Steve Peers
Following the judgment of the Court of Justice of the European Union (CJEU) from April this year,
invalidating the EU’s data retention directive, several Member States’ courts
have declared their national law invalid. However, the UK government is going
in the other direction, tabling emergency legislation today in order to
retain data retention powers for the UK.
Does this proposed law fall within the scope of EU law? If
so, does it violate the EU Charter of Fundamental Rights? A previous post on this
blog assessed generally the question of how the judgment applies to national
data retention laws, and this post applies that analysis to the specific case
of the new UK bill.
First of all, according to Article 51 of the Charter as
interpreted by the CJEU, there must be a link between the national law and EU
law. In this case, the link is Article 15(1)
of the EU’s e-privacy Directive, which specifies that
Member States may restrict the rights in that Directive relating to the
confidentiality of communications, location and other traffic data and caller
identification:
'when
such restriction constitutes a necessary, appropriate and proportionate measure
within a democratic society to safeguard national security (i.e. State
security), defence, public security, and the prevention, investigation,
detection and prosecution of criminal offences or of unauthorised use of the
electronic communication system, as referred to in Article 13(1) of Directive
95/46/EC. To this end, Member States may, inter alia, adopt legislative
measures providing for the retention of data for a limited period justified on
the grounds laid down in this paragraph. All the measures referred to in this
paragraph shall be in accordance with the general principles of Community law,
including those referred to in Article 6(1) and (2) of the Treaty on European
Union.'
The
CJEU has recently confirmed that the EU Charter applies to derogations
from EU law. More specifically, the CJEU has ruled repeatedly on the
application of the Charter to cases where copyright holders have invoked this
clause of the e-privacy Directive to justify planned restrictions upon Internet
use (see most recently the Telekabel Wien judgment). So
logically there is equally a link between EU law and the invocation of this
clause for other purposes, most obviously in the criminal law context.
Does the proposed Bill constitute an invocation of this clause in the
e-privacy Directive? Not explicitly. But
there is no legal requirement that such an express link has to be made in the
national legislation concerned.
So let’s look at the wording of the Bill. Clause 1 allows the
government to draw up a statutory instrument that can require ‘a public
telecommunications operator to retain relevant communications data’. Clause
2(1) defines a ‘public telecommunications operator’ as ‘a person who (a)
controls or provides a public telecommunication system, or (b) provides a
public telecommunications service’. The Directive applies to (similarly defined)
providers of a ‘public
communications network’ or ‘electronic communications services’. The data being
retained would be ‘traffic data’ as defined by earlier UK law, whereas the rule
in the e-privacy directive also applies to traffic data. The purposes for which
the data would be retained in part match those referred to in the Directive,
most obviously as regards national security, crime, disorder and public safety.
So to the extent that
there is a correspondence between the data being retained, the body retaining
it, and the purposes for retaining it, the UK Bill will, if enacted, be linked
to EU law, and therefore the EU Charter of Fundamental Rights. There will
clearly be such a correspondence in many cases.
The second question is
whether the new UK law would violate the Charter. To a large extent, it will be
difficult to be certain on this point until the statutory instrument is
proposed and adopted, since the Bill would only confer broad powers to act on
the government. But Clause 1(2) of the Bill does provide that the telecoms
companies might be required to collect ‘all’ data as defined by the future Act.
If that means that
untargeted data might be collected, that brings us to the question of what the
EU’s data retention judgment actually means. Does it ban mass surveillance in
general, or simply require that such surveillance be subject to safeguards? If
the latter, narrower meaning is correct, such safeguards could be provided for
either in this Bill and/or in the statutory instrument.
According to the CJEU,
the safeguards missing from the data retention directive were: a definition of ‘serious crime’; the purpose of
subsequent access to the data; limits on the number of persons who could access
the data; control of access to the data by means of a court or other
independent administrative authority; stronger rules on the data retention
period, for instance as regards the categories of data to be retained for the
whole period, as well as the protection of the data from unlawful access and
use; rules on an obligation to destroy the data; and an obligation to retain
the data within the EU only.
Clause 1(4) of the Bill sets
out a non-exhaustive list of certain safeguards which the government could include in a statutory instrument.
This list partly, but not wholly, corresponds to the list of safeguards
referred to in the CJEU judgment. In order to satisfy the CJEU, the subsequent
act will have to include all of the relevant safeguards to a satisfactory standard.
But even if all such
safeguards are indeed provided for, I have argued previously that the broader
interpretation of the Court’s judgment is correct: no mass surveillance is
possible. If that is correct, then the provision in the draft Bill to permit a
requirement to collect ‘all’ data is inherently suspect, and it would certainly
be a breach of EU law to require telecom providers to retain all traffic data within the scope of the
e-privacy Directive without some form of further targeting.
In conclusion, much of the
UK’s draft Bill would, if adopted, fall within the scope of EU law, and therefore
the Charter of Rights. It is possible, depending on the future statutory
instrument, that the rules, when applied, will comply with the data retention safeguards
demanded by the CJEU. But the government’s intention, as manifested by the
Bill, to reinstitute mass surveillance of telecoms traffic data is a clear
breach of the EU Charter of Fundamental Rights.
Barnard & Peers: chapter 6, chapter 9
No comments:
Post a Comment