Tuesday 8 April 2014

The data retention judgment: The CJEU prohibits mass surveillance



Steve Peers

On July 7, 2005 a relative of mine started her journey to work on a London tube train. Within half an hour, bombs on that train left by terrorists exploded, in conjunction with three other bombs across London. Dozens of people died (although my relative was not injured).

Understandably, public concern about terrorist incidents, following on from the earlier outrages of 9/11 and the Madrid bombings, led to further EU anti-terrorist legislation. In particular, the British Presidency of the EU Council made it a top priority to adopt legislation providing for retention of a large amount of communications data. But according to the Court of Justice of the European Union (CJEU), in a crucial judgment today, that legislation was essentially an over-reaction to these terrorist atrocities. The Court has effectively prohibited mass surveillance in the EU, and thus taken significant steps to entrench itself as the EU’s constitutional court.


Summary of the judgment


As discussed in detail by Chris Jones’ post on this blog, the Directive requires Member States to require telecommunications service providers to retain significant amounts of data on the use of all forms of telecommunications by all individuals within the EU, for a period of between 6 months and 2 years. This data is collected for the use of law enforcement agencies as regards investigations into serious crime or terrorism, but there are no detailed rules in the Directive governing the access to and use of the data by those authorities. The CJEU only found it necessary to address the question of the validity of the Directive in light of the Charter rights to privacy and data protection (Articles 7 and 8 of the Charter).

First of all, the Court unsurprisingly had no difficulty finding that the Directive interfered with the protection of those two rights. Its analysis focussed instead on whether such an interference could be justified.

The rules on justifying interferences with Charter rights are set out in Article 52 of the Charter. Any limitation upon Charter rights must be laid down by law, respect the essence of the right, and, subject to the principle of proportionality, limit rights and freedoms only if it is necessary and genuinely meets public interest objectives and the rights and freedoms of others. The Court easily found that there was a public interest justification (public safety) for the restriction of the Charter rights at issue. It also found that the ‘essence’ of the rights was not affected, because (as regards the right to privacy) the content of communications was not recorded, and (as regards the right to data protection) certain data processing and data security rules had to be respected.

Therefore the key issue in the Court’s ruling was the proportionality of the interference with Charter rights. The Court indicated that judicial review of the EU legislature’s discretion should be ‘strict’ in this case, applying factors such as the area of law concerned, the nature of the right, the nature and seriousness of the infringement and the objective pursued. Here, it followed from the nature of the right and the nature and seriousness of the infringement that the EU legislature’s discretion was reduced; the CJEU took no account expressly of the objective being pursued.

The first aspect of proportionality (the appropriateness of the interference with the right for obtaining the objective) was fulfilled, because the data concerned might be useful to investigations. However, the CJEU found that the Directive was problematic as regards the second facet: the necessity of the measure in question. Crucially the Court ruled that the important objective of investigating serious crime and terrorism did ‘not, in itself’ justify data retention. So for the CJEU, the safety of the people is not the supreme law.

Its analysis proceeded by setting out the general importance of safeguards as regards the protection of privacy and data protection rights (building upon the case law of the European Court of Human Rights). These safeguards are even more necessary when data is processed automatically, with a risk of unlawful access.

Applying this test, the Court gave three reasons why the rules on data retention in the Directive were not strictly necessary. First of all, the Directive had an extremely broad scope, given that it applied to all means of electronic communication, which have ‘widespread and growing importance’ in everyday life, without being sufficiently targeted. Indeed, it ‘entails an interference with the fundamental rights of practically the entire European population’. In other words (the Court does not use the term), it amounts to mass surveillance.

Secondly, besides the ‘general absence of limits’ in the Directive, it failed to limit access to the data concerned by law enforcement authorities, and the subsequent use of that data, sufficiently precisely. In particular: it referred generally to ‘serious crime’ as defined in national law; it did not restrict the purpose of subsequent access to that data; it did not limit the number of persons who could access the data; and it did not control access to the data by means of a court or other independent administrative authority.

Thirdly, the Directive did not set out sufficient safeguards, as regards: the data retention period, for instance as regards the categories of data to be retained for the whole period; the protection of the data from unlawful access and use (here the CJEU criticises the possible limits on protection measures due to reasons of cost); the absence of an obligation to destroy the data; and the omission of a requirement to retain the data within the EU only.


Comments


The CJEU reached the same conclusion as the Advocate-General’s opinion, but for different reasons. In the Advocate-General’s view, the Directive was invalid because it breached the ‘quality of law’ requirement applicable to interferences with Charter rights, having failed to establish sufficient safeguards relating to access to and use of the data. It also was disproportionate for failing to explain why storage periods of up to two years were necessary. The Court’s ruling appears to go further, by ruling out mass surveillance in principle.

The opinion discussed some interesting and important issues that the Court does not directly address, in particular: the existence of a ‘quality of law’ requirement as regards breaches of the Charter; whether the EU or the Member States have responsibility for ensuring the satisfaction of that requirement in this case; and the complications of the ‘legal base’ issue, ie the awkward point that inserting safeguards relating to law enforcement authorities might go beyond the ‘internal market’ legal base of the legislation. It might be deduced that the CJEU has a view on these issues: there is a ‘quality of law’ rule; the EU is responsible for upholding that requirement in this case; and the ‘legal base’ point is not a barrier to the EU adoption of rules regulating law enforcement authorities. But unfortunately, the Court did not expressly spell out its reasoning on these issues. It is certainly peculiar that, having ruled previously that the Directive was validly based on EU internal market powers, the CJEU rules here that its interference with Charter rights is justified by the objective of public safety.

As for the reasoning which the Court did provide, as usual it was easy to find public interest objectives for the interference with rights. The most important part of the reasoning is therefore the analysis of the interference with the ‘essence’ of the right, and of proportionality. It is very significant that the Court makes clear that these are two different issues: even if the essence of a right is respected, legislation can be disproportionate. Earlier case law on restriction of rights often seemed to suggest that respecting the essence of rights was sufficient.

Another important aspect of the judgment is the development of a doctrine indicating when strict scrutiny of the EU legislature’s interference with fundamental rights should apply. This is based upon Strasbourg case law, not the standards of national constitutional courts, which have of course addressed this issue in their own way. Obvious questions arise as to whether the same standards should apply to national implementation of EU law, or to Charter rights not based upon the ECHR.

While many data protection specialists argue that there is a fundamental distinction between the right to privacy and the right to data protection, the Court’s judgment only reflects that distinction to a limited degree. It assesses separately whether there is an interference with Articles 7 and 8 of the Charter, and whether the essence of each right has been affected. However, it made no distinction between the rights when assessing the required intensity of judicial review, and linked the two rights together when assessing the proportionality of the interference with them.


Consequences of the judgment


First and foremost, the data retention Directive is entirely invalid. The Court did not in any way rule that it could continue in force. So the immediate consequence is that we return to the status quo before 2005. This means that Member States have an option, not an obligation, to retain data pursuant to the e-privacy Directive (see further Chris Jones’ post on the background to the data retention Directive). However, Member States’ exercise of this option will still be subject to the requirements set out in this judgment, since their actions will fall within the scope of the Charter, given that the e-privacy Directive regulates the issue of interference with telecommunications.

Would it be possible for the EU to adopt a new Directive on mandatory data retention? In other words, can the Directive in some way be ‘fixed’?

First of all, since the 2006 Directive is entirely invalid, the EU legislature has to start from scratch, rather than amend it. Secondly, it is clear from the Court’s judgment that some form of mandatory data retention in order to combat serious crime and terrorism is acceptable from the perspective of the EU Charter.

How would such a new Directive differ from the measure the Court has just struck down? The Court sets out unusually detailed guidelines for the legislature (and, in the meantime, for national legislatures) in its judgment. First of all, any new Directive would have to be in some sense targeted upon communication which has a particular link with serious crime and terrorism. Very simply, mass surveillance is an unjustifiable infringement of Charter rights.

Secondly, a new Directive would have to contain rules on: the definition of ‘serious crime’; the purpose of subsequent access to the data; limits on the number of persons who could access the data; and control of access to the data by means of a court or other independent administrative authority.

Thirdly, the new Directive would have to include stronger rules on the data retention period, for instance as regards the categories of data to be retained for the whole period, as well as the protection of the data from unlawful access and use. It would also have to contain rules addressing the absence of an obligation to destroy the data, and require that data be retained within the EU only. The Court did not rule on whether subsequent processing of the data in third States would be acceptable, but logically there must be some rules on this issue too. Probably it would be simplest to extend the external processing rules in the main EU data protection legislation to this issue.

Depending on the timing of a proposal for a new Directive (assuming that there is one), it might possibly get mixed up with the conclusion of negotiations over the main data protection package being negotiated by the EU institutions. Alternatively, if those negotiations have concluded, they will establish a template that the negotiation of the new Directive can take account of.


Final comments


The Court’s judgment can be seen in the broader context of continued revelations about mass surveillance. Its reference to the retention of data by third States is a thinly-disguised allusion to the spying scandals emanating from the United States. It also responds, sotto voce, to the very great concerns of national constitutional courts about this Directive, discussed in detail in Chris Jones’ post on this issue.

More broadly, the CJEU has seized the chance to give an ‘iconic’ judgment on the protection of human rights in the EU legal order. Time will tell whether the Digital Rights judgment is seen as the EU’s equivalent of classic civil rights judgments of the US Supreme Court, on the desegregation of schools (Brown) or criminal suspects’ rights (Miranda). If the Charter ultimately contributes to the development of a ‘constitutional patriotism’ in the European Union, this judgment will be one of its foundations.


Barnard & Peers: chapter 9, chapter 25
