Wednesday, 14 December 2016

Early Christmas present or a lump of coal?: Data retention and the leaked ePrivacy Regulation

Matthew White, Ph.D candidate, Sheffield Hallam University

On 12 December 2016, a document containing the draft of the ePrivacy Regulation (draft Regulation) was leaked. This has resulted in some commentary (here and here) highlighting the good, the bad and even missing points. This post deals only with the data retention aspect.

Prior to the leak, earlier this year, the Article 29 Data Protection Working Party (A29DPWP) in its opinion on the evaluation and review of the ePrivacy Directive observed that:

The EC should explicitly state that it will not introduce any new European data retention requirement. Any similar retention of communications data in general must be prohibited in the revised ePrivacy instrument. (p8).     

This of course is referring to Article 15(1) of the current ePrivacy Directive, which Advocate General Saugmandsgaard Øe in the joined cases of C203/15 and C698/15 Watson and Tele2 opined puts general data retention obligations within the scope of the ePrivacy Directive (paras 84-95) and thus EU law. The AG further observed that Article 15(1) gave Member States a choice as to whether they should adopt national data retention regimes (para 106). Further, the AG maintained that the ePrivacy Directive did not preclude Member States from taking other measures necessary for the protection of public security etc (para 117).

The A29DPWP’s opinion is reflected in the draft Regulation, in the last paragraph of section 1.3 (p4). It states that the draft Regulation does not include any specific provision in the field of data retention, but Member State would remain able to establish and maintain national data retention legislation so long as they comply with general principles of EU law and the Charter of Fundamental Rights (CFR). This falls in line with the AG in Watson and Tele 2 insofar that Member States can take other measures necessary e.g. data retention for the protection of public security etc.

This ability to adopt national data retention legislation is implied in Article 11 which stipulates that the EU and Member States may restrict (by legislative means) the obligations and rights provided for by Articles 5, 6, 7 and 8 of the draft Regulation when they respect the essence of those rights and if it is necessary, appropriate and proportionate in a democratic society to safeguard a list of objectives. These restrictions must in accordance with the CFR, particularly Articles 7, 8, 10 and 52.

From Article 11, it is clear that at an EU and Member State level, data retention obligations can still be created. In contrast to the current provision in Article 15(1), there is no mention of the restrictions being in conformity with general principles of EU law or Article 6(1) and (2) of the Treaty of the European Union (TEU). More specifically, Article 6(3) of the TEU regards the European Convention on Human Rights (ECHR) as general principals of EU law. It is not clear why this has been omitted from Article 11, but the protection of fundamental rights should not be based on the exclusive interpretation of the CFR. Although compliance with the ECHR is mentioned in Recital 10 and 30, it should be mentioned in Article 11 itself as the Court of Justice of the European Union (CJEU) noted in Case C-162/97 Nilsson that ‘the preamble to a Community act has no binding legal force and cannot be relied on as a ground for derogating from the actual provisions of the act in question’ (para 54). What if there is diverging jurisprudence between the ECHR and the CFR, what if the former better protects fundamental rights than the latter in a particular circumstance?

This relates to the next issue; Article 11 only allows restrictions that respect the essence of the right. In Schrems the CJEU regarded the transfer of data from the EU to the US (under the Safe Harbour rules) compromised the essence of the right because of the generalised access to the content of electronic communications (para 94) and therefore ruled it invalid (para 107). This may also be the case, if Brexit happens, for many of the provisions of the Investigatory Powers Act 2016 (IPA 2016) when it comes into force in 2017.

I say many of the provisions, but this may not be the case for data retention (who concerns, for instance, information about who someone called, texted or e-mailed, as distinct from the content of those communications). In Case C203/15 Digital Rights Ireland the CJEU held that general data retention obligations do not adversely affect the essence of Article 7 (right to privacy) and Article 8 (data protection) of the CFR (paras 39-40). This already gives Member States unjustified leeway when it comes to national data retention, even more significantly in that the CJEU felt that a general data retention obligation ‘genuinely satisfies an objective of general interest’ (para 44). Therefore, a data retention obligation by itself, according to EU law, would actually respect the essence of the right.

I have said before that this construction of data retention is damaging to fundamental rights and I will say it again. The AG in Watson and Tele2 acknowledges that data retention is just as serious as interception (para 254), yet did not feel this was enough to adversely affect the essence of the right. Both the AG and CJEU do not fully appreciate just how revealing communications (or meta) data truly are, this is shown through their differential treatment of content, despite communications data and content being thinly (if it even can be anymore) distinguished. The CJEU and AG primarily focus on access mechanisms, rather than the fact that the initial interference, and arguably destruction of the right (and this is more than just about privacy and data protection) posed by data retention. This creates a conflict with the ECHR, as a violation can occur irrespective of the access mechanisms. This highlights the importance of (re)adding compliance with the ECHR into Article 11 of the draft Regulation and not to leave it in the preamble, because in this particular context, the interpretation of the CFR does not, ironically, fully protect those fundamental rights.

The CJEU is set to hand down its judgment in Watson and Tele2 on 21 December 2016. If they follow the AG in that judicial or independent authorisation for access to communications data is to be regarded as mandatory (para 221) then Part 3 of the IPA 2016 is going to have to be revised. But therein lies the problem, firstly, if the CJEU does not change its stance, then data retention will be acceptable in the EU. Therefore, this may also be acceptable in third countries like the US or even Australia where the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 requires judicial authorisation (6DC Part 41 issuing authorities). This assumes that respect for fundamental rights is primarily based on the independence of the issuing authority, where the UK can further claim retention notices are in fact issued by judges (see s.89 of the IPA 2016). But this is an oversimplication of the issue as a transfer of competence does not reduce the infringing capability of data retention, all it does is ensure higher degrees of independence (see forthcoming Matthew White, Protection by Judicial Oversight, or an Oversight in Protection? (2017)).   

And so, while mandating judicial or independent authorisation of access to communications data would be a welcomed step in safeguarding fundamental rights. This early Christmas present may in fact be a lump of coal waiting to be opened. This is because as EU law is likely to stand, there is nothing wrong with general obligations to retain.

Cartoon credit: Royston, The New Yorker

No comments:

Post a Comment