Matthew
White, Ph.D candidate, Sheffield Hallam University
Introduction
Has an Advocate General (AG) in
the Court of Justice of the EU unleashed the power of the European Convention
on Human Rights (ECHR)? On 19 July 2016, the AG gave his Opinion in the joined
cases of C‑203/15
and C‑698/15
Watson and Tele2. The AG felt that
general data retention obligations
imposed by Member States may be compatible with fundamental rights
enshrined in EU law, provided that there are robust safeguards (para 7). This
post briefly outlines the background (for a more detailed background, see Professor Lorna Woods’s take) to this case whilst
highlighting aspects relating to the ECHR and that some of the AG’s conclusions
become self defeating for requiring EU law to be no less stringent than the
ECHR.
Background
Case
C‑203/15
A day after Digital
Rights Ireland (where the Court of Justice of
the European Union (CJEU) ruled that the EU’s Data Retention Directive (DRD)
was invalid for being incompatible with the Charter of Fundamental Rights
(CFR)), the first claimant, Tele2, notified the Swedish Post and Telecommunications
Authority (PTS) of its decision to cease retaining data in Chapter 6 of the LEK
(the relevant Swedish law) with the aim of deleting (para 50). The National
Police Board (RPS) complained to the PTS about Tele2’s actions as having
serious consequences for law enforcement activities (para 51). PTS ordered
Tele2 to resume retention in accordance with Chapter 6 (para 52), to which
Tele2 appealed to the Stockholm Administrative Court (SAC) but lost (para
53). Tele2 then sought to appeal against
the SAC (para 54), but the Stockholm Administrative Court of Appeal (SACA) felt
making a preliminary reference to the CJEU would be more appropriate where it
asked:
·
Is
a general obligation to retain all traffic data indiscriminately compatible
with Art.15(1) of the (ePrivacy) Directive (Directive) and Articles 7, 8
and 52(1) of the CFR?
·
If
no, is such an obligation nevertheless permitted where:
§ access by national authorities
was governed in a specified manner, and
§ the protection and security of
data are regulated in a specified manner, and
§ all relevant data is retained for
six months?
Case
C‑698/15
I previously blogged on the situation in the UK, but
will make a quick summary for the purposes of this post (or alternatively see
paras 56-60 of the Opinion). The UK responded to Digital Rights Ireland by introducing the Data Retention
Investigatory Powers Act 2014 (DRIPA 2014). This was successfully challenged in
the High Court by Tom Watson MP and David Davis MP. But the success was short
lived when the Court of Appeal disagreed with the High Court, but made a
preliminary reference to the CJEU asking:
·
Did
the CJEU in Digital Rights Ireland intend to lay down mandatory requirements of
EU law with which the national legislation of Member States must comply?
·
Did
the CJEU in Digital Rights Ireland intend to expand the effect of Articles 7
and/or 8, EU Charter beyond the effect of Article 8 ECHR as established in the
jurisprudence of the ECtHR?
AG’s
Opinion
Asking
the wrong question?
The AG initially dealt with the
question regarding whether Digital Rights
Ireland extended the scope of Article 7 and/or Article 8 of the CFR beyond
that of Article 8 of the ECHR. The AG considered this question inadmissible
(para 70 and 83) because that possibility was not directly relevant to the
resolution of the current dispute (para 75). The AG admitted that the first
sentence of Article 52(3) (which lays down rules of interpretation) of the CFR
makes clear that any corresponding rights must be the same in meaning and scope
to that of the ECHR (para 77). But highlighted, the second sentence of Article
52(3), can permit CJEU to extend the scope of the CFR beyond that of the ECHR
(para 78). The ECHR has always been a minimum benchmark as in Trucl and Others v
Slovenia it was noted that ‘rights
guaranteed by the Convention represented minimum
standards’ (para 115). Thus if the EU did acceded to the ECHR (and even if
it did not), with or without the second sentence Article 52(3), the CJEU would
be free to extend the scope CFR as it saw fit. Therefore in agreement with the
AG, the Court of Appeal asked the wrong question.
Lack
of corresponding right means rules of interpretation does not apply?
Another important aspect was pointed out by the AG, who maintained that
Article 8 of the CFR has no ECHR corresponding right and therefore the rules of
interpretation laid out in the first sentence of Article 52(3) does not apply
(para 79). However, there is cause for slight disagreement on this
interpretation of Article 52(3). While the High Court admitted that protection of
personal data fell within the ambit of Article 8 of the ECHR, they felt Article
8 of the CFR went beyond this because it was more specific and the ECHR had no
counterpart (para 80). However, the High Court did so without actually
considering Article 8 ECHR case law, therefore their conclusions did not appear
to based on anything but mere conjecture and the wording of Article 8 CFR. This was also questioned by Stalla-Bourdillon because it
appeared the High Court followed this interpretation based on there not being
an ECHR counterpart. But on closer inspection, as Stalla-Bourdillon
highlighted, there is extensive Article 8 case law on the protection of personal
data, which is suggested, does in fact correspond with Article 8 CFR.
Therefore, both the High Court and AG has fallen prey to only considering the
provisions of the ECHR and not the European Court of Human Rights’s (ECtHR) interpretation of those provisions, thus
substance over form seemingly prevailed.
It is suggested because there is such extensive case law
on the protection of personal data in light of Article 8 ECHR, it is only right
that it should be used as a guide
when considering Article 8 CFR. Article 52(3) notes that ‘the meaning and scope of those rights shall be the same as those laid down by
the said Convention.’ In PPU
J McB v LE
the CJEU held that not only does the rights set out in ECHR are to correspond,
but also the meaning given through the ECtHR’s jurisprudence (para 53) (see also). In Schecke the CJEU held that:
[T]he
right to respect for private life with regard to the processing of personal
data, recognised by Articles 7 and 8 of the Charter, concerns any information
relating to an identified or identifiable individual...and the limitations
which may lawfully be imposed on the right to the protection of personal data correspond to those tolerated in relation to
Article 8 of the Convention.’(para 52).
It has been maintained that such
an interpretation can be problematic because the CJEU has allowed
Article 8 CFR to be absorbed by Article 7. However, this does not and would not
weaken the stance that Article 8 CFR as a standalone right should be
interpreted (where possible) in accordance with principles of data protection
embedded within the ECtHR’s jurisprudence. Read as a whole, Article 52(3) would
therefore be properly adhered to, and would also allow the CJEU to deviate, if
need be, to offer a higher standard of protection.
A
general obligation to retain:
The AG then considered whether
Article 15(1) of the Directive allowed Member States to impose a general data
retention obligation (para 84) by establishing whether such an obligation fell
within the scope of the Directive (para 86). The Czech, French, Polish and
United Kingdom Governments all contended that data retention was excluded by
Article 1(3) (which excludes matters such as public security, defence, State
security from the scope of the Directive) (para 88). However, the AG rejected
this by highlighting that:
·
Article
15(1) governed precisely that (retention of data) (para 90),
·
Provisions
of access falling within Article 1(3) does not preclude retention from falling
within Article 1(3) (para 92-94),
·
The
approach taken by the CJEU in Ireland
v Parliament and Council
meant that general data obligations were not within the scope of criminal law
(para 95).
When it came to the issue of
whether the Directive applied the AG referred to the Member States
‘entitlement’ under Article 15(1) i.e. Member States have a choice (para 106).
The AG then referred to Recital 11 of the Directive which did not alter the
balance between an individual’s right to privacy and the possibility of Member
States to take measures necessary for the protection of public security etc
(para 107). Moreover, the AG highlighted that the Directive did not alter the ability
of Member States to carry out lawful interception of electronic communications,
or take other measures, if necessary for any of these purposes and in accordance with the ECHR (para 107).
The AG opined that general data retention obligations were consistent with the
Directive and therefore Member States were entitled to avail themselves of that
possibility under Article 15(1), subject not only to its requirements, but that
of the CFR in light of Digital Rights
Ireland (para 116). Although the AG felt that general obligations of data
retention were permissible under EU law (subject to restrictions), an avenue
was created for testing the general obligations itself under the ECHR.
In
accordance with the law? But does this
not defeat the AG’s premise?
When the AG considered the
requirement for legal basis in national law, he invited that CJEU to confirm
that the interpretation of ‘provided for by law’ in Article 52(1) CFR accorded
with that of the ECtHR’s jurisprudence on a measure being ‘in accordance with
the law’(para 134-137). The AG highlighted that the ECtHR has developed a
substantial body of jurisprudence on the matter which could be summarised as
follows:
·
A
legal basis that is adequately accessible and foreseeable i.e. the law is
formulated with sufficient precision to enable the individual — if need be with
appropriate advice — to regulate their conduct,
·
This
legal basis must provide adequate protection against arbitrary interference,
and
·
Must
define with sufficient clarity the scope and manner of exercise of the power
conferred on the competent authorities (para 139).
The AG was of the opinion that
‘provided for by law’ in Article 52(1) CFR needs to be the same as that
ascribed to it in connection with the ECHR (para 140). The AG’s reasoning was
as follows:
·
Article
53 CFR explains that its provisions must never
be inferior to what is guaranteed by the ECHR and therefore the CFR must at least be as stringent as the ECHR
(para 141),
·
It
would be inappropriate to impose different criteria on the Member States
depending on which of those two instruments was under consideration (para 142).
The AG felt that general data
retention obligations must be founded on a legal basis that is adequately
accessible and foreseeable and provides adequate protection against arbitrary
interference (para 143). This would solve the problem of the CJEU falling into
‘the trap of tautologically
regarding a legal norm, the validity of which is being questioned, as being
allegedly in accordance with the law because it is a law.’
This then raises the interesting
issue, if this is the preferred interpretation, how could a general obligation
to retain data not amount to
arbitrary interference? The AG later admits that the disadvantage of this general
obligation arises ‘from the fact that the vast
majority of the data retained will relate to persons who will never be
connected in any way with serious crime’ (para 252). If the vast majority
of data retained is of individuals who are unrelated to any serious crime, how
could this even be suggested to not
be arbitrary?
If in line with the ECtHR’s
jurisprudence, that for a measure to be in accordance with the law, a measure
must be sufficiently precise so individuals can regulate their conduct, how
could this square with general obligations to retain data which occurs irrespective of conduct? The ECtHR’s
Grand Chamber in Zakharov v Russia
maintained that
the ‘automatic storage for six months of clearly
irrelevant data cannot be considered justified under Article 8’ (para 255).
As the AG indicated, most data retained will have no relation to the fight
against serious crime and therefore, in line with Zakharov, cannot be
justified under Article 8. Member States would then have to justify why most
data unrelated to serious crime is relevant to
the fight against serious crime. In stressing that Article 52(1) should
reflect the ECtHR’s jurisprudence the AG may have undermined his own position
when believing that general obligations to retain data were permissible under
EU law by unleashing the ECHR in terms of Recital 11 and the interpretation of
‘provided for by law.’
Data
retention does not adversely affect the essence of the right, or does it, or
should it?
The AG listed six requirements a
general data retention obligation must meet to be justified, one of such is
that it ‘must observe the essence of the rights enshrined in the Charter’ (para
132). The AG recalled that Article 52(1) CFR provides that any limitation to
the rights enshrined must respect the essence of those rights and freedoms
(para 155). The AG referred to para 39 of Digital
Rights Ireland where the CJEU held that the DRD did not adversely affect
Article 7 CFR since it did not permit the acquisition of knowledge of the
content of the electronic communications as such (para 156). The AG felt this
also applied to the current case (para 157) and this was equally the case for
Article 8 CFR (paras 158-9) but ultimately left it for the CJEU to decide (para
160).
However, the AG later contradicts
his own opinion when considering the disadvantages of data retention. The AG
accepted that ‘a general data retention obligation will facilitate equally serious interference as targeted
surveillance measures, including those which
intercept the content of communications’ (para 254). The AG stopped short
of referring to data retention as mass surveillance, but instead referred to it
as mass interference (para 255) and that it affected a substantial portion, if
not all of the relevant population (para 256). The AG even went further by
describing with the example of an individual who access retained data (instead
of analysing content) to screen out those within the Member State who have a
psychological disorder or any field specialist medicine (para 257). The AG
continues, this same person who sought to find out who opposed government
policies, could do so with the possibility of identifying individuals taking
part in public demonstrations against the government (para 258).
The AG agreed with the position
of several civil society groups, the Law Society and United Nations High
Commissioner for Human Rights that the ‘risks associated with access to
communications data (or ‘metadata’) may
be as great or even greater than those arising from access to the content of
communications’ (para 259). The AG further added that the examples given
demonstrate that ‘metadata’ can facilitate ‘the almost instantaneous
cataloguing of entire populations, something
which the content of communications does not’ (para 259). The AG also added
that there is was nothing theoretical about the risks of abuse or illegal
access to retained data (based on the number of requests by Swedish and UK
authorities) and that such risk of ‘illegal access on the part of any person, is as substantial as the existence of
computerised databases is extensive’ (para 260).
Considering the incredible detail
the AG went to describe the risks posed by the retention of data, it makes
little sense to have the opinion that a general data retention obligation does
not adversely affect the essence of the right. The AG and CJEU in Digital Rights Ireland premise of this
was based on the idea that communications data would not permit acquisition of
knowledge of the content of the electronic communications. Yet the AG described
in great detail the amount of knowledge that could be gained from
communications data. And it is this acquisition of knowledge that is the
important factor, the AG described the example of the ability of gaining
sensitive knowledge without analysing
the content. And so the AG, like the CJEU has created an arbitrary distinction
that although the same knowledge can be gained from communications data or
content, it is only access to content that
could adversely affect the essence of the right (para 94). If it is acknowledged
that similar knowledge can be gained from both measures, the CJEU and indeed
the AG has not sufficient explained this differential treatment. Furthermore,
by only considering that access to content adversely affects the essence of the
right, this would promote the use of retention and access to communications
data to a greater degree which as the AG admits, can provide far richer information than content.
Indiscriminate
data retention maybe EU compliant, but not ECHR compliant
The AG highlighted that the CJEU
in Digital Rights Ireland pointed out
that the DRD covered all users and all traffic data without differentiation or
limitation (para 197). The AG described what the CJEU considered the practical
implications of the absence of differentiation i.e. concerning those with no
link to serious crime, no relationship between retention and threat to public
security, and no temporal, geographical and associate based restriction (para
198). The AG concluded that the CJEU did not hold that the absence of
differentiation in itself went beyond what was strictly necessary (para 199).
The AG justified this one four
grounds, firstly, the CJEU ruled the DRD as invalid because of the cumulative effects of generalised data
retention and the lack of safeguards which sought to limit what strictly
necessary for the interference with Article 7 and 8 CFR (paras 201-202).
Secondly, in light of Schrems (para 93) the AG inferred again
that only general data retention obligations accompanied by sufficient
safeguards would be EU law compatible (para 205). Thirdly, the AG felt national
measures should be scrutinised at a national level, where the national courts
should rigorously verify whether general data retention obligations are the
most effective at fighting serious crime i.e. whether there are other less
intrusive alternatives (paras 209-210). Fourthly, the AG agreed with the
Estonian Government that limiting data retention to a particular geographical
area may cause a geographical shift in criminal activity (para 214).
Considering indiscriminate data
retention as permissible under EU law if there is a sufficiently robust
safeguard mechanism creates problems with the ECHR. In the case of S and Marper v
United Kingdom the issue at hand was the
retention of finger print and DNA records. In finding the retention regime
incompatible with Article 8 (para 126) the ECtHR was struck by blanket and
indiscriminate nature of the power because:
[119]
material may be retained irrespective of the nature or
gravity of the offence with which the individual was originally suspected
or of the age of the suspected offender...
[122]
Of particular concern in
the present context is the risk of stigmatisation, stemming from the fact that persons in the position of the applicants,
who have not been convicted of any offence and are entitled to the presumption
of innocence, are treated in the same way as convicted persons...
[125]
In conclusion, the Court
finds that the blanket and indiscriminate nature of the powers of retention of
the fingerprints, cellular samples and DNA profiles of persons suspected but
not convicted of offences, as applied in the case of the present applicants, fails to strike a fair balance between
the competing public and private interests and that the respondent State has overstepped any acceptable margin of
appreciation in this regard. Accordingly, the retention at issue
constitutes a disproportionate interference with the applicants’ right to
respect for private life and cannot be regarded as necessary in a democratic
society. This conclusion obviates the
need for the Court to consider the applicants’ criticism regarding the adequacy
of certain particular safeguards, such as too broad an access to the personal
data concerned and insufficient protection against the misuse or abuse of such
data.
S and
Marper’s significance has been linked to data retention, and therefore
it is important to apply the principles to the AG’s Opinion. The ECtHR
criticised the UK regime for not distinguishing between those who had been
suspected and those who had committed offences. Regarding data retention
obligations, this indiscriminate power is more profound because suspicion would
not be a necessary component for the justification of retention. As the AG
highlighted, most data retained is of individuals who bare no relation to
serious crime and therefore creates issue with the presumption of innocence to
an unacceptable level. The most important aspect of the ECtHR’s reasoning in S and Marper was that the retention itself was contrary to the Convention without having to consider the
safeguards that may have been in place. This is direct contrast with Digital Rights Ireland and the AG’s
Opinion.
Regarding the fourth point, it is
submitted that the Estonian Government and the AG misunderstood how data
retention and location data works in practice. It is not the physical area that
is the important factor, but the location of the device in question at a particular time. This was apparent in Uzun v Germany
when the ECtHR
described Global Positioning System (GPS) as allowing ‘continuous location,
without lapse of time, of objects
equipped with a GPS receiver anywhere on earth, with a maximum tolerance of
50 metres at the time’ (para 12-13). This is all the more relevant as location
data is becoming more and more sophisticated. Therefore applying a data
retention obligation in a specific geographical area creates a false premise as
the obligation on the service provider is to keep record of the location data
of a device when it’s service is used (which will indicate where an individual
might be) irrespective of geographical area. Furthermore a targeted data
retention approach would not be confined to a geographical as such, but to
criminal activity (based on individual use of device and service) within a
particular area.
Six
months retention is reasonable?
The issue of retention period was
also considered by the AG (para 242) who felt that according to Zakharov a period of six months would be
reasonable provided irrelevant data was immediately destroyed (para 243).
However, by making this connection, the AG created a false analogy of what the
ECtHR held. Zakharov concerned
judicially authorised interception and monitoring of communications data of individuals for six months (para 44-48). Therefore the analogy
with targeted measures and that of general data retention begins to falter, as
in the AG’s own words ‘metadata’ facilitates the almost instantaneous
cataloguing of entire populations, something which the content of
communications (via interception) does not (para 259).
Conclusion
Although most of the finer
details, in the Opinion of the AG should be left to national courts (para 263)
the issue of data retention as a challenge to fundamental rights persists. The
AG, by placing great significance on the ECHR and the ECtHR’s jurisprudence
unwittingly undermined some of his own key points because they do not accord
with the ECHR. It is unlikely that the CJEU are going to rule per se that a
general obligation to retain communications data is incompatible with EU law,
and therefore maybe an issue for the ECtHR to decide themselves. In light of S and Marper it is possible that the
ECtHR would produce a ruling that is in contrast to the CJEU. The United Nations General
Assembly has
affirmed that same rights that people have offline must also be protected online. The late Caspar Bowden once
described data retention as akin to having CCTV inside your head. And so the question becomes,
would the AG/CJEU consider that CCTV inside every home would be compatible with
EU law provided that access to that footage would be circumscribed by adequate
safeguards?
Barnard & Peers: chapter 9
JHA4: chapter II:7
Photo credit: xgtnigeria.com
No comments:
Post a Comment