Wednesday, 16 March 2016

Data retention and national law: whatever the CJEU rules, data retention may still survive!

Matthew White, Ph.D candidate, Sheffield Hallam University

Should governments be able to retain data on everyone’s use of the Internet and their phones – because it might arguably aid the fight against terrorism and serious crime? This ‘data retention’ issue raises fundamental questions about the balance between privacy and security, at both national and EU level. Initially, in the electronic privacy (e-Privacy) Directive, EU legislation set out an option for Member States to adopt data retention rules, as a derogation from the normal rule of confidentiality of communications in that Directive. Subsequently, in 2006, at the urging of the UK government in particular, the EU went a step further. It adopted the Data Retention Directive (DRD), which required telecom and Internet access providers to keep data on all use of the Internet and phones in case law enforcement authorities requested it.

However, on 8 April 2014, the Court of Justice of the European Union (CJEU) ruled that the latter Directive went too far. In its Digital Rights Ireland judgment (discussed here), that Court said that the EU’s Data Retention Directive (DRD) was invalid in light of a lack of compliance with the rights to privacy and data protection set out in Articles 7 and 8 of the EU Charter of Fundamental Rights (CFR) (para 69 and 73). This left open an important question: what happens to national data retention laws? Can they also be challenged for breach of the EU Charter rights, on the grounds that they are linked to EU law (the derogation in the e-Privacy Directive)? If so, do the standards in the Digital Rights Ireland judgment apply by analogy?

Instead of addressing this matter urgently, the United Kingdom government sat on its hands for a while and then unprecedentedly rushed through the Data Retention and Investigatory Powers Act 2014 (DRIPA 2014). DRIPA 2014 was intended to be a reaction to the Digital Rights Ireland ruling, giving the UK as a matter of national law the power to retain data that had been struck down by the CJEU as a matter of EU law.

In 2015, Tom Watson (now the deputy leader of the UK Labour Party), David Davis (a Conservative party backbencher) and others challenged s.1 of DRIPA 2014 arguing that the powers to obligate data retention on public telecommunication operators set out in that section of DRIPA did not sufficiently reflect what the CJEU ruled in Digital Rights Ireland. Although that CJEU ruling only applied to EU legislation, they argued that it also applied by analogy to national legislation on data retention, since such legislation fell within the scope of the option to retain communications data set out in the derogation in the e-Privacy Directive, and so was linked to EU law (and therefore covered by the Charter). Even though the e-Privacy Directive only related to publicly available electronic communications services (Article 3(1)), it is submitted that any extension of the definition of public telecommunications operator would fall within the Data Protection Directive, and thus the CFR would still apply. The High Court (HC) ruled in the claimants’ favour in Davis where an order was made for s.1 of DRIPA to be disapplied by the 31st of March 2016, insofar as it is incompatible with Digital Rights Ireland (para 122). This was in the hopes that it would give Parliament sufficient time to come up with a CFR compliant data retention law (para 121).

The government appealed to the Court of Appeal (CoA) which took a radically different approach maintaining that ‘the CJEU in Digital Rights Ireland was not laying down definitive mandatory requirements in relation to retained communications data’ (para 106). But for the sake of caution, the CoA made a preliminary reference to the CJEU asking:

(1) Did the CJEU in Digital Rights Ireland intend to lay down mandatory requirements of EU law with which the national legislation of Member States must comply?

(2) Did the CJEU in Digital Rights Ireland intend to expand the effect of Articles 7 and/or 8, EU Charter beyond the effect of Article 8 ECHR as established in the jurisprudence of the ECtHR?  

The CoA was not the only national court to make a preliminary reference to the CJEU on matters regarding data retention and the reach of Digital Rights Ireland. On the 4th May 2015, the Force was with Kammarrätten i Stockholm when it asked the CJEU:

Is a general obligation to retain traffic data covering all persons, all means of electronic communication and all traffic data without any distinctions, limitations or exceptions for the purpose of combating crime (as described [below under points 1-6]) compatible with Article 15(1) of Directive 2002/58/EC [the electronic privacy Directive], taking account of Articles 7, 8 and 15(1) of the Charter?

If the answer to question 1 is in the negative, may the retention nevertheless be permitted where:

access by the national authorities to the retained data is determined as [described below under paragraphs 7-24], and

security requirements are regulated as [described below under paragraphs 26-31],

and all relevant data are to be retained for six months, calculated as from the day the communication is ended, and subsequently deleted as [described below under paragraphs 25]?

The way in which the first question in Davis and Watson is asked doesn’t specify whether the general obligation applies to every service provider under the state’s jurisdiction or to specific service providers to retain what they individually process. The assumption is the former, as ‘all means of electronic communication and all traffic data without any distinctions’ implies a catch-all for the relevant services. The Home Secretary (and indeed the government) may argue that if the CJEU rules in the negative (note that Article 15(1) of the e-Privacy Directive only applies to publicly available electronic communications services, thus the justification for retaining data from other services would have to be found in the Data Protection Directive (DPD)) it would mostly have affected cl.78 of the Investigatory Powers Bill (IPB) (currently before Parliament), which would grant the Secretary of State the power to issue retention notices on a telecommunications operator or any number of operators to retain, e.g., any or all data for 12 months, if the power in cl.1 of the draft Communications Data Bill (dCDB) had been replicated. The dCDB was a legislative measure introduced in 2012 to allow public authorities to keep up to date with the sophistication of e-Crime. Clause 1 maintained that:

1 Power to ensure or facilitate availability of data
(1) The Secretary of State may by order—
(a) ensure that communications data is available to be obtained from telecommunications operators by relevant public authorities in accordance with Part 2, or
(b) otherwise facilitate the availability of communications data to be so obtained from telecommunications operators.
(2) An order under this section may, in particular—
(a) provide for—
(i) the obtaining (whether by collection, generation or otherwise) by telecommunications operators of communications data,
(ii) the processing, retention or destruction by such operators of data so obtained or other data held by such operators.

This measure was, however, abandoned because the Liberal Democrats (in the then Coalition Government) did not approve of the far-reaching nature of the proposal. In regard to cl.1, it clearly was a general power, as no distinction was made on who the obligation to retain may fall upon, and thus it is submitted that this power is analogous to the power which is the subject of the question being asked of the CJEU. Clause 78(1) of the IPB, on the other hand, makes the distinction that a data retention notice may require a telecommunications operator to retain relevant communications data. There are, though, two possible conflicts. The first, based on the assumption that the CJEU rules in the negative (to the first question), is cl.78(2)(a) and (b). This gives the Secretary of State the discretion to issue retention notices on any description of operators to retain all or any description of data. This could be considered a general obligation because it could affect all telecommunications operators.

Secondly, retention ‘without distinction’ or ‘exceptions’ may be important when it comes to traffic data pertaining to journalists, politicians, and the medical and legal professions. But because the reference doesn’t mention specific service providers, it cannot be said with certainty how much this would affect cl.78(1), which doesn’t make distinctions or exceptions.

When it comes to limitations on data retention, there is at least one, which was first noted in s.1(5) of DRIPA 2014, which allowed for a 12-month maximum period of retention. This is replicated in cl.78(3) and takes on board the recommendation in the Advocate General’s (AG) opinion in Digital Rights Ireland (para 149).

The President of the CJEU felt it was desirable to combine both preliminary references. The questions of access by both the Swedish and UK courts do not directly affect the cl.78 issuing of retention notices (insofar as it at least doesn’t involve every telecommunications operator), nor does answering whether Articles 7 and 8 were intended to extend beyond Article 8 ECHR jurisprudence. The security arrangements are dealt with by cl.81 (whether they are adequate is a different matter) and thus not relevant to the issuing of retention notices.

This, however, proceeds on the assumption that the CJEU will rule in the negative to the Swedish preliminary reference regarding retention being lawful for the purposes of access, because if it does not, cl.78(2)(a) and (b) would not be affected at all. Moreover, the HC in Davis felt that the CJEU believed that data retention genuinely satisfied an objective of general interest (para 44) and that it must be understood to have held that a general retention regime is unlawful unless it is accompanied by an access regime which has sufficiently stringent safeguards to protect citizens' rights set out in Articles 7 and 8 of the CFR (para 70). The CoA was silent on this matter, and therefore, for the meantime, it is understood that if the CJEU rules in the positive, cl.78 would not be affected as a matter of EU law.

On the matter of whether the HC or the CoA had interpreted Digital Rights Ireland correctly, it is important to highlight one of the justifications for the CoA’s conclusions. It maintained, in relation to mandatory requirements, that the AG, in his opinion, was at least not looking for the Directive to provide detailed regulation (para 77). Yet the CoA failed to mention his conclusions, where it was stated that the DRD was invalid as a result of the absence of sufficient regulation of the guarantees governing access to the data collected/retained (by limiting access, if not solely to judicial authorities, at least to independent authorities, or, failing that, by making any request for access subject to review by the judicial authorities or independent authorities, and it should have required a case-by-case examination of requests for access in order to limit the data provided to what is strictly necessary (para 127)), and that the DRD should be suspended until the EU legislature adopts measures necessary to remedy the invalidity, but such measures must be adopted within a reasonable period (para 157-158). So at least in this regard the AG actually supports the stance of the HC (even though no reference was made on this point) and may therefore have had implications for the IPB (which does not require judicial or independent authorisation/review) in relation to access to communications data without a word from the CJEU.

Many thanks to Steve Peers for helpful comments on an earlier draft.
