Lorna Woods, Professor of Internet Law, University of
Essex
Introduction
Advocate General Campos
Sanchez-Bordana has handed down his opinions in three more cases (SpaceNet
and Telekom Deutschland (Joined Cases C-793/19 and C-794/19), GD
v Commissioner of the Garda Síochána (Case C-140/20)
and VD
and SR (Joined Cases C-339/20 and C-397/20)) which concern the retention of
communications data, and constitute the latest instalment of a saga that
started – ineffectually as far as rights-based arguments are concerned – in the
unsuccessful Irish challenge to the Treaty base chosen for the Data Retention
Directive (Directive 2006/24/EC) (Ireland
v European Parliament and Council (Case
C-301/06)).
The Data Retention Directive,
which provided for communications data retention, effectively within the scope
of the exceptions found in Article 15 of the e-Privacy Directive (Directive
2002/58/EC) to the principle of communications confidentiality, was struck
down in Digital
Rights Ireland (Joined Cases C-293/12 and C-594/12) (discussed here). Building on the principles there, a series of
cases developed the constraints on what was permitted by Article 15 e-Privacy
Directive, notably: Tele2 Sverige
and Watson (Joined cases C-203/15 and C-698/15) (discussed here and here), La
Quadrature du Net and Others (Joined cases
C-511/18, C-512/18 and C-520/18) and Privacy
International (Case C-623/17) (discussed here). Points of detail have been added in Ministerio
Fiscal (Case C-207/16) (discussed here) and HK
v Prokuratuur (Case C-746/18). The
principles underpin the data transfer cases: Schrems
I and Schrems
II. As well as
recommending that the Court continue with its approach, maintaining the gap
between it and the European Court of Human Rights, the Opinion of the Advocate
General indicated a certain irritation with the national courts unwilling to
apply clear principles and necessitating more Grand Chamber rulings on this
topic. In other words, not much is new
here, but rather a re-iteration of the principles and distinctions on which
this juriprudence has been built.
The Cases
SpaceNet
and Telekom
Deutschland concern the German
legislation requiring internet service providers to retain communications data.
Reflecting to some degree the concerns highlighted in the CJEU’s previous
jurisprudence, the German law had excluded the communications data of certain
help lines from the regime, the data collected was retained for a comparatively
short period, and there were safeguards against misuse of the retained data.
SpaceNet and Telekom Deutschland had each challenged this law on the basis of
the CJEU’s jurisprudence.
GD v Commissioner
of the Garda Síochána arises from a
murder case, the prosecution of which was based on communications data retained
and accessed via legislation that provided for mass retention of data. The
defendant challenged the admissibility of this data arguing it was contrary to
EU law requirements.
Joined cases VD and SR also concern criminal prosecution for financial offences,
based on communications data. This time the data retention was based on
national law implementing Directive 2003/6/EC, as well as Regulation 596/2014,
rather than concerning the e-Privacy Directive. These rules allowed access to
existing communications data held by telecommunications operators. The reference
raised the question of these rules’ compliance with the fundamental rights of
Article 7 and 8 EU Charter, as interpreted by the case law on the e-Privacy
Directive.
In each case, the Advocate General suggested that the Court hold that
the national laws were incompatible with Charter rights, re-iterating that the
relevant provisions
‘must be interpreted as precluding national legislation
which obliges providers of publicly available electronic communications
services to retain traffic and location data of end users of those services on
a precautionary, general and indiscriminate basis for purposes other than that
of safeguarding national security in the face of a serious threat that is shown
to be genuine and present or foreseeable’ (Spacenet, para 84)
In all three opinions, he re-stated the conditions found in La
Quadrature du Net, para 128. This
principle was specifically applied to investigations into insider dealing or
market abuse (ie not national security) in VD
and SR (para 97). In GD it added that access to such data legitimately retained
must be subject to prior independent authorisation, and that the temporal
effect of the ruling could not be limited (so that the ruling had prospective
effect only) (GD, para 82 – see to similar effect VD
and SR, para 97). The
Advocate General also noted that there was a distinction between the approach
of the CJEU and the European Court of Human Rights, but that the jurisprudence
of that Court provided a base level and the requirements of the Charter could
be higher than those of the Convention.
Comment
The jurisprudence has built on a series of, generally binary,
distinctions, the most basic of which is that between EU and national
competence, given that Article
4(2) TEU requires the EU to respect Member
States’ essential state functions, including maintaining law and order. It
specifically states:
“national security remains the sole responsibility of each
Member State”.
Many Member States use data retention and the analysis of data as part
of their fight against terrorism and in support of national security. On this
basis it has been argued that national laws providing for such schemes fall
outside the competence of the EU, and in SpaceNet a number of governments intervened to make the same
argument again. This argument in the
words of the Advocate General has been “emphatically rejected” (SpaceNet, para 32), citing La
Quadrature du Net, though this
position is more clearly seen in Privacy International and had already been established in Tele2
Sverige and Watson (and could be seen
as implicit in the distinctions employed in Ireland
v European Parliament and Council). While Article 4
TEU does exclude national security from the scope of EU law, it is to be
narrowly understood - applicable to the activities of intelligence agencies for
the purposes of safeguarding national security. This seems to be a
well-established principle and unlikely to be disturbed now, no matter the
representations of the Member States.
Another longstanding distinction made in the case law is between
content of communications and communications data (meta data), including
traffic data (which seemingly also includes the subscriber name and the IMEI
address of the mobile device according to Ministerio
Fiscal, paras 40-42) and
location data. Mass acquisition of the
content of communications goes to the essence of the right and cannot
be justified. The Court has
accepted that the acquisition of communications data in principle could be
justified, as can be seen in Tele2 Sverge and Watson, Privacy International and La Quadrature du Net, suggesting that the intrusion cause by mass acquisition of
communications data is less intrusive than knowledge of content. Whether –
given the harm attributed to this collection: the possibility of creating
detailed profiles on individuals – this is wholly true is debatable. Note, however, that the Court has accepted
that some sorts of data may be seen as less sensitive – notably identity and IP
addresses in the context of criminal investigations.
The Court suggested in Ministerio Fiscal that the intrusion was less (perhaps to enable itself to
justify taking a different approach from Tele2
Sverige and Watson), though it was
unclear as to whether this was to do with the type of data in issue or because
of the limited amount of data involved (and its severability from other data).
In its ruling, the Court confirmed that access to retained data which reveals
the date, time, duration and recipients of the communications, or the locations
where the communications took place, must be regarded as a serious interference
since that data allows precise conclusions to be drawn about the private lives
of the persons concerned (para 60), suggesting it is what you can do with the
data that is important rather than the amount of data. The Court has suggested in other contexts
that certain types of data are less important: see the data involved in PNR
cases (Opinion
1/15, especially para 151, discussed here). In the current opinions, the Advocate General reiterated
the position in La Quadrature du Net as regards IP addresses and identity (Spacenet, paras 81-82; VD and SR, para 80) but did not elaborate further. The question about small sets of eg location
data remains open.
This possibility of profiling and its impact on users has led the Court
to develop stringent conditions for the collection of data which are based on
two interlinking sets of distinctions: that between general and targeted
measures, and between national security and the fight against crime (with a
sub-division between serious and other sorts of crime). For all three cases, the Advocate General
re-iterated the general principles established by the case law to date- though
it is worth noting that he relied for preference on La
Quadrature du Net (as a judgment
which synthesised or summarised preceding case law), rather than other landmark
cases – notably Tele2 Sverige and Watson – perhaps because (in
the eyes of some) La
Quadrature du Net allowed some State
measures that would not seem on first glance to fall within Tele
2 Sverige and Watson – and which the
Advocate General described as “supplementary qualifications” (GD, para 4). So, “general and indiscriminate retention of
traffic and location data can be justified only by the objective of
safeguarding national security”, which is distinct and more serious or
important than the other objectives listed in Article 15 e-Privacy Directive (GD, para 36, Spacenet, para 37, VD and SR, para 75, each citing La
Quadrature du Net). In sum, provided
all the other conditions are satisfied, national security threats justify
indiscriminate data retention, whereas serious crimes only suffice to legitimise
targeted data retention.
Of course, this begs the question of what falls within national
security for the purposes of Article 15 and what constitutes serious crime.
According to Ministero Fiscal, the boundary between crime and serious crime falls to be
determined by the Member States. While respecting national procedural autonomy,
this might be open to manipulation or interpreted
broadly (as the special, expansive definition of
serious crime in the Investigatory Powers Act – when the UK was still a member
of the EU – suggests). The Court in La
Quadrature du Net suggested that
national security
“encompasses the prevention and punishment of activities capable of seriously
destabilizing the fundamental constitutional, political, economic or social
structures of a country and, in particular, of directly threatening society,
the population or the State itself” (para 135).
In VD and SR the Advocate General emphasised that the two types of
measures – those aimed at safeguarding national security and those which are
aimed at combatting crime – cannot have the same scope as otherwise the
distinctions in La Quadrature du Net (with regard to the possibility of indiscriminate
surveillance) would have no purpose and the fundamental rights protections
would likely be undermined – and this is true no matter how serious the crime (VD
and SR, paras 83-86).
As regards targeting, the Court has suggested that this need not be at
the level of the individual but could relate to localities or to groups –
suggestions which may raise all manner of social, political as well as
technical questions (and see here, Interpol’s distinctions). As the Advocate General pointed
out, it is not the responsibility of the CJEU to draft compliant regimes; this
is the responsibility of the Member States.
La
Quadrature du Net imposed conditions
on national security and generalised surveillance, as well as on targeted
surveillance for serious crime. In Privacy
International, the CJEU restated
its position that national legislation must develop objective criteria for both
the acquisition of a particular dataset from a service provider and its actual
use by the relevant authorities (see paras 78-81). Moreover, it seems that these
conditions apply not just to traffic and location data, but also provisions
regarding the preventive retention of IP addresses, subscriber information and
other measures aimed at combatting serious crime. But, there are questions
about the extent to which various sorts of safeguards may compensate for other
weaknesses in the system (and this same question can be seen in respect of the
European Court of Human Right’s jurisprudence where it blends lawfulness with
safeguards and safeguards with proportionality, effectively reducing the
scrutiny over acquisition in favour of control over use – an approach which
does not deal with the chilling effect of Government access to and storage of
data). The Advocate General here rejects this blurring of safeguards over
access with control over acquisition and retention:
“for the Court, ‘the retention of traffic and location data
constitutes, in itself … an interference with the fundamental rights to respect
for private life and the protection of personal data’. In this regard ‘access
to such data is a separate interference’ with those fundamental fights,
irrespective of the subsequent use made of it.
For the present purposes it is therefore irrelevant that the
data protection arrangements for retained data provided for in the German
legislation (a) provide effective safeguards to protect those data; (b) place
rigorous and effective limits on access conditions, restricting the circle of
people who can access the data; and (c) allow the retained data to be used
solely for the purposes of investigating serious offences and preventing
specific risks to life or a person’s freedom or to the security of the state.
The truly decisive element is that, … , the retention
obligation at issue is not in itself subject to any specific conditions.”
(paras 74-76)
Limited retention periods constitute another such safeguard; as the
German Government argued in Spacenet, it means that less detailed profiles might be drawn – and
in this seems similar to the approach of the Advocate General in HK
v Prokuratuur (para 82). While
the Court agreed that the period of data retention was a relevant factor in
determining the severity of the intrusion, however, it took the view that
traffic and location data are generally sensitive because they allow for far-reaching
conclusions about private life and that therefore should only be permitted in
relation to serious crime (and presumably the protection of national
security). The Advocate General noted in
Spacenet that a limited
retention period cannot justify a general retention requirement (in relation to
crime) (para 66). Moreover, the time period must be considered alongside the
quantity of data retained and the techniques available for analysis (Spacenet, para 70).
While acquisition, storage and access of data constitute different
infringements (and real-time access may give rise to different levels of
intrusion from analysis of historic data), there are questions about the links
between them. If retention may be justified only for serious crime, presumably
access is likewise limited (the Court did not discuss this point in Ministerio
Fiscal). This link was
discussed in VD and SR. The legislation permitted access to existing records, but
did not provide a basis for storage in the first instance. While the French
Government argued that the market manipulation legislation implicitly allowed
for data retention, the Advocate General argued that these existing records
“can only be ‘lawfully existing records’, that is to say those compiled in
accordance with Directive 2002/58” (VD and SR, para 62, emphasis in original).
This makes clear that matters pertaining to communications
confidentiality are not easily to be displaced. In any event, even if such
‘implicit authorisation’ were to be accepted, “such retention would be subject
to the same conditions as would necessarily apply if it were based on any other
EU legislative provision”. That is, all EU legislation must comply with the
requirements of the EU Charter and the Court’s interpretation of the requirements
of Article 7 and 8, arising in the context of the e-Privacy Directive, do not
apply to Article 7 and 8 only in the context of that directive but more
generally. This recognition is important given the increasing acquisition of
data by the private sector and its sharing with the public sector with the aim
of delivery of public services of all kinds. For this reason, the requirement
of approval of access requests by an independent body (seen also in GD in the
context of the e-Privacy Directive) also arose in relation to the insider
dealing and market manipulation legislation (para 95). We might see in this the beginnings of a
general approach to constraining state surveillance activities; it will be
interesting to see the extent to which the Court pulls through concerns about
profiling from this group of cases through to, for example, PNR. There is a new reference pending challenging
the broad nature of PNR data collected in Directive 2016/681/EU (Ligue
des droits humans (Case C-817/19) –
the hearing for this case is discussed here). The next question is where the boundary is between
concerns about profiling in the context of national security and combatting
crime, and profiling to support data-driven public service delivery more
generally. This distinction does not yet seem to have been considered.
Barnard & Peers: chapter 9
JHA4: chapter II:7
Photo credit: EFF-Graphics, via Wikicommons
No comments:
Post a Comment