Matthew White, Ph.D candidate,
Sheffield Hallam University
Introduction
In a follow-up to last Christmas’s
post, on 10 January 2017, the European Commission released the official
version of the
proposed Regulation on Privacy and Electronic Communications (e-Privacy
Regs). Just as the last post concerned the particular aspect of data retention,
this post will too.
Just as the former leaked
version maintained, the proposal does not include any specific provisions in
the field of data retention (para 1.3). This paragraph continues that Member
States are free to keep or create national data retention laws, provided that
they are ‘targeted’ and that they comply with European Union (EU) taking into
account the case-law of the Court of Justice of the European Union (CJEU) and
its interpretation of the e-Privacy Directive and the Charter of Fundamental
Rights (CFR). Regarding the CJEU’s interpretation, the proposals specifically
refers to Joined Cases C-293/12 and C-594/12 Digital
Rights Ireland and Seitlinger and Others, and Joined Cases C-203/15 and
C-698/15 Tele2
Sverige AB and Secretary of State for the Home Department. Aspects of
the latter case is the focus of this post; the case itself has been thoroughly
discussed by Professor
Lorna Woods.
So, when is the essence of the right adversely affected?
Before discussing certain aspects
of Tele2 and Watson, it is first
important to draw attention to the provision which enables data retention in
the new e-Privacy Regs. Article 11 allows the EU or its Member States to
restrict the rights contained in Articles 5-8 (confidentiality of
communications, permissions on processing, storage and erasure of electronic
communications data and protection of information stored in and related to
end-users’ terminal equipment). From Article 11, it is clear that this can include
data retention obligations, so long as they respect the essence of the right
and are necessary, appropriate and proportionate. In Tele2 and Watson the CJEU noted that any limitation of rights
recognised by the CFR must respect the essence of said rights [94]. The CJEU
accepted the Advocate General (AG)’s Opinion that data retention creates an
equally serious interference as interception and that the risks associated with
the access to communications maybe greater than access to the content of
communications [99]. Yet the CJEU were reluctant to hold that data retention
(and access to) adversely affects the essence of those rights [101]. This
appears to highlight a problem in the CJEU’s reasoning, if the CJEU, like the
AG accept that retention of and access to communications data is at least on
par with access to the content, it makes little sense to then be reluctant to
hold that data retention adversely affects the essence of those rights. The
CJEU does so without making any distinction or reasoning for this differential
treatment, and thus serves to highlight that perhaps the CJEU themselves do not
fully respect the essence of those rights in the context of data retention.
The CJEU’s answer seems only limited catch all powers
The thrust of the CJEU’s judgment
in Tele2 and Watson was that general
and indiscriminate data retention obligations are prohibited at an EU level.
But as I have highlighted
previously, the CJEU’s answer was only in response to a very broad question
from Sweden,
which asked was:
[A] general
obligation to retain traffic data covering all persons, all means of electronic
communication and all traffic data without any distinctions, limitations or
exceptions for the purpose of combating crime…compatible with [EU law]?
Therefore, provided that national
laws do not provide for the capturing of all data of all subscribers and users
for all services in one fell swoop, this may be argued to be compatible with EU
law. Both the e-Privacy Regs and the CJEU refer to ‘targeted’ retention [108, 113].
The CJEU gave an example of geographical criterions for retention in which
David Anderson Q.C. asks
whether the CJEU meant that ‘it could be acceptable to perform “general and
indiscriminate retention” of data generated by persons living in a particular
town, or housing estate, whereas it would not be acceptable to retain the data
of persons living elsewhere? This is entirely possible given the reference from
Sweden and the answer from the CJEU. In essence the CJEU have permitted
discriminatory general and indiscriminate data retention which would in any
event respect the essence of those rights.
Data retention is our cake, and only we can eat it
A final point on Tele2 and Watson was that the CJEU held
that national laws on data retention are within the scope of EU law [81]. This
by itself may not raise any concerns about protecting fundamental rights, but
it is what the CJEU rules later on in the judgment that may be of concern. The
CJEU held that the interpretation of the e-Privacy Directive (and therefore
national Member State data retention laws) “must be undertaken solely in the
light of the fundamental rights guaranteed by the Charter” [128]. The CJEU has
seemingly given itself exclusive competence to determine how rights are best
protected in the field of data retention. It is clear from the subsequent
paragraph that the CJEU seeks to protect the autonomy of EU law above anything
else, even fundamental rights [129]. This is despite the ECHR forming general
principles of EU law and is mentioned in Article 15(1) (refers Article 6(3) of
the Treaty
of the European Union (TEU) specifically referring to the ECHR as
such). Article 11 of the e-Privacy Regs refers to restrictions respecting the
‘essence of fundamental rights and freedoms’ and only time will tell whether
the CJEU would interpret this as only referring to the CFR. Recital 27 of the
e-Privacy Regs just like Recital 10 and 30 of the e-Privacy Directive refers to
compliance with the ECHR, but as highlighted previously, Recitals
are not legally binding.
Is the CJEU assuming too much?
A further concern, is that had
the European Commission added general principles of EU law into Article 11, the
CJEU may simply have ignored it, just as it has done in Tele2 and Watson. The problem with the CJEU’s approach is that it
assumes that this judgment offers an adequate protection of human rights in
this context. The ECHR has always been the minimum floor, but it appears the
CJEU wants the CFR to be the ceiling whether it be national
human rights protection, or protection guaranteed by the ECHR. What if that
ceiling is lower than the floor? The AG in Tele2
and Watson stressed that the CFR must never be inferior to the ECHR
[141]. But I have argued before,
the EU jurisprudence on data retention is just that, offering inferior
protection to the ECHR, and the qualification by the CJEU in Tele2 and Watson does not alter this. This
position is strengthened by Judge Pinto De Albuquerque in his concurring
opinion in the European Court of Human Rights judgment in Szabo. He
believed that:
[M]andatory
third-party data retention, whereby Governments require telephone companies and
Internet service providers to store metadata about their customers’
communications and location for subsequent law-enforcement and intelligence
agency access, appeared neither necessary nor proportionate [6].
Of course, Judge Pinto De Albuquerque
could have been referring to the type of third party data retention which
requires Internet Service Providers (ISPs) to intercept data from Over The Top
(OTT) services, but his description is more in line with data retention of
services’ own users and subscribers.
Conclusions
Although the CJEU has prohibited
general indiscriminate data retention, the CJEU does not seem to have prevented
targeted indiscriminate data retention. If the European Court of Human Rights
(ECtHR) were to ever rule on data retention and follow its jurisprudence and
the opinion of Judge Pinto De Albuquerque, this may put EU law in violation of
the ECHR. This would ultimately put Member States in a damned if they do,
damned if they do not situation, comply with the ECHR, and violate EU law
autonomy; comply with EU law and violate the ECHR. When the minimum standards
of human rights protection in this context are not adhered to, because of EU
law, the ECHR should prevail. As anything less is a threat to human rights,
meaning that the (even if well intentioned) CJEU can also be.
JHA4: chapter II:7
Photo credit: goldenfrog.com
No comments:
Post a Comment