Matthew White, Ph.D candidate,
Sheffield Hallam University
On 12 December 2016, a document
containing the draft of the ePrivacy Regulation (draft Regulation) was leaked.
This has resulted in some commentary (here
and here)
highlighting the good, the bad and even missing points. This post deals only
with the data retention aspect.
Prior to the leak, earlier this
year, the Article
29 Data Protection Working Party (A29DPWP) in its opinion on the evaluation
and review of the ePrivacy Directive observed that:
The EC should
explicitly state that it will not introduce any new European data retention
requirement. Any similar retention of communications data in general must be
prohibited in the revised ePrivacy instrument. (p8).
This of course is referring to
Article 15(1) of the current ePrivacy
Directive, which Advocate General Saugmandsgaard Øe in the joined cases of C‑203/15
and C‑698/15
Watson and Tele2 opined puts general
data retention obligations within the scope of the ePrivacy Directive (paras
84-95) and thus EU law. The AG further observed that Article 15(1) gave Member
States a choice as to whether they should adopt national data retention regimes
(para 106). Further, the AG maintained that the ePrivacy Directive did not
preclude Member States from taking other measures necessary for the protection
of public security etc (para 117).
The A29DPWP’s opinion is reflected
in the draft Regulation, in the last paragraph of section 1.3 (p4). It states
that the draft Regulation does not include any specific provision in the field
of data retention, but Member State would remain able to establish and maintain
national data retention legislation so long as they comply with general
principles of EU law and the Charter of Fundamental Rights (CFR). This falls in
line with the AG in Watson and Tele 2
insofar that Member States can take other measures necessary e.g. data
retention for the protection of public security etc.
This ability to adopt national
data retention legislation is implied in Article 11 which stipulates that the
EU and Member States may restrict (by legislative means) the obligations and
rights provided for by Articles 5, 6, 7 and 8 of the draft Regulation when they
respect the essence of those rights and if it is necessary, appropriate and
proportionate in a democratic society to safeguard a list of objectives. These
restrictions must in accordance with the CFR, particularly Articles 7, 8, 10
and 52.
From Article 11, it is clear that
at an EU and Member State level, data retention obligations can still be
created. In contrast to the current provision in Article 15(1), there is no
mention of the restrictions being in conformity with general principles of EU
law or Article 6(1) and (2) of the Treaty
of the European Union (TEU). More specifically, Article 6(3) of the TEU
regards the European Convention on Human Rights (ECHR) as general principals of
EU law. It is not clear why this has been omitted from Article 11, but the
protection of fundamental rights should not be based on the exclusive
interpretation of the CFR. Although compliance with the ECHR is mentioned in
Recital 10 and 30, it should be mentioned in Article 11 itself as the Court of
Justice of the European Union (CJEU) noted in Case C-162/97 Nilsson that ‘the preamble to a
Community act has no binding legal force and cannot be relied on as a ground
for derogating from the actual provisions of the act in question’ (para 54). What
if there is diverging jurisprudence between the ECHR and the CFR, what if the
former better protects fundamental rights than the latter in a particular
circumstance?
This relates to the next issue;
Article 11 only allows restrictions that respect the essence of the right. In Schrems
the CJEU regarded the transfer of data from the EU to the US (under the Safe
Harbour rules) compromised the essence of the right because of the generalised
access to the content of electronic communications (para 94) and therefore
ruled it invalid (para 107). This may also be the case, if Brexit happens, for
many of the provisions of the Investigatory
Powers Act 2016 (IPA 2016) when it comes into force in 2017.
I say many of the provisions, but
this may not be the case for data retention (who concerns, for instance, information
about who someone called, texted or e-mailed, as distinct from the content of those communications). In Case
C‑203/15
Digital Rights Ireland the CJEU held
that general data retention obligations do not adversely affect the essence of
Article 7 (right to privacy) and Article 8 (data protection) of the CFR (paras
39-40). This already gives Member States unjustified leeway when it comes to
national data retention, even more significantly in that the CJEU felt that a general
data retention obligation ‘genuinely satisfies an objective of general
interest’ (para 44). Therefore, a data retention obligation by itself,
according to EU law, would actually respect the essence of the right.
I have said before
that this construction of data retention is damaging to fundamental rights and
I will say it again. The AG in Watson and
Tele2 acknowledges that data retention is just as serious as interception
(para 254), yet did not feel this was enough to adversely affect the essence of
the right. Both the AG and CJEU do not fully appreciate just how revealing
communications (or meta) data truly are, this is shown through their
differential treatment of content, despite communications data and content
being thinly (if it even can be anymore) distinguished. The CJEU and AG
primarily focus on access mechanisms, rather than the fact that the initial
interference, and arguably destruction of the right (and this is more than just
about privacy and data protection) posed by data retention. This creates a
conflict with the ECHR, as a violation can occur irrespective of the access
mechanisms. This highlights the importance of (re)adding compliance with the
ECHR into Article 11 of the draft Regulation and not to leave it in the
preamble, because in this particular context, the interpretation of the CFR
does not, ironically, fully protect those fundamental rights.
The CJEU is set to hand down its
judgment in Watson and Tele2 on 21
December 2016. If they follow the AG in that judicial or independent
authorisation for access to communications data is to be regarded as mandatory
(para 221) then Part 3 of
the IPA 2016 is going to have to be revised. But therein lies the problem,
firstly, if the CJEU does not change its stance, then data retention will be
acceptable in the EU. Therefore, this may also be acceptable in third
countries like the US or even Australia where the Telecommunications
(Interception and Access) Amendment (Data Retention) Act 2015 requires
judicial authorisation (6DC Part 4‑1 issuing authorities). This
assumes that respect for fundamental rights is primarily based on the
independence of the issuing authority, where the UK can further claim retention
notices are in fact issued by judges (see s.89
of the IPA 2016). But this is an oversimplication of the issue as a transfer of
competence does not reduce the infringing capability of data retention, all it
does is ensure higher degrees of independence (see forthcoming Matthew White, Protection by Judicial Oversight, or an
Oversight in Protection? (2017)).
And so, while mandating judicial
or independent authorisation of access to communications data would be a
welcomed step in safeguarding fundamental rights. This early Christmas present
may in fact be a lump of coal waiting to be opened. This is because as EU law
is likely to stand, there is nothing wrong with general obligations to retain.
Cartoon credit: Royston, The New
Yorker
This comment has been removed by a blog administrator.
ReplyDelete