Lorna Woods, Professor of Internet Law, University of Essex
Today’s judgment in these important cases concerns the acceptability from a human rights perspective of national data retention legislation maintained even after the striking down of the Data Retention Directive in Digital Rights Ireland (Case C-293/12 and 594/12) (“DRI”) for being a disproportionate interference with the rights contained in Articles 7 and 8 EU Charter of Fundamental Rights (EUCFR). While situated in the context of the Privacy and Electronic Communications Directive (Directive 2002/58), the judgment sets down principles regarding the interpretation of Articles 7 and 8 EUCFR which will be applicable generally within the scope of EU law. It also has possible implications for the UK’s post-Brexit relationship with the EU.
Background and Facts
The Privacy and Electronic Communications Directive requires the confidentiality of communications, including the data about communications to be ensured through national law. As an exception it permits, under Article 15, Member States to take measures for certain public interest objectives such as the fight against terrorism and crime, which include requiring public electronic communications service providers to retain data about communications activity. Member States took very different approaches, which led to the enactment of the Data Retention Directive (Directive 2006/24) within the space for Member State action envisaged by Article 15. With that directive struck down, Article 15 remained the governing provision for exceptions to communications confidentiality within the field harmonised by the Privacy and Electronic Communications Directive. This left questions as to what action in respect of requiring the retention of data could be permissible under Article 15, as understood in the light of the EUCFR.
The cases in today’s judgment derive from two separate national regimes. The first, concerning Tele2, arose when – following the DRI judgment – Tele2 proposed to stop retaining the data specified under Swedish implementing legislation in relation to the Data Retention Directive. The second arose from a challenge to the Data Retention and Investigatory Powers Act 2014 (DRIPA) which had been enacted to provide a legal basis in the UK for data retention when the domestic regime implementing the Data Retention Directive fell as a consequence of the invalidity of that directive. Both sets of questions referred essentially asked about the impact of the DRI reasoning on national regimes, and whether Articles 7 and 8 EUCFR constrained the States’ regimes.
The Advocate General handed down an opinion in July (noted here) in which he opined that while mass retention of data may be possible, it would only be so when adequate safeguards were in place. In both instances, the conditions – in particular those identified in DRI – were not satisfied.
Scope of EU Law
A preliminary question is whether the data retention, or the access of such data by police and security authorities, falls within EU law. While the Privacy and Electronic Communications Directive regulated the behaviour of communications providers generally, Article 1(3) of that Directive specifies that matters covered by Titles V and VI of the TEU at that time (e.g. public security, defence, State security) fall outside the scope of the directive, which the Court described as relating to “activities of the State” . Further Article 15(1) permits the State to take some measures resulting in the infringement of the principle of confidentiality found in Art 5(1) which again “concern activities characteristic of States or State authorities, and are unrelated to fields in which individuals are active” [para 72]. While there seems to be overlap between Article 1(3) and Article 15(1), this does not mean that matters permitted on the basis of Article 15(1) fall outside the scope of the directive as “otherwise that provision would be deprived of any purpose” [para 73].
In the course of submissions to the Court, a distinction was made between the retention of data (by the communications providers) and access to the data (by police and security services). Accepting this distinction would allow a line to be drawn between the two, with retention as an activity of the commercial operator regulated by the Privacy and Electronic Communications Directive within its scope and the access, as an activity of the State lying outside it. The Court rejected this analysis and held that both retention and access lay within the field of the Privacy and Electronic Communications Directive [para 76]. It argued that Article 5(1) guarantees confidentiality of communications from the activities of third parties whether they be private actors or state authorities. Moreover, the effect of the national legislation is to require the communications providers to give access to the state authorities which in itself is an act of processing regulated by the Privacy and Electronic Communications Directive [para 78]. The Court also noted that the sole purpose of the retention is to be able to give such access.
Interpretation of Article 15(1)
The Court noted that the aim of the Privacy and Electronic Communications Directive is to ensure a high level of protection for data protection and privacy. Article 5(1) established the principle of confidentiality and that “as a general rule, any person other than the user is prohibited from storing, without the consent of the users concerned, the traffic data”, subject only to technical necessity and the terms of Article 15(1) (citing Promusicae) [para 85]. This requirement of confidentiality is backed up by the obligations in Article 6 and 9 specifically dealing with restrictions on the use of traffic and location data. Moreover, Recital 30 points to the need for data minimisation in this regard [para 87]. So, while Article 15(1) permits exceptions, they must be interpreted strictly so that the exception does not displace the rule; otherwise the rule would be “rendered largely meaningless” [para 89].
As a result of this general orientation, the Court held that Member States may only adopt measures for the purposes listed in the first sentence of Article 15(1) and those measures must comply with the requirements of the EUCFR. The Court, citing DRI (at paras 25 and 70), noted that in addition to Articles 7 and 8 EUCFR, Article 11 EUCFR – protecting freedom of expression – was also in issue. The Court noted the need for such measures to be necessary and proportionate and highlighted that Article 15 provided further detail in the context of communications whilst Recital 11 to the Privacy and Electronic Communications Directive requires measures to be “strictly proportionate” [para 95].
The Court then considered these principles in the light of the reference in Tele2 at paras 97 et seq of its judgment. Approving expressly the approach of the Advocate General on this point, it underlined that communications “data, taken as a whole, is liable to allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained” and that such data is no less sensitive that content [para 99]. The interference in the view of the Court was serious and far-reaching in relation to Articles 7, 8 and 11. While Article 15 identifies combatting crime as a legitimate objective, the Court – citing DRI – limited this so that only the fight against serious crime could be capable of justifying such intrusion. Even the fight against terrorism “cannot in itself justify that national legislation providing for the general and indiscriminate retention of all traffic and location data should be considered necessary” [para 103]. The Court stressed that the regime provides for “no differentiation, limitation or exception according to objectives pursued” [para 105]. The Court did confirm that some measures would be permissible:
… Article 15(1) of Directive 2002/58, read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter, does not prevent a Member State from adopting legislation permitting, as a preventive measure, the targeted retention of traffic and location data, for the purpose of fighting serious crime, provided that the retention of data is limited, with respect to the categories of data to be retained, the means of communication affected, the persons concerned and the retention period adopted, to what is strictly necessary. [para 108]
It then set down some relevant conditions:
Clear and precise rules “governing the scope and application of such a data retention measure and imposing minimum safeguards, so that the persons whose data has been retained have sufficient guarantees of the effective protection of their personal data against the risk of misuse” [para 109].
while “conditions may vary according to the nature of the measures taken for the purposes of prevention, investigation, detection and prosecution of serious crime, the retention of data must continue nonetheless to meet objective criteria, that establish a connection between the data to be retained and the objective pursued” .
The Court then emphasised that there should be objective evidence supporting the public whose data is to be collected on the basis that it is likely to reveal a link, even an indirect one, with serious criminal offences, and thereby contribute in one way or another to fighting serious crime or to preventing a serious risk to public security. The Court accepted that geographical factors could be one such ground, on the basis that “that there exists, in one or more geographical areas, a high risk of preparation for or commission of such offences” [para 111].
…Article 15(1) of Directive 2002/58, read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter, must be interpreted as precluding national legislation which, for the purpose of fighting crime, provides for the general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication [para 112].
Acceptability of legislation where (1) the measure is not limited to serious crime; (2) where there is no prior review; and (3) where there is no requirement that the data stays in the EU.
This next section deals with the first question referred in the Watson case, as well as the Tele 2 reference.
As regards the first point, the answer following the Court’s approach at paragraphs 90 and 102 is clear: only measures justified by reference to serious crime would be justifiable. As regards the second element, the Court noted that it is for national law to law conditions of access so as to ensure that the measure does not exceed what is strictly necessary. The conditions must be clear and legally binding. The Court argued that since general access could not be considered strictly necessary, national legislation must set out by reference to objective criteria the circumstances in which access would be permissible. Referring to the European Court of Human Rights (ECtHR) judgment in Zakharov, the Court specified:
access can, as a general rule, be granted, in relation to the objective of fighting crime, only to the data of individuals suspected of planning, committing or having committed a serious crime or of being implicated in one way or another in such a crime [para 119].
It then distinguished the general fight against crime from the fight against terrorism to suggest that in the latter case:
access to the data of other persons might also be granted where there is objective evidence from which it can be deduced that that data might, in a specific case, make an effective contribution to combating such activities [para 119].
The conditions set down must be respected. The Court therefore held that, save in cases of genuine emergency, prior review by an independent body must be carried out on the basis of a reasoned request by the investigating bodies. In making this point, the Court referred to the ECtHR judgment in Szabó and Vissy v. Hungary, as well as its own previous ruling in DRI. Furthermore, once there was no danger to the investigation by so doing, individuals affected should be notified, so as to those affected people the possibility to exercise their right to a remedy as specified in Article 15(2) read with Article 22 of the Data Protection Directive (Directive 95/46).
Article 15(1) permits derogation only in relation to specified provisions in the directive; it does not permit derogation with regard to the security obligations contained in Article 4(1) and 4(1a). the Court noted the quantity of data as well as its sensitivity to suggest that a high level of security measures would be required on the part of the electronic communications providers. Following this, the Court then stated:
…, the national legislation must make provision for the data to be retained within the European Union and for the irreversible destruction of the data at the end of the data retention period (see, by analogy, in relation to Directive 2006/24, the Digital Rights judgment, paragraphs 66 to 68) [para 122].
The Court noted that as a separate obligation from the approval of access to data, that States should ensure that independent review of compliance with the required regulatory framework was carried out by an independent body. In the view of the Court, this followed from Article 8(3) EUCFR. This is an essential element of individuals’ ability to make claims in respect of infringements of their data protection rights, as noted previously in DRI and Schrems.
The Court then summarised the outcome of this reasoning, that Article 15 and the EUCFR:
must be interpreted as precluding national legislation governing the protection and security of traffic and location data and, in particular, access of the competent national authorities to the retained data, where the objective pursued by that access, in the context of fighting crime, is not restricted solely to fighting serious crime, where access is not subject to prior review by a court or an independent administrative authority, and where there is no requirement that the data concerned should be retained within the European Union. [para 125]
Relationship between the EUCFR, EU law and the ECHR
The English Court of Appeal had referred a question about the impact of the ECHR on the scope of the EUCFR in the light of Article 52 EUCFR. While the Court declared the question inadmissible, it –like the Advocate General – took the time to point out that the ECHR is not part of EU law, so the key issue is the scope of the EUCFR; and in any event Article 52(3) does not preclude Union law from providing protection that is more extensive than the ECHR. As a further point, the Court added that Article 8 EUCFR, which provides a separate right to data protection, does not have an exact equivalent in the ECHR and that there is therefore a difference between the two regimes.
Given the trend of recent case law, the outcome in this case is not surprising. There are some points that are worth emphasising.
The first relates to the scope of EU law, which is a threshold barrier to any claim based on the EUCFR. The Advocate General seemed prepared to accept a distinction between the retention of data and the access thereto (although conditions relating to the latter could bear on the proportionality of the former). The Court took a different approach and held that the access also fell within the scope of the Directive/EU law, because the national regime imposed an obligation on the communications service provider to provide access to the relevant authorities. Given this was an obligation on the service provider, it fell within the regulatory schema. This approach thus avoids the slightly unconvincing reasoning which the Advocate General adopted. It also possibly enlarges the scope of EU law.
In general terms, the Court’s reasoning looks at certain provisions of the Privacy and Electronic Communications Directive. While the reasoning is set in that context, it does not mean that the Court’s interpretation of the requirements deriving from the EUCFR is limited only to this set of surveillance measures. The rules of interpretation of particularly Articles 7 and 8 could apply more generally – perhaps to PNR data (another form of mass surveillance) – and beyond. It is also worth noting that according to a leaked Commission document, it is proposed to extend the scope of the Privacy and Electronic Communications Directive to other communications service providers not currently regulated by the directive, but who may be subject to some data retention requirements already.
Whilst the Court makes the point that Articles 7 and 8 EUCFR are separate and different, and that data retention implicates also Article 11 EUCFR, in its analysis of the impact of national measures providing for retention it does not deal with Articles 7 and 8 separately (contrast DRI where a limited consideration was given to this). Having flagged Article 11 EUCFR, it takes that analysis no further. This is the leaves questions as to the scope of the rights, and particularly how Article 11 issues play out.
Note that the Court does not state that data retention itself is impermissible; indeed, it specifies circumstances when data retention would be acceptable. It challenges the compatibility of mass data retention with Articles 7 and 8 EUCFR, however, even in the context of the fight against terrorism. In this, it is arguable that the Court has taken a tougher stance than its Advocate General on this point of principle. In this we see a mirror of the approach in DRI, when the Court took a different approach to its Advocate General. In that case too, the Advocate General focussed on safeguards and the quality of law, as has the Advocate General here. For the Court here, differentiation – between people and between types of offences and threats – based on objective, evidenced grounds is central to showing that national measures are proportionate and no more than – in the terms of the directive – strictly necessary. This seems to go close to disagreeing with the Opinion of the Advocate General that in DRI, the Court ‘did not, however, hold that that absence of differentiation meant that such obligations, in themselves, went beyond what was strictly necessary’ (Opinion, para 199). The Advocate General used this point to argue that DRI did not suggest that mass surveillance was per se unlawful (see Opinion, para 205). Certainly, in neither case did the Court expressly hold that mass surveillance was per so unlawful, so the question still remains. What is clear, however, is that the Court supports the retention of data following justified suspicion – even perhaps generalised suspicion – rather than using the analysis of retained data to justify suspicion.
In its reasoning, the Court did not –unlike the Advocate General – specifically make a ruling on whether or not the safeguards set down in DRI, paras 60-68, should be seen as mandatory – in effect creating a 6 point check list. Nonetheless, it repeatedly cited DRI approvingly. Within this framework, it highlighted specific aspects – such as the need for prior approval; the need for security and control over data; a prohibition on transferring data outside the EU; the need for subjects to be able to exercise their right to a remedy. Some of these points will be difficult to reconcile with the current regime in the United Kingdom regarding communications data.
It did not, however, touch on acceptable periods for retention (even though it – like its Advocate General – referred to Zakharov). More generally, the Court’s analysis – by comparison with that of the Advocate General – was less detailed and structured, particularly about the meaning of necessity and proportionality. It did not directly address the points the Advocate General made about lawfulness, with specific reference to reliance on codes (an essential feature of the UK arrangements); it did in passing note that the conditions for access to data should be binding within the domestic legal system. Is this implicit agreement with the Advocate General on this point? It certainly agreed with him that the seriousness of the interference meant that data retention of communications data should be restricted to ‘serious crime’ and not just any crime.
One final issue relates to the judicial relationship between Strasbourg and Luxembourg. Despite emphasising that the ECHR is not part of EU law, the Court relies on two recent cases from the ECtHR, perhaps seeking to emphasis the consistency in this area between the two courts – or perhaps seeking to put pressure on Strasbourg to hold the line as it faces a number of state surveillance cases on its own docket, many against the UK. The position of Strasbourg is significant for the UK. While many assume that the UK will maintain the GDPR after Brexit in the interests of ensuring equivalence, it could be that the EUCFR will no longer be applicable in the UK post-Brexit. For UK citizens, the ECHR then is the only route to challenge state intrusion into privacy. For those in the EU, data transfers to the UK post-Brexit could be challenged on the basis that the UK’s law is not sufficiently adequate compared to EU standards. Today’s ruling – and the UK’s response to it, if any – could be a significant element in arguing that issue.