Matthew White, Ph.D candidate, Sheffield Hallam University
Should
governments be able to retain data on everyone’s use of the Internet and their
phones – because it might arguably aid the fight against terrorism and serious
crime? This ‘data retention’ issue raises fundamental questions about the
balance between privacy and security, at both national and EU level. Initially,
in the electronic privacy (e-Privacy) Directive, EU legislation set out
an option for Member States to adopt
data retention rules, as a derogation from the normal rule of confidentiality
of communications in that Directive. Subsequently, in 2006, at the urging of
the UK government in particular, the EU went a step further. It adopted the
Data Retention Directive (DRD), which required
telecom and Internet access providers to keep data on all use of the Internet
and phones in case law enforcement authorities requested it.
However,
on 8 April 2014, the Court of Justice of the European Union (CJEU) ruled that
the latter Directive went too far. In its Digital Rights Ireland
judgment (discussed here), that Court said that the EU’s Data Retention
Directive (DRD) was invalid in light of a lack of compliance with the rights to
privacy and data protection set out in Articles 7 and 8 of the EU Charter of
Fundamental Rights (CFR) (para 69 and 73). This left open an important
question: what happens to national
data retention laws? Can they also be challenged for breach of the EU Charter
rights, on the grounds that they are linked to EU law (the derogation in the
e-Privacy Directive)? If so, do the standards in the Digital Rights Ireland judgment apply by analogy?
Instead
of addressing this matter urgently, the United Kingdom government sat on its
hands for a while and then unprecedentedly
rushed through the Data Retention and Investigatory Powers
Act 2014 (DRIPA 2014). DRIPA 2014 was intended to be a reaction
to the Digital Rights Ireland ruling,
giving the UK as a matter of national
law the power to retain data that had been struck down by the CJEU as a matter
of EU law.
In
2015, Tom Watson (now the deputy leader of the UK Labour Party), David Davis (a
Conservative party backbencher) and others challenged s.1 of DRIPA 2014 arguing
that the powers to obligate data retention on public telecommunication
operators set out in that section of DRIPA did not sufficiently reflect what
the CJEU ruled in Digital Rights Ireland.
Although that CJEU ruling only applied to EU legislation, they argued that it
also applied by analogy to national legislation on data retention, since such
legislation fell within the scope of the option to retain communications data
set out in the derogation in the e-Privacy Directive, and so was linked to EU law
(and therefore covered by the Charter). Even though the e-Privacy Directive
only related to publicly available electronic communications services (Article
3(1)), it is submitted that any extension of the definition of public
telecommunications operator would fall within the Data Protection Directive,
and thus the CFR would still apply.
The High Court (HC) ruled in the claimants’ favour in Davis
where an order was made for s.1 of DRIPA to be disapplied by the 31st
of March 2016, insofar as it is incompatible with Digital Rights Ireland (para 122). This was in the hopes that it would give Parliament sufficient
time to come up with a CFR compliant data retention law (para 121).
The
government appealed
to the Court of Appeal (CoA) which took a radically
different approach maintaining that ‘the CJEU in Digital Rights Ireland was not
laying down definitive mandatory requirements in relation to retained
communications data’ (para 106). But for the sake of caution, the CoA made a
preliminary reference to the CJEU asking:
(1) Did the CJEU in Digital Rights Ireland intend to lay down mandatory
requirements of EU law with which the national legislation of Member States
must comply?
(2) Did the CJEU in Digital Rights Ireland intend to expand the effect of Articles
7 and/or 8, EU Charter beyond the effect of Article 8 ECHR as established in
the jurisprudence of the ECtHR?
The
CoA was not the only national court to make a preliminary reference to the CJEU
on matters regarding data retention and the reach of Digital Rights Ireland. On the 4th May 2015, the Force
was with Kammarrätten i Stockholm when it asked the CJEU:
(1) Is a general obligation to retain traffic data covering all persons, all means of
electronic communication and all traffic data without any distinctions,
limitations or exceptions for the purpose of combating crime (as described
[below under points 1-6]) compatible with Article 15(1) of Directive 2002/58/EC
[the electronic privacy Directive], taking account of Articles 7, 8 and 15(1)
of the Charter?
(2) If the answer to question 1 is in the negative, may the retention nevertheless be
permitted where:
access by the national authorities to the retained data is determined as [described
below under paragraphs 7-24], and
security requirements are regulated as [described below under paragraphs 26-31],
and all relevant data are to be retained for six months, calculated as from the day
the communication is ended, and subsequently deleted as [described below under
paragraphs 25]?
The
way in which the first question in Davis
and Watson is asked doesn’t specify whether the general obligation applies
to every service provider under the state’s jurisdiction or specific service
providers to retain what they individually process. The assumption is the
former as ‘all means of electronic
communication and all traffic data without
any distinctions’ implies a catch all to the relevant services. The Home
Secretary (and indeed the government) may argue that if the CJEU rules in the
negative (note that Article 15(1) of the e-Privacy Directive only applies to publicly available electronic
communications services, thus the justification for retaining data from
other services would have to be found in the Data Protection Directive (DPD))
it would mostly have affected cl.78 of the Investigatory
Powers Bill (IPB) (currently before Parliament)
which would grant the Secretary of State the power to issue retention notices
on a telecommunications operator or any number of operators to retain, e.g., any or
all data for 12 months, if the power in cl.1
of the draft
Communications Data Bill (dCDB) had been replicated. The
dCDB was a legislative measure introduced in 2012 to allow public authorities
to keep up to date with the sophistication of e-Crime. Clause 1 maintained
that:
1 Power to ensure or facilitate availability of data
(1) The Secretary of State may by order—
(a) ensure that communications data is available to be obtained from
telecommunications operators by relevant public authorities in accordance
with Part 2, or
(b) otherwise facilitate the availability of communications data to be so
obtained from telecommunications operators.
(2) An order under this section may, in particular—
(a) provide for—
(i) the obtaining (whether by collection, generation or otherwise) by
telecommunications operators of communications data,
(ii) the processing, retention or destruction by such operators of data so
obtained or other data held by such operators.
This measure was, however, abandoned because the Liberal Democrats (in the then
Coalition Government) did not approve of the far-reaching nature of the
proposal. With regard to cl.1, it clearly was a general power, as no distinction
was made on who the obligation to retain may fall upon, and thus it is
submitted that this power is analogous to the power which is the subject of the
question being asked of the CJEU. Clause 78(1) of the IPB, on the other hand,
makes the distinction that a data retention notice may require a telecommunications
operator to retain relevant communications data. There are, though, two possible
conflicts. The first, based on the assumption that the CJEU rules in the negative
(to the first question), is cl.78(2)(a) and (b). This gives the Secretary of State
the discretion to issue retention notices on any description of operators to
retain all or any description of data. This could be classed as a general
obligation because it could affect all telecommunications operators.
Secondly,
retention ‘without distinction’ or ‘exceptions’ may be important when it comes
to traffic data pertaining to journalists, politicians, and the medical and
legal professions. But because the reference doesn’t mention specific service
providers it cannot be said with certainty how much this would affect cl.78(1)
which doesn’t make distinctions or
exceptions.
When
it comes to limitations on data retention, there is at least one, which was
first noted in s.1(5) of DRIPA 2014 which allowed for a 12 month maximum period
of retention. This is replicated in cl.78(3) and takes on board the
recommendation of the Advocate
General’s opinion (AG) in Digital Rights Ireland (para 149).
The
President of the CJEU felt it was desirable to combine
both preliminary references. The questions of access by both
the Swedish and UK courts do not directly affect the cl.78 issuing of retention
notices (insofar as it at least doesn’t involve every telecommunications operator) nor does answering whether
Articles 7 and 8 were intended to extend beyond Article 8 ECHR jurisprudence. The
security arrangements are dealt with by cl.81 (whether they are adequate is a
different matter) and thus not relevant to the issuing of retention notices.
This,
however, proceeds on the assumption that the CJEU will rule in the negative to
the Swedish preliminary reference regarding retention being lawful for the
purposes of access, because if it
does not, cl.78(2)(a) and (b) would not be affected at all. Moreover, the HC in Davis
felt that the CJEU believed that data retention genuinely satisfied an objective of general interest (para 44) and
that it must be understood to have held that a general retention regime is
unlawful unless it is accompanied by
an access regime which has sufficiently stringent safeguards to protect
citizens' rights set out in Articles 7 and 8 of the CFR (para 70). The CoA was
silent on this matter, and therefore for the meantime, it is understood that
if the CJEU rules in the positive, cl.78 would not be affected as a matter of
EU law.
On
the matter of whether the HC or the CoA had interpreted Digital Rights Ireland correctly, it is important to highlight one
of the justifications for the CoA's conclusions. It maintained, in relation to
mandatory requirements, that the AG in his opinion was, at least, not looking
for the Directive to provide detailed regulation (para 77). Yet the CoA failed
to mention his conclusions, where it was stated that the DRD was invalid as a
result of the absence of sufficient regulation of the guarantees governing
access to the data collected/retained (by limiting access, if not solely to
judicial authorities, at least to independent authorities, or, failing that, by
making any request for access subject to review by the judicial authorities or
independent authorities; it should also have required a case-by-case
examination of requests for access in order to limit the data provided to what
is strictly necessary (para 127)), and that the DRD should be suspended until
the EU legislature adopts measures necessary to remedy the invalidity, but such
measures must be adopted within a reasonable period (para 157-158). So at least
in this regard the AG actually
supports the stance of the HC (even though no reference was made on this point)
and may therefore have had implications for the IPB (which does not require
judicial or independent authorisation/review) in relation to access to
communications data without a word
from the CJEU.
Many
thanks to Steve Peers for helpful comments on an earlier draft.
Photo credit: gizmondo.com.au