National legal challenges to the Data Retention Directive
by Chris Jones, Researcher for Statewatch
This post, which examines the numerous legal challenges against the EU’s Data Retention Directive at both national and EU level (not including today’s judgment), is the third post in a series examining the EU’s mandatory data retention legislation, which was struck down today by the Court of Justice of the European Union (CJEU). It is based on work undertaken by Statewatch as part of the SECILE project (Securing Europe through Counter-terrorism: Impact, Legitimacy and Effectiveness).
EU Court of Justice legal basis challenge
The first legal challenge to the Data Retention Directive came when Ireland, supported by Slovakia, asked the EU Court of Justice to annul the Directive on the grounds that it had the wrong legal basis. They argued that the correct legal basis for data retention resided “in the provisions of the EU Treaty concerning police and judicial cooperation in criminal matters,” rather than those on the internal market. The ECJ dismissed the case in February 2009, stating that:“Directive 2006/24… regulates operations which are independent of the implementation of any police and judicial cooperation in criminal matters. It harmonises neither the issue of access to data by the competent national law-enforcement authorities nor that relating to the use and exchange of those data between those authorities… “It follows that the substantive content of Directive 2006/24 is directed essentially at the activities of the service provides in the relevant sector of the internal market, to the exclusion of State activities coming under Title VI of the EU Treaty”.
The first ruling on national laws transposing the Directive came from Bulgaria in proceedings launched by the NGO Access to Information Program. In December 2008 the country’s Supreme Administrative Court annulled an article of the transposing legislation permitting the Ministry of Interior “passive access through a computer terminal” to retained data, as well as providing access without judicial permission to “security services and other law enforcement bodies”. The court found that:“[T]he provision did not set any limitations with regard to the data access by a computer terminal and did not provide for any guarantees for the protection of the right to privacy stipulated by Art. 32, Para. 1 of the Bulgarian Constitution. No mechanism was established for the respect of the constitutionally granted right of protection against unlawful interference in one’s private or family affairs and against encroachments on one’s honour, dignity and reputation.”The court also found the legislation failed to make reference to other relevant laws – the Penal Procedure Code, the Special Surveillance Means Act and the Personal Data Protection Act – “which specify conditions under which access to personal data shall be granted.”
In June 2008 the Hungarian Civil Liberties Union (HCLU or TASZ, Társaság a Szabadságjogkért) requested “the ex-post examination” by the Hungarian Constitutional Court of the amendment of Act C of 2003 on electronic communications, “for unconstitutionality and the annulment of the data retention provisions.”According to the HCLU, Act C “already comprised numerous restrictive data retention provisions prior to the directive. The only changes brought in by the amendments were the retention of Internet communications data and the elimination of the lax – but at least pre-defined – legal purposes of the data processing”. The HCLU argued that “the amendments completely disregarded the provisions of the directive [stating] that data should be ‘available for the purpose of investigation, detection and prosecution of serious crimes’.” Despite being filed in 2008, the case is yet to be heard. According to Fanny Hidvégi of the HCLU, this is because as of 1 January 2012 new restrictions were placed on submitting cases to the Constitutional Court, and “every pending case submitted by a person or institution which no longer has the right to do so were automatically terminated”. The HCLU has begun a new and lengthy procedure that requires the exhaustion of all other remedies before the Constitutional Court can examine the Hungarian data retention measures.
In October 2009, the Romanian Constitutional Court found that proposed national legislation implementing the Data Retention Directive violated Romanian constitutional provisions protecting freedom of movement; the right to intimate, private and family life; secrecy of correspondence; and freedom of expression. The court found that the government’s attempt to justify the mandatory retention of telecommunications data by invoking undefined “threats to national security” was unlawful. The Court also referred to the 1978 ECHR ruling in Klass v Germany, which stated that “taking surveillance measures without adequate and sufficient safeguards can lead to ‘destroying democracy on the ground of defending it’.”
In October 2011 the European Commission asked the Romanian government to bring forward new laws transposing the Directive, issuing a “reasoned opinion” under Article 258 of the TFEU, which carries the threat of full infringement proceedings at the European Court of Justice if the request is not met. A new law was duly drafted, but was rejected by the Romanian Senate. The law was heavily criticised in the media prior to the vote and the country’s Data Protection Authority had refused to endorse it, claiming that articles relating to the security services were “still vague”. Civil society organisations also opposed it and even the government refused to sponsor it, leaving the Minister of Communications and Information Society to propose it in his role as MP rather than minister. Strong support from the Minister of European Affairs fuelled criticism that it was motivated solely by the need to escape sanction by the European Court of Justice.
Ultimately the Senate vote was not decisive and the law continued its journey to the Chamber of Deputies, where at the end of May 2012 it was adopted with 197 votes for and 18 against, with many abstentions amongst the 332 deputies. There was no substantive discussion of fundamental rights issues in the Chamber of Deputies or the main two committees that debated the law and critics have argued that the provisions on access to retained data are even more problematic than the original statute. On 21 February 2013 the European Commission withdrew the infringement procedure that it had opened in 2011.
In February 2011 the Supreme Court of Cyprus ruled that aspects of the national transposing legislation breached the Cypriot constitution and case law on surveillance. The case was brought by individuals whose telecommunications data had been disclosed to the police in accordance with District Court orders. They argued that the laws underlying the orders were based (Articles 4 and 5 of Law 183(I) 2007, that sought to harmonise Cypriot law with the Directive), and therefore the District Court orders themselves violated their rights to privacy and confidentiality of communications. The Supreme Court found that petitioners had indeed been subject to a violation of their rights and annulled provisions it said went beyond the requirements of the Data Retention Directive. However, the legality of the Directive itself was not called into question.
Legislation transposing the Data Retention Directive into the Telecommunication Act and Code of Criminal Procedure was passed by the Bundestag on 9 November 2007 and entered into force on 1 January 2008. The day before, 31 December 2007, 35,000 German citizens (represented by the NGO AK Vorrat) filed a complaint against the legislation at the Federal Constitutional Court. On 2 March 2010 the Court ruled that the transposing provisions were a disproportionate interference with Article 10 (confidentiality of communications) of the Basic Law (Grundgesetz), and contravened legal standards on purpose limitation, data security, transparency and legal remedies.
However, the Court made no ruling on the actual Directive, stating that data retention is in principle proportionate to the aim of investigating serious crime and preventing imminent threats against life, body, freedom of persons, and the existence and security of the Federal Republic or one of its states. The Court found that the new domestic law failed to comply with legal standards on purpose limitation (restrictions on use of the retained data), data security, transparency and legal remedies.
In January 2011 the Ministry of Justice (MoJ) presented a paper proposing an alternative to data retention – a “quick freeze” system of limited data preservation for criminal investigations. The police and/or public prosecutors would issue a “quick freeze” order seeking access to metadata already held by telecommunications providers, for example for billing purposes. To actually access the “frozen”’ data would require the approval of a judge. In addition, the MoJ proposed an obligation for ISPs to store internet traffic data for seven days, allowing criminal investigators to identify persons behind (already known) IP addresses in particular in cases of child pornography. Criminal investigators would request the traffic and communications data via service providers without having direct access to these traffic data. This paper reflected proposals made in June 2010 by the Federal Commissioner for Data Protection, as well as the suggestions of more pragmatic privacy advocates.
More radical activists claim that any mandatory storage of communications data should be prohibited. The Interior Ministry rejected these proposals and insisted on full implementation of the Directive, arguing that the Constitutional Court had already shown that it is possible to implement the Directive and ensure individual privacy through high data security standards, including encryption and the “four eyes principle” (approval by at least two people) as prerequisite for accessing data and log files; strict purpose limitation; and the protection of professions whose confidentiality must be ensured.
The MoJ produced a “quick freeze” bill in April 2012 but continued opposition from the Interior Ministry meant that it was never tabled in Parliament. The Interior Ministry was unhappy with the length of the proposed freezing periods, demanding three months instead of the one month suggested by the Ministry of Justice. Moreover, the Interior Ministry wanted to include crimes such as fraud and hacking. The controversy continues and no new legislation has yet been introduced.
By this time the European Commission had initiated infringement proceedings and took its case to the European Court of Justice in July 2012. The Commission is seeking to impose a daily fine of €315,000.
On 13 March 2011 the Czech Republic’s Constitutional Court declared national legislation implementing the Directive unconstitutional. It found that the retention period exceeded the requirements of the Directive, and that use of the data was not restricted to cases of serious crime and terrorism. “The national legislation lacked, according to the constitutional court, clear and detailed rules for the protection of personal data as well as the obligation to inform the person whose data has been requested.” As in Germany, the Court stated that it could not review the Directive itself, but noted there was nothing in principle preventing implementation in conformity with constitutional law.
A second Constitutional Court decision in December 2011 examined the procedures put in place for obtaining access to retained data and found the “procedure in question to be too vague, in breach of [the] proportionality rule (its second step) and thus unconstitutional due to interference with right to privacy and informational self-determination.” In the meantime the Czech government revised the implementing legislation with modifications that took account of the judgment.The NGO Iuridicum Remedium has lodged fresh proceedings against the revised legislation on the grounds that regulation remains inadequate and that the new decree could provide for the “monitoring of contents of Internet communications”.
In August 2012 a group of Slovakian MPs, supported by the European Information Society Institute, lodged a legal complaint against the legislation implementing the Data Directive. The complaint asks the Slovak Constitutional Court to examine whether the laws implementing the Directive and dealing with access by the authorities to retained data are compatible with constitutional provisions on proportionality, the rights to privacy and data protection, and the provision granting freedom of speech. It also argues that the measures infringe provisions guaranteeing privacy, data protection and freedom of expression in Slovakian human rights law, the European Convention on Human Rights and the Charter of Fundamental Rights of the European Union. The complaint has not yet been resolved.
The European Commission has engaged in a lengthy battle to try to bring Sweden’s domestic legislation into line with the Directive. After the country missed the initial September 2007 deadline, the Commission brought infringement proceedings, with the European Court of Justice finding Sweden guilty of failing to fulfil its obligations in February 2010. A proposal for transposing legislation was put forward in December 2010 and adopted in March 2012. The new law should have taken effect in May 2012 but despite an overwhelming vote in favour of the new measures in the Swedish parliament (233 MPs voted in favour with 41 against and 19 abstaining), the Left Party and the Greens invoked a constitutional provision allowing the entry into force of new measures to be delayed by a motion of one sixth of the parliament’s members.
In May 2013, the European Court of Justice ordered Sweden to pay a €3 million fine for its delay in implementing the legislation. The Court rejected Swedish pleas regarding the domestic controversy over the implementation of the law:“As the Court has repeatedly emphasised, a Member State cannot plead provisions, practices or situations prevailing in its domestic legal order to justify failure to observe obligations arising under European Union law… The same is true of a decision, such as the one made by the Swedish Parliament, to which paragraph 8 of this judgment makes reference, to postpone for a year the adoption of the draft bill intended to transpose that directive.”
The Court of Justice of the European Union (CJEU)
The most serious challenge to the implementation of the Data Retention Directive has come from joined cases brought by the NGO Digital Rights and the plaintiffs in a case referred from the Austrian Constitutional Court. The Advocate General’s opinion on the case, published in December 2013 following a hearing in July, proposed that the Court declare the Directive as a whole incompatible with EU Charter articles 52(1) (limitations on rights “must be provided for by law and respect the essence of those rights and freedoms”) and 7 (right to privacy). The case focuses on the compatibility of the Directive with Articles 7 (respect for private and family life) and 8 (protection of personal data) of the European Union Charter of Fundamental Rights. At the hearing the representatives of those who brought the cases argued that the Directive is fundamentally incompatible with the Charter and that there is still no evidence to demonstrate that its necessity or proportionality.
On behalf of Austrian privacy group AK Vorrat, Edward Scheucher argued that:“[T]he cumulative effect of fundamental rights restrictions need to be taken into consideration when judging the legitimacy of a single measure. Given the revelations regarding PRISM, this cumulative effect now clearly provides a different result [than] at the time when the German [Constitutional] Court took its decision [to annul certain provisions of German transposing legislation]. Furthermore, he stated that the Austrian implementation of the directive clearly showed that a Charter-compatible national implementation of the Data Retention Directive is not possible. This argument is bolstered by the fact that the main author of the Austrian implementation is among the 11,139 Austrian plaintiffs who challenged data retention before the Austrian Constitutional Court.”
In response to requests for evidence demonstrating the necessity of the Directive, the Austrian and Irish governments presented new statistics on the use of retained data at the hearing. Also arguing in favour of the Directive were representatives of Italy, Spain and the UK, as well as the Commission, the Council and the Parliament. However, the Directive’s advocates still “had to acknowledge a lack of statistical evidence”, with the UK admitting that “there was no ‘scientific data’ to underpin the need” for data retention. Judge Thomas von Danwitz, the Court’s main rapporteur for the hearing, asked for information that had led to the adoption of the Directive in 2006, given that “the Commission in 2008 claimed not to have enough information for a sound review”. The Council’s lawyers, meanwhile, “implored the Court not to take away instruments from law enforcement”.
Ultimately, Advocate-General Cruz Villalón concluded that the Court answer the cases in the following way:“(1) Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC is as a whole incompatible with Article 52(1) of the Charter of Fundamental Rights of the European Union, since the limitations on the exercise of fundamental rights which that directivecontains because of the obligation to retain data which it imposes are not accompanied by the necessary principles for governing the guarantees needed to regulate access to the data and their use.“(2) Article 6 of Directive 2006/24 is incompatible with Articles 7 and 52(1) of the Charter of Fundamental Rights of the European Union in that it requires Member States to ensure that the data specified in Article 5 of that directive are retained for a period whose upper limit is set at two years.”
Today’s Grand Chamber judgment, which is analysed in Steve Peers’ separate post, ultimately agreed with this recommendation. The EU has finally been forced to redraft its mandatory data retention rules.