actors. Since the terrorist attacks in New York, Madrid, and London, however, cooperation in law enforcement has accelerated. Now the challenge for the European Union is to protect privacy in its emerging system of criminal justice. This Article analyzes the first EU law to address data privacy in law enforcement-the Data Retention Directive (or "Directive"). Based on a detailed examination of the Directive's legislative history, this Article finds that privacy-as guaranteed under Article 8 of the European Convention on Human Rights and the Council of Europe's Convention on Data Protection-is adequately protected in the Directive. This positive experience can serve as guidance for guaranteeing other fundamental rights in the rapidly expanding area of EU cooperation on criminal matters.
Data privacy is one of the oldest human rights policies in the European Union. The European Union was born as an international organization dedicated to the creation of a common market. Rights emerged only gradually, as it became apparent that market liberalization could come into conflict with rights and that the safeguards available under national constitutional law were inadequate. At first, the European Court of Justice took the lead in establishing rights. By the mid-1990s, however, the European legislature had also become active. One of its first forays into the human rights realm was the Data Protection Directive.
The Data Protection Directive, proposed in 1990 and passed in 1995, set up a complex regulatory scheme at the national level to protect individual rights.1 At that time, as was to be expected in a European Union still focused on the common market, data protection was aimed at preventing rights abuses by market actors and by government agencies operating as service providers. Recently, however, EU data protection has taken a new turn. Now, the challenge is to safeguard privacy when governments exercise their core sovereign powers of national security and law enforcement.
This Article examines the European Union's new turn toward protecting privacy in law enforcement activities. The first part explores the developments that have given rise to these policies, namely the growing importance of digital technologies in police investigations and the intensification of police cooperation in the European Union following the terrorist attacks in New York, Madrid, and London. The second part analyzes the Data Retention Directive, the legislation with the most significant data protection ramifications to be enacted at the time of this writing.2 The Article concludes with some thoughts on how the largely positive experience of the Data Retention Directive can inform the protection of other classic liberal rights in the rapidly growing domain of European cooperation on fighting crime.
II. LAW ENFORCEMENT IN THE DIGITAL EUROPEAN AGE
To understand the challenges of data protection today, a bit of history is necessary. The first European data protection laws date to the early 1970s. Their focus was large-scale data collection by the government and by the few private actors with the resources and technology to engage in such data processing-mostly banks and telecommunications providers. On the public side, these early laws largely affected those parts of government administration that routinely collected large amounts of information from citizens for purposes of providing services such as health care, education, and welfare.
For the most part, intelligence and law enforcement officials were untouched by these early data protection regulations. Under their respective national laws, intelligence and law enforcement officers were generally prohibited from accessing without cause the records of other government agencies. …