Thursday, 10 July 2014

Does the UK’s new data retention bill violate the EU Charter of Fundamental Rights?

Steve Peers

Following the judgment of the Court of Justice of the European Union (CJEU) from April this year, invalidating the EU’s data retention directive, several Member States’ courts have declared their national law invalid. However, the UK government is going in the other direction, tabling emergency legislation today in order to retain data retention powers for the UK.  

Does this proposed law fall within the scope of EU law? If so, does it violate the EU Charter of Fundamental Rights? A previous post on this blog assessed generally the question of how the judgment applies to national data retention laws, and this post applies that analysis to the specific case of the new UK bill.

First of all, according to Article 51 of the Charter as interpreted by the CJEU, there must be a link between the national law and EU law. In this case, the link is Article 15(1) of the EU’s e-privacy Directive, which specifies that Member States may restrict the rights in that Directive relating to the confidentiality of communications, location and other traffic data and caller identification:

'when such restriction constitutes a necessary, appropriate and proportionate measure within a democratic society to safeguard national security (i.e. State security), defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system, as referred to in Article 13(1) of Directive 95/46/EC. To this end, Member States may, inter alia, adopt legislative measures providing for the retention of data for a limited period justified on the grounds laid down in this paragraph. All the measures referred to in this paragraph shall be in accordance with the general principles of Community law, including those referred to in Article 6(1) and (2) of the Treaty on European Union.'

The CJEU has recently confirmed that the EU Charter applies to derogations from EU law. More specifically, the CJEU has ruled repeatedly on the application of the Charter to cases where copyright holders have invoked this clause of the e-privacy Directive to justify planned restrictions upon Internet use (see most recently the Telekabel Wien judgment). So logically there is equally a link between EU law and the invocation of this clause for other purposes, most obviously in the criminal law context.

Does the proposed Bill constitute an invocation of this clause in the e-privacy Directive?  Not explicitly. But there is no legal requirement that such an express link has to be made in the national legislation concerned.

So let’s look at the wording of the Bill. Clause 1 allows the government to draw up a statutory instrument that can require ‘a public telecommunications operator to retain relevant communications data’. Clause 2(1) defines a ‘public telecommunications operator’ as ‘a person who (a) controls or provides a public telecommunication system, or (b) provides a public telecommunications service’. The Directive applies to (similarly defined) providers of a ‘public communications network’ or ‘electronic communications services’. The data being retained would be ‘traffic data’ as defined by earlier UK law, and the rule in the e-privacy Directive likewise applies to traffic data. The purposes for which the data would be retained in part match those referred to in the Directive, most obviously as regards national security, crime, disorder and public safety.

So to the extent that there is a correspondence between the data being retained, the body retaining it, and the purposes for retaining it, the UK Bill will, if enacted, be linked to EU law, and therefore the EU Charter of Fundamental Rights. There will clearly be such a correspondence in many cases.

The second question is whether the new UK law would violate the Charter. To a large extent, it will be difficult to be certain on this point until the statutory instrument is proposed and adopted, since the Bill would only confer on the government broad powers to act. But Clause 1(2) of the Bill does provide that the telecoms companies might be required to collect ‘all’ data as defined by the future Act.

If that means that untargeted data might be collected, that brings us to the question of what the EU’s data retention judgment actually means. Does it ban mass surveillance in general, or simply require that such surveillance be subject to safeguards? If the latter, narrower meaning is correct, such safeguards could be provided for either in this Bill and/or in the statutory instrument.

According to the CJEU, the safeguards missing from the data retention directive were: a definition of ‘serious crime’; the purpose of subsequent access to the data; limits on the number of persons who could access the data; control of access to the data by means of a court or other independent administrative authority; stronger rules on the data retention period, for instance as regards the categories of data to be retained for the whole period, as well as the protection of the data from unlawful access and use; rules on an obligation to destroy the data; and an obligation to retain the data within the EU only.

Clause 1(4) of the Bill sets out a non-exhaustive list of certain safeguards which the government could include in a statutory instrument. This list partly, but not wholly, corresponds to the list of safeguards referred to in the CJEU judgment. In order to satisfy the CJEU, the subsequent act will have to include all of the relevant safeguards to a satisfactory standard.

But even if all such safeguards are indeed provided for, I have argued previously that the broader interpretation of the Court’s judgment is correct: no mass surveillance is possible. If that is correct, then the provision in the draft Bill to permit a requirement to collect ‘all’ data is inherently suspect, and it would certainly be a breach of EU law to require telecom providers to retain all traffic data within the scope of the e-privacy Directive without some form of further targeting.

In conclusion, much of the UK’s draft Bill would, if adopted, fall within the scope of EU law, and therefore the Charter of Rights. It is possible, depending on the future statutory instrument, that the rules, when applied, will comply with the data retention safeguards demanded by the CJEU. But the government’s intention, as manifested by the Bill, to reinstitute mass surveillance of telecoms traffic data is a clear breach of the EU Charter of Fundamental Rights.

Barnard & Peers: chapter 6, chapter 9
