Wednesday, 27 July 2016

The new Opinion on Data Retention: Does it protect the right to privacy?





Matthew White, Ph.D candidate, Sheffield Hallam University

Introduction

Has an Advocate General (AG) in the Court of Justice of the EU unleashed the power of the European Convention on Human Rights (ECHR)? On 19 July 2016, the AG gave his Opinion in the joined cases of C203/15 and C698/15 Watson and Tele2. The AG felt that general data retention obligations imposed by Member States may be compatible with fundamental rights enshrined in EU law, provided that there are robust safeguards (para 7). This post briefly outlines the background to this case (for a more detailed background, see Professor Lorna Woods’s take), whilst highlighting aspects relating to the ECHR and showing that some of the AG’s conclusions become self-defeating because they require EU law to be no less stringent than the ECHR.

Background

Case C203/15

A day after Digital Rights Ireland (where the Court of Justice of the European Union (CJEU) ruled that the EU’s Data Retention Directive (DRD) was invalid for being incompatible with the Charter of Fundamental Rights (CFR)), the first claimant, Tele2, notified the Swedish Post and Telecommunications Authority (PTS) of its decision to cease retaining data under Chapter 6 of the LEK (the relevant Swedish law), with the aim of deleting it (para 50). The National Police Board (RPS) complained to the PTS that Tele2’s actions had serious consequences for law enforcement activities (para 51). PTS ordered Tele2 to resume retention in accordance with Chapter 6 (para 52); Tele2 appealed to the Stockholm Administrative Court (SAC) but lost (para 53). Tele2 then sought to appeal against the SAC’s decision (para 54), but the Stockholm Administrative Court of Appeal (SACA) felt that making a preliminary reference to the CJEU would be more appropriate, asking:

·         Is a general obligation to retain all traffic data indiscriminately compatible with Art.15(1) of the (ePrivacy) Directive (Directive) and Articles 7, 8 and 52(1) of the CFR?

·         If no, is such an obligation nevertheless permitted where:
          ·  access by national authorities was governed in a specified manner, and
          ·  the protection and security of data are regulated in a specified manner, and
          ·  all relevant data is retained for six months?

Case C698/15 

I previously blogged on the situation in the UK, but will make a quick summary for the purposes of this post (or alternatively see paras 56-60 of the Opinion). The UK responded to Digital Rights Ireland by introducing the Data Retention Investigatory Powers Act 2014 (DRIPA 2014). This was successfully challenged in the High Court by Tom Watson MP and David Davis MP. The success was short-lived, however: the Court of Appeal disagreed with the High Court, but made a preliminary reference to the CJEU asking:

·         Did the CJEU in Digital Rights Ireland intend to lay down mandatory requirements of EU law with which the national legislation of Member States must comply?
·         Did the CJEU in Digital Rights Ireland intend to expand the effect of Articles 7 and/or 8, EU Charter beyond the effect of Article 8 ECHR as established in the jurisprudence of the ECtHR?

AG’s Opinion

Asking the wrong question?

The AG initially dealt with the question of whether Digital Rights Ireland extended the scope of Article 7 and/or Article 8 of the CFR beyond that of Article 8 of the ECHR. The AG considered this question inadmissible (paras 70 and 83) because that possibility was not directly relevant to the resolution of the current dispute (para 75). The AG admitted that the first sentence of Article 52(3) of the CFR (which lays down rules of interpretation) makes clear that any corresponding rights must be the same in meaning and scope as those of the ECHR (para 77). But he highlighted that the second sentence of Article 52(3) can permit the CJEU to extend the scope of the CFR beyond that of the ECHR (para 78). The ECHR has always been a minimum benchmark: in Trucl and Others v Slovenia it was noted that ‘rights guaranteed by the Convention represented minimum standards’ (para 115). Thus if the EU did accede to the ECHR (and even if it did not), with or without the second sentence of Article 52(3), the CJEU would be free to extend the scope of the CFR as it saw fit. Therefore, in agreement with the AG, the Court of Appeal asked the wrong question.

Lack of corresponding right means rules of interpretation do not apply?

Another important aspect was pointed out by the AG, who maintained that Article 8 of the CFR has no corresponding ECHR right and therefore the rules of interpretation laid out in the first sentence of Article 52(3) do not apply (para 79). However, there is cause for slight disagreement with this interpretation of Article 52(3). While the High Court admitted that protection of personal data fell within the ambit of Article 8 of the ECHR, it felt Article 8 of the CFR went beyond this because it was more specific and the ECHR had no counterpart (para 80). However, the High Court did so without actually considering Article 8 ECHR case law, so its conclusions did not appear to be based on anything but mere conjecture and the wording of Article 8 CFR. This was also questioned by Stalla-Bourdillon because it appeared the High Court followed this interpretation based on there not being an ECHR counterpart. But on closer inspection, as Stalla-Bourdillon highlighted, there is extensive Article 8 case law on the protection of personal data which, it is suggested, does in fact correspond with Article 8 CFR. Therefore, both the High Court and the AG have fallen prey to only considering the provisions of the ECHR and not the European Court of Human Rights’ (ECtHR) interpretation of those provisions, thus substance over form seemingly prevailed.

It is suggested that, because there is such extensive case law on the protection of personal data in light of Article 8 ECHR, it is only right that it should be used as a guide when considering Article 8 CFR. Article 52(3) notes that ‘the meaning and scope of those rights shall be the same as those laid down by the said Convention.’ In PPU J McB v LE the CJEU held that not only are the rights set out in the ECHR to correspond, but also the meaning given to them through the ECtHR’s jurisprudence (para 53) (see also). In Schecke the CJEU held that:

‘[T]he right to respect for private life with regard to the processing of personal data, recognised by Articles 7 and 8 of the Charter, concerns any information relating to an identified or identifiable individual...and the limitations which may lawfully be imposed on the right to the protection of personal data correspond to those tolerated in relation to Article 8 of the Convention.’ (para 52).

It has been maintained that such an interpretation can be problematic because the CJEU has allowed Article 8 CFR to be absorbed by Article 7. However, this does not and would not weaken the stance that Article 8 CFR as a standalone right should be interpreted (where possible) in accordance with principles of data protection embedded within the ECtHR’s jurisprudence. Read as a whole, Article 52(3) would therefore be properly adhered to, and would also allow the CJEU to deviate, if need be, to offer a higher standard of protection.

A general obligation to retain:

The AG then considered whether Article 15(1) of the Directive allowed Member States to impose a general data retention obligation (para 84) by establishing whether such an obligation fell within the scope of the Directive (para 86). The Czech, French, Polish and United Kingdom Governments all contended that data retention was excluded by Article 1(3) (which excludes matters such as public security, defence, State security from the scope of the Directive) (para 88). However, the AG rejected this by highlighting that:

·         Article 15(1) governed precisely that (retention of data) (para 90),
·         Provisions of access falling within Article 1(3) do not preclude retention from falling within Article 1(3) (paras 92-94),
·         The approach taken by the CJEU in Ireland v Parliament and Council meant that general data obligations were not within the scope of criminal law (para 95).

When it came to the issue of whether the Directive applied, the AG referred to the Member States’ ‘entitlement’ under Article 15(1), i.e. Member States have a choice (para 106). The AG then referred to Recital 11 of the Directive, which did not alter the balance between an individual’s right to privacy and the possibility of Member States to take measures necessary for the protection of public security etc (para 107). Moreover, the AG highlighted that the Directive did not alter the ability of Member States to carry out lawful interception of electronic communications, or take other measures, if necessary for any of these purposes and in accordance with the ECHR (para 107). The AG opined that general data retention obligations were consistent with the Directive and therefore Member States were entitled to avail themselves of that possibility under Article 15(1), subject not only to its requirements, but also to those of the CFR in light of Digital Rights Ireland (para 116). Although the AG felt that general obligations of data retention were permissible under EU law (subject to restrictions), an avenue was created for testing the general obligation itself under the ECHR.

In accordance with the law? But does this not defeat the AG’s premise?

When the AG considered the requirement for a legal basis in national law, he invited the CJEU to confirm that the interpretation of ‘provided for by law’ in Article 52(1) CFR accorded with the ECtHR’s jurisprudence on a measure being ‘in accordance with the law’ (paras 134-137). The AG highlighted that the ECtHR has developed a substantial body of jurisprudence on the matter, which could be summarised as follows:

·         A legal basis that is adequately accessible and foreseeable i.e. the law is formulated with sufficient precision to enable the individual — if need be with appropriate advice — to regulate their conduct,
·         This legal basis must provide adequate protection against arbitrary interference, and
·         Must define with sufficient clarity the scope and manner of exercise of the power conferred on the competent authorities (para 139).

The AG was of the opinion that the meaning of ‘provided for by law’ in Article 52(1) CFR needs to be the same as that ascribed to it in connection with the ECHR (para 140). The AG’s reasoning was as follows:

·         Article 53 CFR explains that its provisions must never be inferior to what is guaranteed by the ECHR and therefore the CFR must at least be as stringent as the ECHR (para 141),
·         It would be inappropriate to impose different criteria on the Member States depending on which of those two instruments was under consideration (para 142).

The AG felt that general data retention obligations must be founded on a legal basis that is adequately accessible and foreseeable and provides adequate protection against arbitrary interference (para 143). This would solve the problem of the CJEU falling into ‘the trap of tautologically regarding a legal norm, the validity of which is being questioned, as being allegedly in accordance with the law because it is a law’.

This then raises the interesting issue, if this is the preferred interpretation, how could a general obligation to retain data not amount to arbitrary interference? The AG later admits that the disadvantage of this general obligation arises ‘from the fact that the vast majority of the data retained will relate to persons who will never be connected in any way with serious crime’ (para 252). If the vast majority of data retained is of individuals who are unrelated to any serious crime, how could this even be suggested to not be arbitrary?

If, in line with the ECtHR’s jurisprudence, a measure must be sufficiently precise for individuals to regulate their conduct in order to be in accordance with the law, how could this square with general obligations to retain data, which apply irrespective of conduct? The ECtHR’s Grand Chamber in Zakharov v Russia maintained that the ‘automatic storage for six months of clearly irrelevant data cannot be considered justified under Article 8’ (para 255). As the AG indicated, most data retained will have no relation to the fight against serious crime and therefore, in line with Zakharov, cannot be justified under Article 8. Member States would then have to justify why most data unrelated to serious crime is relevant to the fight against serious crime. In stressing that Article 52(1) should reflect the ECtHR’s jurisprudence, the AG may have undermined his own position that general obligations to retain data were permissible under EU law, by unleashing the ECHR in terms of Recital 11 and the interpretation of ‘provided for by law.’

Data retention does not adversely affect the essence of the right, or does it, or should it?

The AG listed six requirements a general data retention obligation must meet to be justified, one of which is that it ‘must observe the essence of the rights enshrined in the Charter’ (para 132). The AG recalled that Article 52(1) CFR provides that any limitation to the rights enshrined must respect the essence of those rights and freedoms (para 155). The AG referred to para 39 of Digital Rights Ireland, where the CJEU held that the DRD did not adversely affect Article 7 CFR since it did not permit the acquisition of knowledge of the content of the electronic communications as such (para 156). The AG felt this also applied to the current case (para 157) and that this was equally the case for Article 8 CFR (paras 158-9), but ultimately left it for the CJEU to decide (para 160).

However, the AG later contradicts his own opinion when considering the disadvantages of data retention. The AG accepted that ‘a general data retention obligation will facilitate equally serious interference as targeted surveillance measures, including those which intercept the content of communications’ (para 254). The AG stopped short of referring to data retention as mass surveillance, but instead referred to it as mass interference (para 255) and noted that it affected a substantial portion, if not all, of the relevant population (para 256). The AG went even further, giving the example of an individual who accesses retained data (instead of analysing content) to screen out those within the Member State who have a psychological disorder or any field of specialist medicine (para 257). The AG continued that this same person, seeking to find out who opposed government policies, could do so, with the possibility of identifying individuals taking part in public demonstrations against the government (para 258).

The AG agreed with the position of several civil society groups, the Law Society and the United Nations High Commissioner for Human Rights that the ‘risks associated with access to communications data (or ‘metadata’) may be as great or even greater than those arising from access to the content of communications’ (para 259). The AG further added that the examples given demonstrate that ‘metadata’ can facilitate ‘the almost instantaneous cataloguing of entire populations, something which the content of communications does not’ (para 259). The AG also added that there was nothing theoretical about the risks of abuse or illegal access to retained data (based on the number of requests by Swedish and UK authorities) and that such risk of ‘illegal access on the part of any person, is as substantial as the existence of computerised databases is extensive’ (para 260).

Considering the incredible detail in which the AG described the risks posed by the retention of data, it makes little sense to hold the opinion that a general data retention obligation does not adversely affect the essence of the right. The premise of the AG, and of the CJEU in Digital Rights Ireland, was the idea that communications data would not permit acquisition of knowledge of the content of the electronic communications. Yet the AG described in great detail the amount of knowledge that could be gained from communications data. And it is this acquisition of knowledge that is the important factor: the AG described the example of the ability to gain sensitive knowledge without analysing the content. And so the AG, like the CJEU, has created an arbitrary distinction: although the same knowledge can be gained from communications data or content, it is only access to content that could adversely affect the essence of the right (para 94). If it is acknowledged that similar knowledge can be gained from both measures, the CJEU and indeed the AG have not sufficiently explained this differential treatment. Furthermore, considering only access to content as adversely affecting the essence of the right would promote the use of retention of, and access to, communications data to a greater degree, which, as the AG admits, can provide far richer information than content.

Indiscriminate data retention may be EU compliant, but not ECHR compliant

The AG highlighted that the CJEU in Digital Rights Ireland pointed out that the DRD covered all users and all traffic data without differentiation or limitation (para 197). The AG described what the CJEU considered the practical implications of the absence of differentiation i.e. concerning those with no link to serious crime, no relationship between retention and threat to public security, and no temporal, geographical and associate based restriction (para 198). The AG concluded that the CJEU did not hold that the absence of differentiation in itself went beyond what was strictly necessary (para 199).

The AG justified this on four grounds. Firstly, the CJEU ruled the DRD invalid because of the cumulative effects of generalised data retention and the lack of safeguards which sought to limit the interference with Articles 7 and 8 CFR to what was strictly necessary (paras 201-202). Secondly, in light of Schrems (para 93), the AG inferred again that only general data retention obligations accompanied by sufficient safeguards would be compatible with EU law (para 205). Thirdly, the AG felt national measures should be scrutinised at a national level, where the national courts should rigorously verify whether general data retention obligations are the most effective at fighting serious crime, i.e. whether there are other less intrusive alternatives (paras 209-210). Fourthly, the AG agreed with the Estonian Government that limiting data retention to a particular geographical area may cause a geographical shift in criminal activity (para 214).

Considering indiscriminate data retention as permissible under EU law if there is a sufficiently robust safeguard mechanism creates problems with the ECHR. In the case of S and Marper v United Kingdom the issue at hand was the retention of fingerprint and DNA records. In finding the retention regime incompatible with Article 8 (para 126), the ECtHR was struck by the blanket and indiscriminate nature of the power because:

[119] material may be retained irrespective of the nature or gravity of the offence with which the individual was originally suspected or of the age of the suspected offender...
[122] Of particular concern in the present context is the risk of stigmatisation, stemming from the fact that persons in the position of the applicants, who have not been convicted of any offence and are entitled to the presumption of innocence, are treated in the same way as convicted persons...
[125] In conclusion, the Court finds that the blanket and indiscriminate nature of the powers of retention of the fingerprints, cellular samples and DNA profiles of persons suspected but not convicted of offences, as applied in the case of the present applicants, fails to strike a fair balance between the competing public and private interests and that the respondent State has overstepped any acceptable margin of appreciation in this regard. Accordingly, the retention at issue constitutes a disproportionate interference with the applicants’ right to respect for private life and cannot be regarded as necessary in a democratic society. This conclusion obviates the need for the Court to consider the applicants’ criticism regarding the adequacy of certain particular safeguards, such as too broad an access to the personal data concerned and insufficient protection against the misuse or abuse of such data.

S and Marper’s significance has been linked to data retention, and therefore it is important to apply its principles to the AG’s Opinion. The ECtHR criticised the UK regime for not distinguishing between those who had been suspected and those who had committed offences. Regarding data retention obligations, this indiscriminate power is more profound because suspicion would not be a necessary component for the justification of retention. As the AG highlighted, most data retained is of individuals who bear no relation to serious crime, and this therefore creates an issue with the presumption of innocence to an unacceptable level. The most important aspect of the ECtHR’s reasoning in S and Marper was that the retention itself was contrary to the Convention without having to consider the safeguards that may have been in place. This is in direct contrast with Digital Rights Ireland and the AG’s Opinion.

Regarding the fourth point, it is submitted that the Estonian Government and the AG misunderstood how data retention and location data work in practice. It is not the physical area that is the important factor, but the location of the device in question at a particular time. This was apparent in Uzun v Germany when the ECtHR described the Global Positioning System (GPS) as allowing ‘continuous location, without lapse of time, of objects equipped with a GPS receiver anywhere on earth, with a maximum tolerance of 50 metres at the time’ (paras 12-13). This is all the more relevant as location data is becoming more and more sophisticated. Therefore applying a data retention obligation in a specific geographical area creates a false premise, as the obligation on the service provider is to keep a record of the location data of a device when its service is used (which will indicate where an individual might be) irrespective of geographical area. Furthermore, a targeted data retention approach would not be confined to a geographical area as such, but to criminal activity (based on individual use of device and service) within a particular area.
  
Six months retention is reasonable?

The issue of the retention period was also considered by the AG (para 242), who felt that according to Zakharov a period of six months would be reasonable provided irrelevant data was immediately destroyed (para 243). However, by making this connection, the AG created a false analogy with what the ECtHR held. Zakharov concerned judicially authorised interception and monitoring of communications data of individuals for six months (paras 44-48). Therefore the analogy between targeted measures and general data retention begins to falter, as in the AG’s own words ‘metadata’ facilitates the almost instantaneous cataloguing of entire populations, something which the content of communications (via interception) does not (para 259).

Conclusion  

Although, in the Opinion of the AG, most of the finer details should be left to national courts (para 263), the issue of data retention as a challenge to fundamental rights persists. The AG, by placing great significance on the ECHR and the ECtHR’s jurisprudence, unwittingly undermined some of his own key points because they do not accord with the ECHR. It is unlikely that the CJEU is going to rule per se that a general obligation to retain communications data is incompatible with EU law, and this may therefore be an issue for the ECtHR to decide itself. In light of S and Marper it is possible that the ECtHR would produce a ruling that is in contrast to the CJEU. The United Nations General Assembly has affirmed that the same rights that people have offline must also be protected online. The late Caspar Bowden once described data retention as akin to having CCTV inside your head. And so the question becomes, would the AG/CJEU consider that CCTV inside every home would be compatible with EU law provided that access to that footage would be circumscribed by adequate safeguards?

Barnard & Peers: chapter 9
JHA4: chapter II:7
