Loading...
Canada deserves to know.
Loading...
In April 2014, the EU's highest court invalidated the Data Retention Directive — a law that required ISPs to retain user metadata for six months to two years. The court found the retention was a "particularly serious" interference with fundamental rights and not "limited to what is strictly necessary." The directive's retention period and category of data are nearly identical to what Bill C-22 proposes for Canada.
On April 8, 2014, the Court of Justice of the European Union (CJEU) handed down its decision in Digital Rights Ireland (joined cases C-293/12 and C-594/12), striking down the EU's Data Retention Directive as invalid. The Directive had required telecoms in member states to retain user metadata — phone numbers, IP addresses, location data, device identifiers — for six months to two years, on every customer, with police access on a production-order standard. The CJEU found this regime to be a "particularly serious" interference with the fundamental rights to private life and personal data protection under Articles 7 and 8 of the EU Charter, and that the interference failed proportionality because (1) the retention applied to all persons without distinction, (2) there was no relationship between the retained data and the threat the regime was meant to address, and (3) safeguards on access were insufficient. The ruling does not bind Canadian courts. The reasoning is highly persuasive and will be central to any future Canadian Charter challenge to Bill C-22.
In 2012, Digital Rights Ireland Ltd. (a small Irish digital-rights NGO) and the Kärntner Landesregierung (an Austrian provincial government, joined by some 11,000 individual applicants) filed separate complaints before national courts arguing that the EU Data Retention Directive violated fundamental rights. The national courts referred the cases to the Court of Justice of the European Union for a preliminary ruling on the Directive's validity.
The CJEU heard the two cases together as joined cases C-293/12 and C-594/12. On April 8, 2014, the Grand Chamber of the CJEU — the Court's most authoritative panel — handed down its ruling. The Directive was declared invalid in its entirety.
The ruling did not abolish data retention in EU member states. The Directive had required member states to enact national data-retention laws. After the ruling, member states had to choose what to do with their national implementations: rewrite them to meet the CJEU's proportionality requirements, or repeal them. The decade since has produced a mosaic of national approaches — none of which replicates the breadth of the original Directive.
Directive 2006/24/EC (the "Data Retention Directive") was enacted in the wake of the 2004 Madrid and 2005 London bombings. It required telecommunications service providers across the EU to retain metadata on every customer for a period of six months to two years, with the specific duration set by each member state's domestic law.
The Directive's retention categories included:
- **Communication identifiers** — phone numbers (caller and receiver), email addresses (sender and recipient), IP addresses assigned at any point in the session. - **Date, time, and duration** of every communication. - **Location data** — from cell-tower assignment for mobile-phone communications, sufficient to determine where the user was during the communication. - **Device identifiers** — IMEI, IMSI, MAC address.
Content of communications was excluded. The Directive's purpose, as recited in its preamble, was to facilitate "the investigation, detection and prosecution of serious crime, in particular organized crime and terrorism."
The CJEU accepted, as a starting point, that the Directive's stated aim — fighting serious crime — is a legitimate objective of general interest. The Court's invalidation rested entirely on the proportionality analysis.
The Court found the Directive to be a "particularly serious interference" with two fundamental rights under the EU Charter:
- **Article 7** — respect for private and family life. - **Article 8** — protection of personal data.
The Court's proportionality reasoning, summarized:
1. **The retention applied to all persons without distinction.** Every EU resident's metadata was retained, regardless of whether they were a suspect, a person of interest, or had any link whatsoever to serious crime. This was found to be inconsistent with the Charter's requirement that interference with fundamental rights be limited to what is strictly necessary. 2. **There was no relationship between the retained data and the threat addressed.** The Directive did not differentiate by category of data, by class of person, by geographic concentration of risk, or by any other criterion that could narrow the retention to the population genuinely connected to serious crime. 3. **Safeguards on access were insufficient.** The Directive set no harmonized access standard; it left each member state's law to determine the conditions under which retained data could be accessed. The result was a wide variation in safeguards across the EU, undermining the Directive's stated rights-protecting purpose. 4. **The retention period was not differentiated.** The Directive set a uniform retention period regardless of the category of data or the threat profile it might illuminate.
The Court did not require member states to abolish data retention. The Court required that any retention regime meet the strict-necessity test — narrowly tailored to specific threats, time-limited by data category, with robust harmonized access safeguards.
Bill C-22's metadata-retention regime can be compared to the Directive on five axes:
| Axis | EU Directive 2006/24 | Bill C-22 | |---|---|---| | Retention category | Transmission, location, device identifiers; content excluded | Transmission, location, device identifiers; content excluded | | Retention duration | 6 months to 2 years (member-state discretion) | Up to 1 year | | Coverage | All users of all telecom services | All customers of all "core providers" | | Access threshold | Member-state discretion (production order standard) | Production order with "reasonable grounds to suspect" | | Oversight body in regime | National data-protection authorities | Intelligence Commissioner (for Part 2 orders); OPC absent |
The retention category is essentially identical. The retention duration is at the lower bound of the Directive's range. The coverage is universal. The access threshold is comparable to what existed under EU national implementations of the Directive — and is, per Geist's analysis, weaker than the previous Canadian standard for subscriber-information access.
The most material difference is the oversight architecture. The Directive contemplated independent data-protection-authority oversight of every member-state implementation. Bill C-22, as discussed in Day 3 of this series, does not provide a statutory role for the Office of the Privacy Commissioner of Canada in the regime it creates.
The CJEU ruling did not end data retention in the EU. It required that any continuing retention meet the strict-necessity test the Court articulated. Member-state responses over the decade since have varied:
- **Sweden** — the national court (Kammarrätten i Stockholm) ruled in 2017 that the Swedish data-retention law was incompatible with EU law and required reform. The current Swedish law applies retention only to specific categories of data, time-limited. - **Germany** — the Federal Constitutional Court (Bundesverfassungsgericht) struck down the German implementation of the Directive in 2010, before the CJEU ruling on the Directive itself. A subsequent reform attempt was again blocked by the German courts in 2024. - **United Kingdom** — the Investigatory Powers Act 2016 (post-Brexit) replaced the previous Data Retention and Investigatory Powers Act. The 2016 Act is itself the subject of ongoing litigation on similar grounds. - **Ireland** — the country where Digital Rights Ireland originated. Ireland's current data-retention law (the 2011 Act, amended after the CJEU ruling) is materially narrower than the original Directive — narrower retention categories, shorter durations. - **European Parliament** — has not attempted to re-introduce a Directive. The legislative consensus is that the original Directive's breadth cannot be reconstituted under EU law as the CJEU has interpreted it.
The EU experience suggests two things: that a CJEU-style proportionality analysis can survive in domestic policy, and that the political path is to narrow rather than abandon retention. Whether Canada will reach the same conclusion via Charter litigation is open.
Canadian Charter litigation on Bill C-22, if and when it occurs, will turn on Section 8 — the protection against unreasonable search and seizure.
The Supreme Court of Canada's decision in *R v Spencer*, 2014 SCC 43, is the most directly relevant existing precedent. In *Spencer*, the Supreme Court held unanimously that Canadians have a reasonable expectation of privacy in their internet-subscriber data, and that police access to that data without a warrant (under the pre-Spencer practice of voluntary ISP disclosure) violated Section 8.
*Spencer* did not address mandatory metadata retention. Bill C-22 would be the first federal bill to test what a mandatory-retention regime looks like under the post-Spencer Charter framework.
Charter litigants would likely argue:
1. The retention applies to all Canadians without distinction — the same fact pattern the CJEU treated as a "particularly serious interference." 2. The bill does not differentiate retention by data category or threat profile — a structural feature the CJEU found incompatible with the strict-necessity test. 3. The Office of the Privacy Commissioner has no statutory oversight role under the regime — the kind of harmonized independent-oversight gap the CJEU treated as undermining proportionality. 4. The Department of Justice's own Charter statement on Bill C-22 is silent on the metadata-retention question — a fact Charter litigants would invite the court to weigh in the analysis.
The CJEU ruling does not bind a Canadian court. The Supreme Court of Canada has, however, cited foreign comparative-law reasoning in Charter jurisprudence many times, including in privacy cases. Digital Rights Ireland will be central to the litigation record any future Charter challenge develops.
It is fair to note the rebuttal the bill's defenders would make.
The Canadian access-threshold under C-22 is not warrantless: a production order under the "reasonable grounds to suspect" standard is required. The CJEU's concern about variable national access standards across the EU does not map onto a single Canadian regime with a uniform statutory threshold.
The Intelligence Commissioner's review of Part 2 ministerial orders provides a layer that the EU Directive did not have. The CJEU's proportionality reasoning identified the absence of harmonized oversight as a structural defect of the Directive; the Canadian regime has, at least for ministerial orders, an independent reviewer.
The retention scope under C-22 is narrower than the Directive in at least one respect: the bill does not require web-browsing-history retention. The Directive's retention category was broader on that point.
These arguments do not, in the view of the bill's academic critics, defeat the CJEU's central reasoning — but they are the rebuttal that any future Charter litigation will have to address.
The bill explicitly excludes the content of communications from mandatory retention. What it would require — who you talked to, when, where you were, what device you used — is the data that intelligence professionals call "the more important half" of surveillance. Here is what a year of that data reveals about an ordinary Canadian.
The Lawful Access Act, 2026 cleared a critical procedural hurdle in the House on April 20. Committee review starts next. Five distinct opposition voices — academic, technology-industry, civil-society, U.S. legislative, and Charter-rights — have already weighed in against parts of the bill. Here is where the bill stands, what it would do, and what happens between here and Royal Assent.
The Lawful Access Act is back in Parliament with new powers for police and secret orders for telecom providers. Here is what it means for your privacy.
About this article
Parliament Audit is non-partisan and does not endorse or oppose any legislation. This article is based on publicly available legislative documents and parliamentary records; all sources are linked above.
AI-assisted, human-edited. AI tools help us ingest parliamentary records and draft analysis; an editor reviews every article and verifies key facts against primary sources before publication. Quotation marks are reserved for verbatim text from a primary source. See our methodology and corrections log.
Your MP votes on this. Their constituency inbox is the most-read channel for feedback on bills in committee.
You're welcome to run this article in full on your newsroom, blog, newsletter, or paper. Keep the byline and the link back to parliamentaudit.ca. See the full terms.
<!-- Parliament Audit — republished under CC BY-ND 4.0 -->
<article>
<h1>The European Court of Justice Already Struck Down a Law Like Bill C-22. Here Is What It Found.</h1>
<p><em>By Parliament Audit · May 24, 2026 · 8 min read</em></p>
<p><strong>On April 8, 2014, the Court of Justice of the European Union (CJEU) handed down its decision in Digital Rights Ireland (joined cases C-293/12 and C-594/12), striking down the EU's Data Retention Directive as invalid. The Directive had required telecoms in member states to retain user metadata — phone numbers, IP addresses, location data, device identifiers — for six months to two years, on every customer, with police access on a production-order standard. The CJEU found this regime to be a "particularly serious" interference with the fundamental rights to private life and personal data protection under Articles 7 and 8 of the EU Charter, and that the interference failed proportionality because (1) the retention applied to all persons without distinction, (2) there was no relationship between the retained data and the threat the regime was meant to address, and (3) safeguards on access were insufficient. The ruling does not bind Canadian courts. The reasoning is highly persuasive and will be central to any future Canadian Charter challenge to Bill C-22.</strong></p>
<h2>The Digital Rights Ireland case</h2>
<p>In 2012, Digital Rights Ireland Ltd. (a small Irish digital-rights NGO) and the Kärntner Landesregierung (an Austrian provincial government, joined by some 11,000 individual applicants) filed separate complaints before national courts arguing that the EU Data Retention Directive violated fundamental rights. The national courts referred the cases to the Court of Justice of the European Union for a preliminary ruling on the Directive's validity.</p>
<p>The CJEU heard the two cases together as joined cases C-293/12 and C-594/12. On April 8, 2014, the Grand Chamber of the CJEU — the Court's most authoritative panel — handed down its ruling. The Directive was declared invalid in its entirety.</p>
<p>The ruling did not abolish data retention in EU member states. The Directive had required member states to enact national data-retention laws. After the ruling, member states had to choose what to do with their national implementations: rewrite them to meet the CJEU's proportionality requirements, or repeal them. The decade since has produced a mosaic of national approaches — none of which replicates the breadth of the original Directive.</p>
<h2>What the EU Directive required</h2>
<p>Directive 2006/24/EC (the "Data Retention Directive") was enacted in the wake of the 2004 Madrid and 2005 London bombings. It required telecommunications service providers across the EU to retain metadata on every customer for a period of six months to two years, with the specific duration set by each member state's domestic law.</p>
<p>The Directive's retention categories included:</p>
<p>- **Communication identifiers** — phone numbers (caller and receiver), email addresses (sender and recipient), IP addresses assigned at any point in the session.
- **Date, time, and duration** of every communication.
- **Location data** — from cell-tower assignment for mobile-phone communications, sufficient to determine where the user was during the communication.
- **Device identifiers** — IMEI, IMSI, MAC address.</p>
<p>Content of communications was excluded. The Directive's purpose, as recited in its preamble, was to facilitate "the investigation, detection and prosecution of serious crime, in particular organized crime and terrorism."</p>
<h2>The CJEU's reasoning</h2>
<p>The CJEU accepted, as a starting point, that the Directive's stated aim — fighting serious crime — is a legitimate objective of general interest. The Court's invalidation rested entirely on the proportionality analysis.</p>
<p>The Court found the Directive to be a "particularly serious interference" with two fundamental rights under the EU Charter:</p>
<p>- **Article 7** — respect for private and family life.
- **Article 8** — protection of personal data.</p>
<p>The Court's proportionality reasoning, summarized:</p>
<p>1. **The retention applied to all persons without distinction.** Every EU resident's metadata was retained, regardless of whether they were a suspect, a person of interest, or had any link whatsoever to serious crime. This was found to be inconsistent with the Charter's requirement that interference with fundamental rights be limited to what is strictly necessary.
2. **There was no relationship between the retained data and the threat addressed.** The Directive did not differentiate by category of data, by class of person, by geographic concentration of risk, or by any other criterion that could narrow the retention to the population genuinely connected to serious crime.
3. **Safeguards on access were insufficient.** The Directive set no harmonized access standard; it left each member state's law to determine the conditions under which retained data could be accessed. The result was a wide variation in safeguards across the EU, undermining the Directive's stated rights-protecting purpose.
4. **The retention period was not differentiated.** The Directive set a uniform retention period regardless of the category of data or the threat profile it might illuminate.</p>
<p>The Court did not require member states to abolish data retention. The Court required that any retention regime meet the strict-necessity test — narrowly tailored to specific threats, time-limited by data category, with robust harmonized access safeguards.</p>
<h2>The Canadian comparison</h2>
<p>Bill C-22's metadata-retention regime can be compared to the Directive on five axes:</p>
<p>| Axis | EU Directive 2006/24 | Bill C-22 |
|---|---|---|
| Retention category | Transmission, location, device identifiers; content excluded | Transmission, location, device identifiers; content excluded |
| Retention duration | 6 months to 2 years (member-state discretion) | Up to 1 year |
| Coverage | All users of all telecom services | All customers of all "core providers" |
| Access threshold | Member-state discretion (production order standard) | Production order with "reasonable grounds to suspect" |
| Oversight body in regime | National data-protection authorities | Intelligence Commissioner (for Part 2 orders); OPC absent |</p>
<p>The retention category is essentially identical. The retention duration is at the lower bound of the Directive's range. The coverage is universal. The access threshold is comparable to what existed under EU national implementations of the Directive — and is, per Geist's analysis, weaker than the previous Canadian standard for subscriber-information access.</p>
<p>The most material difference is the oversight architecture. The Directive contemplated independent data-protection-authority oversight of every member-state implementation. Bill C-22, as discussed in Day 3 of this series, does not provide a statutory role for the Office of the Privacy Commissioner of Canada in the regime it creates.</p>
<h2>How EU member states responded</h2>
<p>The CJEU ruling did not end data retention in the EU. It required that any continuing retention meet the strict-necessity test the Court articulated. Member-state responses over the decade since have varied:</p>
<p>- **Sweden** — the national court (Kammarrätten i Stockholm) ruled in 2017 that the Swedish data-retention law was incompatible with EU law and required reform. The current Swedish law applies retention only to specific categories of data, time-limited.
- **Germany** — the Federal Constitutional Court (Bundesverfassungsgericht) struck down the German implementation of the Directive in 2010, before the CJEU ruling on the Directive itself. A subsequent reform attempt was again blocked by the German courts in 2024.
- **United Kingdom** — the Investigatory Powers Act 2016 (post-Brexit) replaced the previous Data Retention and Investigatory Powers Act. The 2016 Act is itself the subject of ongoing litigation on similar grounds.
- **Ireland** — the country where Digital Rights Ireland originated. Ireland's current data-retention law (the 2011 Act, amended after the CJEU ruling) is materially narrower than the original Directive — narrower retention categories, shorter durations.
- **European Parliament** — has not attempted to re-introduce a Directive. The legislative consensus is that the original Directive's breadth cannot be reconstituted under EU law as the CJEU has interpreted it.</p>
<p>The EU experience suggests two things: that a CJEU-style proportionality analysis can survive in domestic policy, and that the political path is to narrow rather than abandon retention. Whether Canada will reach the same conclusion via Charter litigation is open.</p>
<h2>Why this matters for Canadian Charter analysis</h2>
<p>Canadian Charter litigation on Bill C-22, if and when it occurs, will turn on Section 8 — the protection against unreasonable search and seizure.</p>
<p>The Supreme Court of Canada's decision in *R v Spencer*, 2014 SCC 43, is the most directly relevant existing precedent. In *Spencer*, the Supreme Court held unanimously that Canadians have a reasonable expectation of privacy in their internet-subscriber data, and that police access to that data without a warrant (under the pre-Spencer practice of voluntary ISP disclosure) violated Section 8.</p>
<p>*Spencer* did not address mandatory metadata retention. Bill C-22 would be the first federal bill to test what a mandatory-retention regime looks like under the post-Spencer Charter framework.</p>
<p>Charter litigants would likely argue:</p>
<p>1. The retention applies to all Canadians without distinction — the same fact pattern the CJEU treated as a "particularly serious interference."
2. The bill does not differentiate retention by data category or threat profile — a structural feature the CJEU found incompatible with the strict-necessity test.
3. The Office of the Privacy Commissioner has no statutory oversight role under the regime — the kind of harmonized independent-oversight gap the CJEU treated as undermining proportionality.
4. The Department of Justice's own Charter statement on Bill C-22 is silent on the metadata-retention question — a fact Charter litigants would invite the court to weigh in the analysis.</p>
<p>The CJEU ruling does not bind a Canadian court. The Supreme Court of Canada has, however, cited foreign comparative-law reasoning in Charter jurisprudence many times, including in privacy cases. Digital Rights Ireland will be central to the litigation record any future Charter challenge develops.</p>
<h2>What the bill's defenders would say</h2>
<p>It is fair to note the rebuttal the bill's defenders would make.</p>
<p>The Canadian access-threshold under C-22 is not warrantless: a production order under the "reasonable grounds to suspect" standard is required. The CJEU's concern about variable national access standards across the EU does not map onto a single Canadian regime with a uniform statutory threshold.</p>
<p>The Intelligence Commissioner's review of Part 2 ministerial orders provides a layer that the EU Directive did not have. The CJEU's proportionality reasoning identified the absence of harmonized oversight as a structural defect of the Directive; the Canadian regime has, at least for ministerial orders, an independent reviewer.</p>
<p>The retention scope under C-22 is narrower than the Directive in at least one respect: the bill does not require web-browsing-history retention. The Directive's retention category was broader on that point.</p>
<p>These arguments do not, in the view of the bill's academic critics, defeat the CJEU's central reasoning — but they are the rebuttal that any future Charter litigation will have to address.</p>
<hr />
<p><small>
Originally published by <a href="https://parliamentaudit.ca/news/bill-c-22-europe-data-retention-directive-struck-down">Parliament Audit</a>
under the <a href="https://creativecommons.org/licenses/by-nd/4.0/">CC BY-ND 4.0</a> license.
<img src="https://parliamentaudit.ca/api/republish-beacon?slug=bill-c-22-europe-data-retention-directive-struck-down" alt="" width="1" height="1" />
</small></p>
</article>