European Area of Freedom Security & Justice

National legal challenges to the Data Retention Directive
by Chris Jones, Researcher for Statewatch

This post, which examines the numerous legal challenges against the EU’s Data Retention Directive at both national and EU level (not including today’s judgment), is the third post in a series examining the EU’s mandatory data retention legislation, which was struck down today by the Court of Justice of the European Union (CJEU). It is based on work undertaken by Statewatch as part of the SECILE project (Securing Europe through Counter-terrorism: Impact, Legitimacy and Effectiveness).

EU Court of Justice legal basis challenge

The first legal challenge to the Data Retention Directive came when Ireland, supported by Slovakia, asked the EU Court of Justice to annul the Directive on the grounds that it had the wrong legal basis. They argued that the correct legal basis for data retention resided “in the provisions of the EU Treaty concerning police and judicial cooperation in criminal matters,” rather than those on the internal market. The ECJ dismissed the case in February 2009, stating that:“Directive 2006/24… regulates operations which are independent of the implementation of any police and judicial cooperation in criminal matters. It harmonises neither the issue of access to data by the competent national law-enforcement authorities nor that relating to the use and exchange of those data between those authorities… “It follows that the substantive content of Directive 2006/24 is directed essentially at the activities of the service provides in the relevant sector of the internal market, to the exclusion of State activities coming under Title VI of the EU Treaty”.

Bulgaria

The first ruling on national laws transposing the Directive came from Bulgaria in proceedings launched by the NGO Access to Information Program. In December 2008 the country’s Supreme Administrative Court annulled an article of the transposing legislation permitting the Ministry of Interior “passive access through a computer terminal” to retained data, as well as providing access without judicial permission to “security services and other law enforcement bodies”. The court found that:“[T]he provision did not set any limitations with regard to the data access by a computer terminal and did not provide for any guarantees for the protection of the right to privacy stipulated by Art. 32, Para. 1 of the Bulgarian Constitution. No mechanism was established for the respect of the constitutionally granted right of protection against unlawful interference in one’s private or family affairs and against encroachments on one’s honour, dignity and reputation.”The court also found the legislation failed to make reference to other relevant laws – the Penal Procedure Code, the Special Surveillance Means Act and the Personal Data Protection Act – “which specify conditions under which access to personal data shall be granted.”

Hungary

In June 2008 the Hungarian Civil Liberties Union (HCLU or TASZ, Társaság a Szabadságjogkért) requested “the ex-post examination” by the Hungarian Constitutional Court of the amendment of Act C of 2003 on electronic communications, “for unconstitutionality and the annulment of the data retention provisions.”According to the HCLU, Act C “already comprised numerous restrictive data retention provisions prior to the directive. The only changes brought in by the amendments were the retention of Internet communications data and the elimination of the lax – but at least pre-defined – legal purposes of the data processing”. The HCLU argued that “the amendments completely disregarded the provisions of the directive [stating] that data should be ‘available for the purpose of investigation, detection and prosecution of serious crimes’.” Despite being filed in 2008, the case is yet to be heard. According to Fanny Hidvégi of the HCLU, this is because as of 1 January 2012 new restrictions were placed on submitting cases to the Constitutional Court, and “every pending case submitted by a person or institution which no longer has the right to do so were automatically terminated”. The HCLU has begun a new and lengthy procedure that requires the exhaustion of all other remedies before the Constitutional Court can examine the Hungarian data retention measures.

Romania

In October 2009, the Romanian Constitutional Court found that proposed national legislation implementing the Data Retention Directive violated Romanian constitutional provisions protecting freedom of movement; the right to intimate, private and family life; secrecy of correspondence; and freedom of expression. The court found that the government’s attempt to justify the mandatory retention of telecommunications data by invoking undefined “threats to national security” was unlawful. The Court also referred to the 1978 ECHR ruling in Klass v Germany, which stated that “taking surveillance measures without adequate and sufficient safeguards can lead to ‘destroying democracy on the ground of defending it’.”

In October 2011 the European Commission asked the Romanian government to bring forward new laws transposing the Directive, issuing a “reasoned opinion” under Article 258 of the TFEU, which carries the threat of full infringement proceedings at the European Court of Justice if the request is not met. A new law was duly drafted, but was rejected by the Romanian Senate. The law was heavily criticised in the media prior to the vote and the country’s Data Protection Authority had refused to endorse it, claiming that articles relating to the security services were “still vague”. Civil society organisations also opposed it and even the government refused to sponsor it, leaving the Minister of Communications and Information Society to propose it in his role as MP rather than minister. Strong support from the Minister of European Affairs fuelled criticism that it was motivated solely by the need to escape sanction by the European Court of Justice.

Ultimately the Senate vote was not decisive and the law continued its journey to the Chamber of Deputies, where at the end of May 2012 it was adopted with 197 votes for and 18 against, with many abstentions amongst the 332 deputies. There was no substantive discussion of fundamental rights issues in the Chamber of Deputies or the main two committees that debated the law and critics have argued that the provisions on access to retained data are even more problematic than the original statute. On 21 February 2013 the European Commission withdrew the infringement procedure that it had opened in 2011.

Cyprus

In February 2011 the Supreme Court of Cyprus ruled that aspects of the national transposing legislation breached the Cypriot constitution and case law on surveillance. The case was brought by individuals whose telecommunications data had been disclosed to the police in accordance with District Court orders. They argued that the laws underlying the orders were based (Articles 4 and 5 of Law 183(I) 2007, that sought to harmonise Cypriot law with the Directive), and therefore the District Court orders themselves violated their rights to privacy and confidentiality of communications. The Supreme Court found that petitioners had indeed been subject to a violation of their rights and annulled provisions it said went beyond the requirements of the Data Retention Directive. However, the legality of the Directive itself was not called into question.

Germany

Legislation transposing the Data Retention Directive into the Telecommunication Act and Code of Criminal Procedure was passed by the Bundestag on 9 November 2007 and entered into force on 1 January 2008. The day before, 31 December 2007, 35,000 German citizens (represented by the NGO AK Vorrat) filed a complaint against the legislation at the Federal Constitutional Court. On 2 March 2010 the Court ruled that the transposing provisions were a disproportionate interference with Article 10 (confidentiality of communications) of the Basic Law (Grundgesetz), and contravened legal standards on purpose limitation, data security, transparency and legal remedies.

However, the Court made no ruling on the actual Directive, stating that data retention is in principle proportionate to the aim of investigating serious crime and preventing imminent threats against life, body, freedom of persons, and the existence and security of the Federal Republic or one of its states. The Court found that the new domestic law failed to comply with legal standards on purpose limitation (restrictions on use of the retained data), data security, transparency and legal remedies.

In January 2011 the Ministry of Justice (MoJ) presented a paper proposing an alternative to data retention – a “quick freeze” system of limited data preservation for criminal investigations. The police and/or public prosecutors would issue a “quick freeze” order seeking access to metadata already held by telecommunications providers, for example for billing purposes. To actually access the “frozen”’ data would require the approval of a judge. In addition, the MoJ proposed an obligation for ISPs to store internet traffic data for seven days, allowing criminal investigators to identify persons behind (already known) IP addresses in particular in cases of child pornography. Criminal investigators would request the traffic and communications data via service providers without having direct access to these traffic data. This paper reflected proposals made in June 2010 by the Federal Commissioner for Data Protection, as well as the suggestions of more pragmatic privacy advocates.

More radical activists claim that any mandatory storage of communications data should be prohibited. The Interior Ministry rejected these proposals and insisted on full implementation of the Directive, arguing that the Constitutional Court had already shown that it is possible to implement the Directive and ensure individual privacy through high data security standards, including encryption and the “four eyes principle” (approval by at least two people) as prerequisite for accessing data and log files; strict purpose limitation; and the protection of professions whose confidentiality must be ensured.

The MoJ produced a “quick freeze” bill in April 2012 but continued opposition from the Interior Ministry meant that it was never tabled in Parliament. The Interior Ministry was unhappy with the length of the proposed freezing periods, demanding three months instead of the one month suggested by the Ministry of Justice. Moreover, the Interior Ministry wanted to include crimes such as fraud and hacking. The controversy continues and no new legislation has yet been introduced.

By this time the European Commission had initiated infringement proceedings and took its case to the European Court of Justice in July 2012. The Commission is seeking to impose a daily fine of €315,000.

Czech Republic

On 13 March 2011 the Czech Republic’s Constitutional Court declared national legislation implementing the Directive unconstitutional. It found that the retention period exceeded the requirements of the Directive, and that use of the data was not restricted to cases of serious crime and terrorism. “The national legislation lacked, according to the constitutional court, clear and detailed rules for the protection of personal data as well as the obligation to inform the person whose data has been requested.” As in Germany, the Court stated that it could not review the Directive itself, but noted there was nothing in principle preventing implementation in conformity with constitutional law.

A second Constitutional Court decision in December 2011 examined the procedures put in place for obtaining access to retained data and found the “procedure in question to be too vague, in breach of [the] proportionality rule (its second step) and thus unconstitutional due to interference with right to privacy and informational self-determination.” In the meantime the Czech government revised the implementing legislation with modifications that took account of the judgment.The NGO Iuridicum Remedium has lodged fresh proceedings against the revised legislation on the grounds that regulation remains inadequate and that the new decree could provide for the “monitoring of contents of Internet communications”.

Slovakia

In August 2012 a group of Slovakian MPs, supported by the European Information Society Institute, lodged a legal complaint against the legislation implementing the Data Directive. The complaint asks the Slovak Constitutional Court to examine whether the laws implementing the Directive and dealing with access by the authorities to retained data are compatible with constitutional provisions on proportionality, the rights to privacy and data protection, and the provision granting freedom of speech. It also argues that the measures infringe provisions guaranteeing privacy, data protection and freedom of expression in Slovakian human rights law, the European Convention on Human Rights and the Charter of Fundamental Rights of the European Union. The complaint has not yet been resolved.

Sweden

The European Commission has engaged in a lengthy battle to try to bring Sweden’s domestic legislation into line with the Directive. After the country missed the initial September 2007 deadline, the Commission brought infringement proceedings, with the European Court of Justice finding Sweden guilty of failing to fulfil its obligations in February 2010. A proposal for transposing legislation was put forward in December 2010 and adopted in March 2012. The new law should have taken effect in May 2012 but despite an overwhelming vote in favour of the new measures in the Swedish parliament (233 MPs voted in favour with 41 against and 19 abstaining), the Left Party and the Greens invoked a constitutional provision allowing the entry into force of new measures to be delayed by a motion of one sixth of the parliament’s members.

In May 2013, the European Court of Justice ordered Sweden to pay a €3 million fine for its delay in implementing the legislation. The Court rejected Swedish pleas regarding the domestic controversy over the implementation of the law:“As the Court has repeatedly emphasised, a Member State cannot plead provisions, practices or situations prevailing in its domestic legal order to justify failure to observe obligations arising under European Union law… The same is true of a decision, such as the one made by the Swedish Parliament, to which paragraph 8 of this judgment makes reference, to postpone for a year the adoption of the draft bill intended to transpose that directive.”

The Court of Justice of the European Union (CJEU)

The most serious challenge to the implementation of the Data Retention Directive has come from joined cases brought by the NGO Digital Rights and the plaintiffs in a case referred from the Austrian Constitutional Court. The Advocate General’s opinion on the case, published in December 2013 following a hearing in July, proposed that the Court declare the Directive as a whole incompatible with EU Charter articles 52(1) (limitations on rights “must be provided for by law and respect the essence of those rights and freedoms”) and 7 (right to privacy). The case focuses on the compatibility of the Directive with Articles 7 (respect for private and family life) and 8 (protection of personal data) of the European Union Charter of Fundamental Rights. At the hearing the representatives of those who brought the cases argued that the Directive is fundamentally incompatible with the Charter and that there is still no evidence to demonstrate that its necessity or proportionality.

On behalf of Austrian privacy group AK Vorrat, Edward Scheucher argued that:“[T]he cumulative effect of fundamental rights restrictions need to be taken into consideration when judging the legitimacy of a single measure. Given the revelations regarding PRISM, this cumulative effect now clearly provides a different result [than] at the time when the German [Constitutional] Court took its decision [to annul certain provisions of German transposing legislation]. Furthermore, he stated that the Austrian implementation of the directive clearly showed that a Charter-compatible national implementation of the Data Retention Directive is not possible. This argument is bolstered by the fact that the main author of the Austrian implementation is among the 11,139 Austrian plaintiffs who challenged data retention before the Austrian Constitutional Court.”

In response to requests for evidence demonstrating the necessity of the Directive, the Austrian and Irish governments presented new statistics on the use of retained data at the hearing. Also arguing in favour of the Directive were representatives of Italy, Spain and the UK, as well as the Commission, the Council and the Parliament. However, the Directive’s advocates still “had to acknowledge a lack of statistical evidence”, with the UK admitting that “there was no ‘scientific data’ to underpin the need” for data retention. Judge Thomas von Danwitz, the Court’s main rapporteur for the hearing, asked for information that had led to the adoption of the Directive in 2006, given that “the Commission in 2008 claimed not to have enough information for a sound review”. The Council’s lawyers, meanwhile, “implored the Court not to take away instruments from law enforcement”.

Ultimately, Advocate-General Cruz Villalón concluded that the Court answer the cases in the following way:“(1) Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC is as a whole incompatible with Article 52(1) of the Charter of Fundamental Rights of the European Union, since the limitations on the exercise of fundamental rights which that directivecontains because of the obligation to retain data which it imposes are not accompanied by the necessary principles for governing the guarantees needed to regulate access to the data and their use.“(2) Article 6 of Directive 2006/24 is incompatible with Articles 7 and 52(1) of the Charter of Fundamental Rights of the European Union in that it requires Member States to ensure that the data specified in Article 5 of that directive are retained for a period whose upper limit is set at two years.”

Today’s Grand Chamber judgment, which is analysed in Steve Peers’ separate post, ultimately agreed with this recommendation. The EU has finally been forced to redraft its mandatory data retention rules.

Monday, 7 April 2014
Background to the EU Data Retention Directive
By Chris Jones, Researcher for Statewatch

As the fallout from the Snowden leaks rumbles on, the Court of Justice of the European Union (CJEU) will today decide a case (Digital Rights Ireland, Seitlinger and Others that could spell the end for the EU’s Data Retention Directive in its current form. The Directive mandates the mass storage by private companies of individuals’ telecommunications data, in case it is required by law enforcement authorities to investigate cases of serious crime or terrorism.

The judgment follows the handing down of a critical opinion by Advocate General Cruz Villalón in December 2013, which proposed that the Court declare the Directive as a whole incompatible with EU Charter articles 52(1) (limitations on rights “must be provided for by law and respect the essence of those rights and freedoms”) and 7 (right to privacy). This post, based on work undertaken by Statewatch as part of the SECILE project (Securing Europe through Counter-terrorism: Impact, Legitimacy and Effectiveness), outlines the history of the 2006 Data Retention Directive; the key points of the legislation; and its problematic national implementation, which has been the subject of legal challenges across Europe. Two further posts will examine the implementation of the Directive and the challenges to it.

The Data Retention Directive: a brief overview

The 2006 Data Retention Directive obliges Member States to ensure that telecommunications and Internet Service Providers (ISPs) retain various types of data generated by individuals through the use of landline phones, fax machines, mobile phones, and the internet, “in order to ensure that the data are available for the purpose of the investigation, detection and prosecution of serious crime”.The data that must be retained are:

The source of a communication;
The destination of a communication;
The date, time and duration of a communication;
The type of a communication;
Users’ communication equipment or what purports to be their equipment; and
The location of mobile communication equipment.

The retention period is a minimum of six months and a maximum of two years.
Member States decide exact duration as well as the conditions under which it may be accessed.

The European Data Protection Supervisor has called the Directive “without doubt the most privacy-invasive instrument ever adopted by the EU in terms of scale and the number of people it affects,” and it ranks among the most controversial pieces of counter-terrorism legislation the EU has ever adopted. Fierce debate as to its legitimacy and effectiveness has raged since the earliest stages of its drafting to the present day.

The policy-making process

According to the preamble of the Data Retention Directive, the terrorist attacks in Madrid in March 2004 and in London in July 2005 “reaffirmed… the need to adopt common measures on the retention of telecommunications data as soon as possible.” However, law enforcement agencies had been seeking data retention legislation long before the destruction of the World Trade Centre on 11 September 2001, and the Directive does not limit data retention to combating terrorism.

Demands for data retention can be traced back to the “International Law Enforcement and Telecommunications Seminars” (ILETS) held at the FBI academy in Quantico, Virginia, which commenced in 1993 with the aim of developing global “interception requirements” – standards for telephone-tapping by police and security agencies to be provided in all telephone networks.
Following the first ILETS meeting, the very first EU Council of Justice and Home Affairs (JHA) Ministers adopted a Resolution in November 1993 – which was not published – calling on experts to compare the needs of the EU vis-à-vis the interception of telecommunications “with those of the FBI”.

A second EU Resolution based on ILETS’ work was adopted in January 1995 and introduced obligations on telecommunications companies to cooperate with law enforcement agencies in the “real-time” surveillance of their customers. This was never actually discussed by the Council of Ministers. It was adopted instead by “written procedure” (where legislative texts are circulated among ministries and adopted if there are no objections). The Resolution, which was not published in any form until November 1996, formed the basis of the provisions on the interception of telecommunications in the EU Convention on Mutual Legal Assistance of 2000.
ILETS continued every year and in 1999 identified a new problem. Valuable “traffic data” – particularly mobile phone and internet usage records – were being erased by service providers after customers had been billed, a particularly acute issue in the EU because of the recently enacted EC Directive on privacy in telecommunications, which obliged service providers to delete traffic data after its use for billing purposes (usually within three months).
ILETS thus introduced the principle of mandatory data retention regimes that would oblige service providers to keep data for much longer periods. This demand then surfaced in other intergovernmental fora concerned with police and judicial cooperation, such as the G8. The American Civil Liberties Union, Privacy International and Statewatch would later dub this process “policy laundering”: “the use by governments of foreign and international forums as an indirect means of pushing policies unlikely to win direct approval through the regular domestic political process.”

In 2000 the EU decided to update the aforementioned 1997 Directive on privacy in telecommunications to take into account “new technologies” and proposed what would become known as the “e-Privacy” Directive. The draft Directive proposed scrapping the clause obliging service providers to delete traffic data after billing use. As a First Pillar matter (dealing with the functioning of the internal market), the European Parliament had what was then a rare vote on what was effectively a Justice and Home Affairs or Third Pillar issue (police surveillance). Following an extensive campaign by privacy advocates the proposal was rejected. However in 2002, with the events of 11 September 2001 providing a fresh justification, a left-right alliance of the European Socialist Party (PSE) and the European People’s Party (PPE) agreed the e-Privacy Directive and the “data retention amendment”, with the liberals, greens and left parties opposed. This paved the way for Member States to introduce their own optional national data retention regimes.
Yet no sooner was the ink dry on the e-Privacy Directive than a confidential draft Framework Decision on the compulsory retention of subscriber and traffic data for 12-24 months across the EU was circulated among Member States and leaked by Statewatch.
Following widespread criticism of the proposal in European media, the then-Danish presidency of the EU was moved to issue a statement saying that the proposal was “not on the table”.
If not ‘on the table’, the proposal appears to have remained close at hand – following the Madrid train bombings in March 2004, the ‘EU Declaration on combating terrorism’ endorsed the principle of mandatory data retention across the EU.
One month later the UK, France, Sweden and Ireland submitted a revised draft Framework Decision on data retention to the Council. By now, a majority of EU Member States had also introduced national data retention regimes. The EU proposal suffered another major setback when Statewatch published the confidential legal advice of the EU Council and Commission Legal Services, both of which had been withheld from MEPs and the public despite stating that the Framework Decision was unlawful because it had the wrong legal basis. Data retention, said the EU’s lawyers, was a First Pillar issue because it regulated the activities of service providers in the single market.

The European Commission, despite previously opposing data retention, redrafted the proposal as a Directive. This complicated things further. Whereas the European Parliament was only consulted on the draft Framework Decision, with the EU Council free to ignore its opinion, it would now enjoy full powers of “co-decision”. Moreover, during the consultation process on the Framework Decision, the Parliament had voted to reject mandatory data retention because it was “incompatible with Article 8” of the ECHR (protection of personal data).

However, between the defeat of the proposal for a Framework Decision and the publication of the proposal for a Directive, the July 2005 London tube bombings happened. These were used as a fresh justification for an EU data retention law, although the UK prime minister suggested at the time that “all the surveillance in the world” could not have prevented the attacks.

The UK then used its presidency of the EU Council to impose a deadline of the end of 2005 for the European Parliament to agree the measure, with Charles Clarke, UK Secretary of State, lecturing the EP on the need to adopt the proposal. Home Office officials were reported to have told MEPs in private that if parliament failed to do this they “would make sure the European Parliament would no longer have a say on any justice and home affairs matter.”
Led by Privacy International and the European Digital Rights Initiative, 90 NGOs and 80 telecommunications service providers wrote to MEPs, imploring them to reject the measure.
Despite their efforts, the EP finally agreed the measure on 14 December 2005, with another PSE-PPE alliance reversing the position on the draft Framework Decision that the parliament had taken just eight months earlier. The Directive completed its passage through parliament following a single reading, meeting the UK’s demands on the timeframe.
The Council of the EU adopted the legislation by qualified majority, with Ireland and the Slovakia voting against, and the Directive passed into law in March 2006.

Two further observations are relevant to any substantive consideration of the policy-making process.
The first concerns the role of the UK government, which took its attempts to enforce data retention to EU institutions after it had been prevented from a domestic mandatory data retention regime by the houses of parliament. In what appears to be a clear case of “policy laundering”, the subsequent EU Directive, championed by the UK government, was binding on the UK and implemented by statutory instrument, in the form of the Data Retention (EC Directive) Regulations 2007 and 2009.

The second observation concerns the role played by the US government in pushing for mandatory data retention in Europe, bilaterally in its discussions with the European Commission and EU Presidency, and in multilateral fora like the G8. This is noteworthy because at that time there were no corresponding powers in the USA, nor any intention to introduce them.
In place of blanket “data retention”, US law enforcement and security agencies are obliged to seek “preservation orders” from special surveillance courts.
However, recent leaks such as that of the FISA court order imposed on Verizon, demonstrate that US agencies and their special “surveillance court” have interpreted these principles so widely as to cover entire telephone networks and all of their users.

Nevertheless, a more principled implementation of such a regime would be more privacy-friendly than the EU’s current blanket approach.
Opposition to the Data Retention Directive in Europe included advocacy from civil society organisations for the development of this model as an alternative, with judicial supervision to try and ensure that access to private data is necessary and legitimate. This is still the preferred option of the Ministry of Justice in Germany, where implementation of the Directive has been highly controversial and the subject of a Constitutional Court ruling that demanded its redrafting.