Steve Peers
I’m writing this post on ‘The Day We Fight Back’
against mass surveillance. So it seems a suitable day to comment (a bit
belatedly) on the Advocate-General’s opinion from last December on the validity
of the EU’s data retention Directive (Directive 2006/24; Cases C-293/12 Digital Rights and C-594/12 Seitlinger).
Overall
context
These cases, referred from the Irish and Austrian
courts, present the Court of Justice of the EU (CJEU) with its best chance yet
to deliver an iconic judgment relating to the EU’s Charter of Fundamental
Rights. The Test-Achats judgment
of 2011, concerning the invalidity of EU rules permitting insurance
discrimination between men and women, just didn’t amount to such a judgment,
resulting as it did in higher car insurance rates for women drivers without
much analysis of the key issues by the CJEU.
This time around, the CJEU is aware that: the
constitutional courts of Germany and Romania have criticised the Directive on
fundamental rights grounds; the European Court of Human Rights is dubious about
mass surveillance (cf the S and Marper judgment); and there is considerable public concern across the EU about mass
surveillance, in particular in the current context of revelations about spying
by American security agencies.
As for the Directive itself, it requires Member
States to compel telecom and Internet access providers to keep records of all phone calls, Internet use and mobile
phone location data for at least six months, with no real fixed upper limit, so
the police can access those records for the purposes of investigations into
serious crime. (There is a nominal two-year upper limit for keeping this data,
but Member States can keep in place any higher limits that they already
applied, or ask the Commission for the power to set new higher limits in place
if they didn’t already apply them). Other EU laws giving Member States an
option to require that telecom providers keep such data for other reasons were
unaffected. Overall, as I pointed out at the time, ‘Member
States could insist on (or at least request) the retention of any type of data
for any type of security purpose for any period at all’.
Furthermore, the Directive set no
safeguards as regards the use of that data which industry was required to
retain. This was because the Directive had to limit itself to
regulation of the telecoms industry, due to its ‘internal market’ legal base
(upheld by the CJEU in Case C-301/06 Ireland
v EP and Council), so it couldn’t regulate what police forces did with the
data when they got it.
While it is possible that this mass surveillance may
assist in the prosecution of crime or the prevention of terrorism, that does
not automatically excuse it. No doubt there is less crime in totalitarian
states, but democratic states need to strike a balance between liberty and
security. According to the long-standing case law of the European Court of
Human Rights, targeted surveillance
is only acceptable if the law in question is very precise and sets out detailed
safeguards for the persons concerned. This must surely apply a fortiori to laws such as this Directive,
which provide for mass surveillance – if indeed such surveillance can ever be
justified at all.
The
Advocate-General’s opinion
The opinion takes as its starting point (correctly)
that the data retention Directive interferes with the rights to privacy and
data protection (Articles 7 and 8 of the Charter). So the focus of the case is
whether such interference can be justified. Article 52(1) of the Charter allows
restriction of Charter rights where those restrictions are provided for by law,
respect the essence of the rights, and are proportionate to protecting a public
interest recognised by EU law or the rights of others. Here there is clearly a
public interest, so the Advocate-General examines the other facets of the test.
He concludes that the EU Directive is not ‘prescribed
by law’, within the meaning of that phrase set out in the jurisprudence of the
European Court of Human Rights. The crucial problem here is the quality of the law set out in the Directive.
In particular, it is not sufficiently precise as regards the limitation on
Charter rights, and it does not set out guarantees for use of the data.
This raises an issue specific to the nature of the relationship
between the EU and its Member States. Since Directives must be applied by
Member States in their national law, it could potentially be left to the Member States to provide for such
precise details concerning the interference with Charter rights when they
transpose the Directive. It would be possible for the CJEU to clarify further
what such rules must address, as it has in a line of case law concerning
interference with privacy rights justified by the protection of intellectual
property (ie downloads of music, et al, in breach of copyright).
The Advocate-General rejects that possibility here –
and quite rightly. The difference is that the data retention Directive requires the Member States to interfere
with Charter rights, whereas the legislation at issue in the other cases merely
permits them to do so. In such a case
the EU must surely bear a significant part of the responsibility – if not the whole
responsibility – for satisfying the ‘quality of law’ test. This would be
consistent with the case law of the European Court of Human Rights in the Bosphorus Airways v Ireland case, and the draft EU
accession agreement for the ECHR, which both distinguish between cases where
the EU requires its Member States to act, and where it simply permits them to
do so.
Yet on this point, there is another complication arising
from the nature of EU law. Before the entry into force of the Treaty of Lisbon,
the legal order of the Union was divided into three so-called ‘pillars’. While
the internal market was part of the first pillar (Community law), police
cooperation was part of the third pillar (policing and criminal law). So a
Directive based on the internal market could not address issues relating to
police cooperation, and this Directive does not. That was precisely why the
CJEU rejected the Irish government’s challenge to the Directive in 2009.
To address this problem, the Advocate-General suggests
that the EU should at least have agreed some guarantees informally. But this
would not be good enough, as non-binding guarantees would not satisfy the ‘quality
of law’ test. The EU could, however, have adopted a third pillar ‘Framework
Decision’ setting out such guarantees before the Treaty of Lisbon; and now it can
set them out in the form of a Directive.
Finally, the Advocate-General concludes that the
Directive is also disproportionate, since there is not a good enough reason for
the possibly unlimited period of retaining personal data. Yet it must be
pointed out that Member States’ power to retain existing national laws allowing for longer periods of data retention
is built into the internal market rules of the Treaty. To disable the
application of those provisions, the Court of Justice would have to rule that
the Charter took priority over the Treaty (ie, other EU primary law).
Conclusions
These cases give the
opportunity to the CJEU to add a lot of flesh to the bones of the rules
concerning interference with Charter rights – in particular the application of
the ‘quality of law’ test, which the CJEU has not referred to at all before.
The difficulties created by the previous division of EU law into pillars, and the
particular rules set out in the internal market provisions of the Treaties,
must also be addressed. Yet in light of the overall context of these cases, the
established jurisprudence of the European Court of Human Rights, and the strong
opinion of the Advocate-General, it would simply be shocking if the Court of
Justice did not either rule the Directive invalid, or at the very least lay
down detailed rules which Member States have to follow when applying it.
[update: the CJEU gave its ruling in April 2014. For discussion of the judgment see here.]
Barnard & Peers: chapter 9
No comments:
Post a Comment