Showing posts with label Directive 2006/24. Show all posts

Wednesday, 20 July 2016

Human Rights and National Data Retention Law: the Opinion in Tele 2 and Watson




Lorna Woods, Professor of Internet Law, University of Essex

Yesterday’s Advocate-General’s opinion concerns two references from national courts which both arose in the aftermath of the invalidation of the Data Retention Directive (Directive 2006/24) in Digital Rights Ireland, and which deal with whether the retention of communications data en masse complies with EU law. The question is important for the regimes that triggered the references, but in the background is a larger question: can mass retention of data ever be human rights compliant? While the Advocate General clearly states this is possible, things may not be that straightforward.

Background

Under the Privacy and Electronic Communications Directive (Directive 2002/58), EU law guarantees the confidentiality of communications transmitted via a public electronic communications network. Article 1(3) of that Directive limits the field of application of the directive to activities falling within the TFEU, thereby excluding matters covered by Titles V and VI of the TEU at that time (e.g. public security, defence, State security). Even within the scope of the directive, Article 15 permits Member States to restrict the rights granted by the directive

‘when such restriction constitutes a necessary, appropriate and proportionate measure within a democratic society to safeguard national security, defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic system..’.

Specifically, Member States were permitted to legislate for the retention of communications data (i.e. details of communications but not the content of the communication) for the population generally. The subsequent Data Retention Directive specified common maximum periods of retention and safeguards, and was implemented (in certain instances with some difficulty) by the Member States.

Following the invalidation of the Data Retention Directive, the status of Member State data retention laws was uncertain. This led both Tele2 and Watson (along with a Conservative MP, David Davis, who withdrew his name when he became a cabinet minister) to challenge their respective national data retention regimes, essentially arguing that such regimes were incompatible with the standards set down in Digital Rights Ireland. The Tele2 case concerned the Swedish legislation which implemented the Data Retention Directive. The Watson case concerned UK legislation which was implemented afterwards: the Data Retention and Investigatory Powers Act (DRIPA). Given this similarity, the cases were joined.

The Swedish reference asked whether traffic data retention laws that apply generally are compatible with EU law, and asked further questions regarding the specifics of the Swedish regime. Watson et al asked two questions: whether the reasoning in Digital Rights Ireland laid down requirements that were applicable to a national regime; and whether Articles 7 and 8 of the EU Charter of Fundamental Rights (EUCFR) established stricter requirements than Article 8 of the European Convention on Human Rights (ECHR) – the right to private life. Although the latter case concerns the UK, the Court’s ruling will still be relevant if the UK leaves the EU because the CJEU case law provides that non-Member States’ data protection law must be very similar to EU data protection law in order to facilitate data flows (see Steve Peers’ discussion here).

Opinion of the Advocate General

The Advocate General dealt first with the question about the scope of the protection under the EUCFR. The Advocate General regarded this question as inadmissible because it was not relevant to resolving the dispute. In so doing, he confirmed that the obligation in Article 52 EUCFR to read the rights granted by the EUCFR in line with the interpretation of the ECHR provided a base line and not a ceiling of protection. The EU could give a higher level of protection; indeed Article 52(3) EUCFR expressly allows for the possibility of ‘… Union law providing more extensive protection’.

Moreover, Article 8 EUCFR, in providing a specific right to data protection, is a right that has no direct equivalent in the ECHR; the Advocate General therefore argued that the rule of consistent interpretation in Article 52(3) EUCFR does not apply to Article 8 EUCFR (Opinion, para 79). Later in the Opinion, the Advocate General also dismissed the suggestion that Digital Rights Ireland did not apply because the regime in issue in Watson et al was a national regime and not one established by the EU legislature. Articles 7, 8 and 52 EUCFR were interpreted in Digital Rights Ireland and are again at issue here: Digital Rights Ireland is therefore relevant despite the different jurisdiction of the court (paras 190-191).

The Advocate General then went on to consider whether EU law permits Member States to establish general data retention regimes.  The first question was whether Article 1(3) meant general data retention regimes were excluded from the scope of Directive 2002/58 because the sole use of the data was for the purposes of national security and other grounds mentioned in Art 1(3).  The Advocate General made three points in response:

Given that Article 15(1) specifically envisaged data retention regimes, national laws establishing  such a regime were in fact implementing Article 15(1) (para 90).

The argument the governments put forward related to access to the data by public authorities, whereas the national schemes concerned the acquisition and retention of that data by private bodies; that the former might lie outside the directive did not imply that the latter also did (paras 92-94).

The approach of the Court in Ireland v Parliament and Council (Case C-301/06), which was a challenge to the Data Retention Directive as regards the Treaty provision on which it was enacted, meant that general data retention obligations ‘do not fall within the sphere of criminal law’ (para 95).

The next question was whether Article 15 of the Directive applied. The express wording of Article 15, which refers to data retention, makes clear that data retention is not per se incompatible with Directive 2002/58. The intention was rather to make any such measures subject to certain safeguards. This means that data retention can be legal provided the scheme complies with the safeguards (para 108). Indeed, following his earlier reasoning, the Advocate General rejected the argument that Article 15 is a derogation and should therefore be read restrictively.

This brings us to the question of whether sufficient safeguards are in place. Since the Advocate General took the view that in providing for general data retention regimes the Member States are implementing Article 15, such measures fall within the scope of EU law and therefore, according to Article 51 EUCFR, the Charter applies, even if rules relating to access to the data by the authorities lie outside the scope of EU law (paras 122-23).  Nonetheless, given the close link between access and retention, constraints on access are of significance in assessing the proportionality of the data retention regime.

Assessing compliance with the EUCFR requires, as a first step, identifying an interference with the rights protected. The Advocate General referred to Digital Rights Ireland to accept that ‘[g]eneral data retention obligations are in fact a serious interference’ with the rights to privacy (Art 7 EUCFR) and to data protection (Art. 8 EUCFR) (para 128). Justification of any such interferences must satisfy both the requirements set down in Article 15(1) Directive 2002/58 AND Article 52(1) EUCFR which sets out the circumstances in which a Member State may derogate from a right guaranteed by the EUCFR (para 131). The Advocate General then identified 6 factors arising from these two obligations (para 132):

Legal basis for retention;
Observe the essence of the rights in the EUCFR (just Article 52 EUCFR, rather than Art 15 of the directive);
Pursue an objective of general interest;
Be appropriate for achieving that objective;
Be necessary to achieve that objective; and
Be proportionate within a democratic society to the pursuit of the objective.

As regards the requirement for a legal basis the Advocate General argued that the ‘quality’ considerations that are found in the ECHR jurisprudence should be expressly applied within EU law too. They must have the characteristics of accessibility, foreseeability and providing adequate protection against arbitrary interference, as well as being binding on the relevant authorities (para 150). These factual assessments fall to the national court. 

In the Opinion of the Advocate General, the ‘essence of the rights’ requirement – as understood in the light of Digital Rights Ireland – was unproblematic. The data retention regime gave no access to the content of the communication and the data held was required to be held securely. A general interest objective can also easily be shown: the fight against serious crime and protecting national security. The Advocate General, however, rejected the argument that the fight against non-serious crime and the smooth running of proceedings outside the criminal context could constitute a public interest objective. Likewise, data retention gives national authorities ‘an additional means of investigation to prevent or shed light on serious crime’ (para 177) and it is specifically useful in that general measures give the authorities the power to examine communications of persons of interest which were carried out before they were so identified. They are thus appropriate.

A measure must be necessary, which means that ‘no other measure exists that would be equally appropriate and less restrictive’ (Opinion, para 185). Further, according to Digital Rights Ireland, derogations and limitations on the right of privacy apply only insofar as strictly necessary. The first question was whether a general data retention regime can ever be necessary. The Advocate General argued that Digital Rights Ireland only ruled on a system where insufficient safeguards were in place; there is no actual statement that a general data retention scheme is not necessary. While the lack of differentiation was problematic in Digital Rights Ireland, the Court ‘did not, however, hold that that absence of differentiation meant that such obligations, in themselves, went beyond what was strictly necessary’ (Opinion, para 199). The fact that the Court in Digital Rights Ireland examined the safeguards suggests that the Court did not view general data retention regimes as per se unlawful (see also Schrems (Case C-362/14), para 93, cited here in para 203). On this basis the Advocate General opined:

a general data retention obligation need not invariably be regarded as, in itself, going beyond the bounds of what is strictly necessary for the purposes of fighting serious crime. However, such an obligation will invariably go beyond the bounds of what is strictly necessary if it is not accompanied by safeguards concerning access to the data, the retention period and the protection and security of the data. (para 205)

The comparison of the effectiveness of this sort of measure with that of other measures must be carried out within the relevant national regime, bearing in mind that generalised data retention makes it possible to ‘examine the past’ (para 208). The test to be applied, however, is not one of utility but that no other measure or combination of measures can be as effective.

The question is then of safeguards and in particular whether the safeguards identified in paras 60-68 of Digital Rights Ireland are mandatory for all regimes. These rules concern:

Access to and use of retained data by the relevant authorities;
The period of data retention; and
The security and protection of the data while retained.

Contrary to the arguments put forward by various governments, the Advocate General argued that ‘all the safeguards described by the Court in paragraphs 60 to 68 of Digital Rights Ireland must be regarded as mandatory’ (para 221, italics in original). Firstly, the Court made no mention of the possibility of compensating for a weakness in respect of one safeguard by strengthening another. Further, such an approach would no longer give guarantees to individuals to protect them from unauthorised access to and abuse of that data: each of the aspects identified needs to be protected. Strict access controls and short retention periods are of little value if the security pertaining to retained data is weak and that data is exposed. The Advocate General noted that the European Court of Human Rights in Szabo v Hungary emphasised the importance of these safeguards, citing Digital Rights Ireland.

While the Advocate General emphasised that it is for the national courts to make that assessment, the following points were noted:

In respect of the purposes for which data is accessed, the national regimes are not sufficiently restricted (only the fight against serious crime, not crime in general, is a general objective) (para 231).

There is no prior independent review (as required by para 62 Digital Rights Ireland) which is needed because of the severity of the interference and the need to deal with sensitive cases (such as the legal profession) on a case by case basis. The Advocate General did accept that in some cases emergency procedures may be acceptable (para 237).

The retention criteria must be determined by reference to objective criteria and limited to what is strictly necessary. In Zakharov, the European Court of Human Rights accepted 6 months as being reasonable but required that data be deleted as soon as it was not needed. This obligation to delete should be found in national regimes and apply to the security services as well as the service providers (para 243).

The final question relates to proportionality, an aspect which was not considered in Digital Rights Ireland.  The test is:

‘a measure which interferes with fundamental rights may be regarded as proportionate only if the disadvantages caused are not disproportionate to the aims pursued’ (para 247).

This opens a debate about the importance of the values protected. In terms of the advantages of the system, these had been rehearsed in the discussion about necessity. As regards the disadvantages, the Advocate General referred to the Opinion in Digital Rights Ireland, paras 72-74 and noted that

‘in an individual context, a general data retention obligation will facilitate equally serious interference as targeted surveillance measures, including those which intercept the content of communications’ (para 254)

and it has the capacity to affect a large number of people. Given the number of requests for access received, the risk of abuse is not theoretical.  While it falls to the national courts to balance the advantages and disadvantages, the Advocate General emphasised that even if a regime includes all the safeguards in Digital Rights Ireland, which should be seen as the minimum, that regime could still be found to be disproportionate (para 262).

Comment

It is interesting that the Court of Appeal’s reference did not ask the Court whether DRIPA was compliant with fundamental rights in the EUCFR. Rather, the questions sought to close off that possibility – firstly by limiting the scope of the EUCFR to a particular conception of Article 8 ECHR and secondly by seeking to treat Digital Rights Ireland, as a challenge to the validity of a directive, as not relevant within the national field. Although the Advocate General did not answer the first question, the reasons given for dismissing it make clear that the Court of Appeal’s approach was wrong. Indeed, it is hard to see how Art 52(3) when read in its entirety could support the argument that the EUCFR should be ‘read down’ to the level of the ECHR. The entire text of Article 52(3) follows:

In so far as this Charter contains rights which correspond to rights guaranteed by the Convention for the Protection of Human Rights and Fundamental Freedoms, the meaning and scope of those rights shall be the same as those laid down by the said Convention. This provision shall not prevent Union law providing more extensive protection.

The focus of the second question was likewise misguided. As the Advocate General pointed out, Digital Rights Ireland was based on the interpretation of the meaning of two provisions of the EUCFR, Articles 7 and 8.  They should have the same meaning wherever they are applied.

Quite clearly, the Advocate General aims to avoid saying that mass surveillance – here in the form of general data retention rules – is per se incompatible with human rights. Indeed, one of the headline statements in the Opinion is that ‘a general data retention obligation imposed by a Member State may be compatible with the fundamental rights enshrined in EU law’ (para 7). The question then becomes about reviewing safeguards rather than saying there are some activities a Member State cannot carry out. This debate is common in this area, as the case law of the European Court of Human Rights illustrates (see Szabo, particularly the dissenting opinion).

Fine distinctions abound. For example, the Advocate General relies on the distinction between metadata and content to reaffirm that the essence of Articles 7 and 8 has not been undermined. Yet while the Advocate General tries hard to hold that general data retention may be possible, tensions creep in. The point the Advocate General made in relation to the ‘essence of the right’ was based on the assumption that metadata collection is less intrusive than intercepting content. In assessing the impact of a general data retention regime, the Advocate General then implies the opposite (paras 254-5). Indeed, the Advocate General quotes Advocate General Cruz Villalon in Digital Rights Ireland that such surveillance techniques allow the creation of:

‘a both faithful and exhaustive map of a large portion of a person’s conduct strictly forming part of his private life, or even a complete and accurate picture of his private identity’.

The Advocate General here concludes that:

‘the risks associated with access to communications data (or ‘metadata’) may be as great or even greater than those arising from access to the content of communications’ (para 259).

Another example relates to the scope of EU law. The Advocate General separates access to the collected data (which is about policing and security) from the acquisition and storage of data, which concerns the activities of private entities. The data retention regime concerns this latter group and their activities, which fall within the scope of EU law. In this the Advocate General is following the Court in the Irish judicial review action challenging the legal basis of the Data Retention Directive (the outcome of which was that it was correctly based on Article 114 TFEU). Having separated these two aspects on the question of the scope of EU law, the Advocate General then glues them back together to assess the acceptability of the safeguards.

In terms of safeguards, the Advocate General resoundingly reaffirms the requirements in Digital Rights Ireland. All of the safeguards mentioned are mandatory minima, and weakness in one area of safeguards cannot be offset by strength in another area. If the Court takes a similar line, this may have repercussions for the relevant national regimes, for example as regards the need for prior independent review (save in emergencies). Indeed, in this regard the Advocate General might be seen to be going further than either European Court has. Further, the Advocate General restricts the purposes for which general data retention may be permitted to serious crime only (contrast here, for example, the approach to Internet connection records in the Investigatory Powers Bill currently before the UK Parliament).


Another novelty is the discussion of lawfulness. As the Advocate General noted, there has not been much express discussion of this issue by the Court of Justice, though the requirement of lawfulness is well developed in the Strasbourg case law. While this then might be seen not to be particularly new or noteworthy, the Advocate General pointed out that the law must be binding and that therefore:

‘[i]t would not be sufficient, for example, if the safeguards surrounding access to data were provided for in codes of practice or internal guidelines having no binding effect’ (para 150)

Typically, much of the detail of surveillance practice in the UK has been found in codes; as the security forces’ various practices became public many of these have been formalised as codes under the relevant legislation (see e.g. s. 71 Regulation of Investigatory Powers Act; codes available here). Historically, however, not all were publicly available, binding documents.

While the headlines may focus on the fact that general data retention may be acceptable, and the final assessment of compliance with the 6 requirements falls to the national courts, it seems that this is more a theoretical possibility than easy reality. The Advocate General goes beyond endorsing the principles in Digital Rights Ireland: even regimes which satisfy the safeguards set out in Digital Rights Ireland may still be found to be disproportionate. While Member States may not have wanted to have a checklist of safeguards imposed on them, here even following that checklist may not suffice. Of course, this opinion is not binding; while it is designed to inform the Court, the Court may come to a different conclusion. The date of the judgment has not yet been scheduled.

Barnard & Peers: chapter 9

JHA4: chapter II:7

Tuesday, 15 July 2014

Open letter on the UK's Data Retention and Investigatory Powers Bill



To all Members of Parliament,
Re: An open letter from UK internet law academic experts

On Thursday 10 July the Coalition Government (with support from the Opposition) published draft emergency legislation, the Data Retention and Investigatory Powers Bill (“DRIP”). The Bill was posited as doing no more than extending the data retention powers already in force under the EU Data Retention Directive, which was recently ruled incompatible with European human rights law by the Grand Chamber of the Court of Justice of the European Union (CJEU) in the joined cases brought by Digital Rights Ireland (C-293/12) and Seitlinger and Others (C-594/12) handed down on 8 April 2014.
In introducing the Bill to Parliament, the Home Secretary framed the legislation as a response to the CJEU’s decision on data retention, and as essential to preserve current levels of access to communications data by law enforcement and security services. The government has maintained that the Bill does not contain new powers.

On our analysis, this position is false. In fact, the Bill proposes to extend investigatory powers considerably, increasing the British government’s capabilities to access both communications data and content. The Bill will increase surveillance powers by authorising the government to:
· compel any person or company – including internet services and telecommunications companies – outside the United Kingdom to execute an interception warrant (Clause 4(2));
· compel persons or companies outside the United Kingdom to execute an interception warrant relating to conduct outside of the UK (Clause 4(2));
· compel any person or company outside the UK to do anything, including complying with technical requirements, to ensure that the person or company is able, on a continuing basis, to assist the UK with interception at any time (Clause 4(6));
· order any person or company outside the United Kingdom to obtain, retain and disclose communications data (Clause 4(8)); and
· order any person or company outside the United Kingdom to obtain, retain and disclose communications data relating to conduct outside the UK (Clause 4(8)).

The legislation goes far beyond simply authorising data retention in the UK. In fact, DRIP attempts to extend the territorial reach of the British interception powers, expanding the UK’s ability to mandate the interception of communications content across the globe. It introduces powers that are not only completely novel in the United Kingdom, they are some of the first of their kind globally.

Moreover, since mass data retention by the UK falls within the scope of EU law, as it entails a derogation from the EU's e-privacy Directive (Article 15, Directive 2002/58), the proposed Bill arguably breaches EU law to the extent that it falls within the scope of EU law, since such mass surveillance would still fall foul of the criteria set out by the Court of Justice of the EU in the Digital Rights and Seitlinger judgment.

Further, the bill incorporates a number of changes to interception whilst the purported urgency relates only to the striking down of the Data Retention Directive. Even if there was a real emergency relating to data retention, there is no apparent reason for this haste to be extended to the area of interception.

DRIP is far more than an administrative necessity; it is a serious expansion of the British surveillance state. We urge the British Government not to fast track this legislation and instead apply full and proper parliamentary scrutiny to ensure Parliamentarians are not misled as to what powers this Bill truly contains.

Signed,



Dr Subhajit Basu, University of Leeds
Dr Paul Bernal, University of East Anglia
Professor Ian Brown, Oxford University
Ray Corrigan, The Open University
Professor Lilian Edwards, University of Strathclyde
Dr Theodore Konstadinides, University of Surrey
Professor Chris Marsden, University of Sussex
Dr Karen Mc Cullagh, University of East Anglia
Dr. Daithí Mac Síthigh, Newcastle University
Professor David Mead, University of East Anglia
Professor Andrew Murray, London School of Economics
Professor Steve Peers, University of Essex
Julia Powles, University of Cambridge
Professor Burkhard Schafer, University of Edinburgh

Professor Lorna Woods, University of Essex

Thursday, 10 July 2014

Does the UK’s new data retention bill violate the EU Charter of Fundamental Rights?




Steve Peers

Following the judgment of the Court of Justice of the European Union (CJEU) from April this year, invalidating the EU’s data retention directive, several Member States’ courts have declared their national law invalid. However, the UK government is going in the other direction, tabling emergency legislation today in order to retain data retention powers for the UK.  

Does this proposed law fall within the scope of EU law? If so, does it violate the EU Charter of Fundamental Rights? A previous post on this blog assessed generally the question of how the judgment applies to national data retention laws, and this post applies that analysis to the specific case of the new UK bill.

First of all, according to Article 51 of the Charter as interpreted by the CJEU, there must be a link between the national law and EU law. In this case, the link is Article 15(1) of the EU’s e-privacy Directive, which specifies that Member States may restrict the rights in that Directive relating to the confidentiality of communications, location and other traffic data and caller identification:


'when such restriction constitutes a necessary, appropriate and proportionate measure within a democratic society to safeguard national security (i.e. State security), defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system, as referred to in Article 13(1) of Directive 95/46/EC. To this end, Member States may, inter alia, adopt legislative measures providing for the retention of data for a limited period justified on the grounds laid down in this paragraph. All the measures referred to in this paragraph shall be in accordance with the general principles of Community law, including those referred to in Article 6(1) and (2) of the Treaty on European Union.'

The CJEU has recently confirmed that the EU Charter applies to derogations from EU law. More specifically, the CJEU has ruled repeatedly on the application of the Charter to cases where copyright holders have invoked this clause of the e-privacy Directive to justify planned restrictions upon Internet use (see most recently the Telekabel Wien judgment). So logically there is equally a link between EU law and the invocation of this clause for other purposes, most obviously in the criminal law context.

Does the proposed Bill constitute an invocation of this clause in the e-privacy Directive?  Not explicitly. But there is no legal requirement that such an express link has to be made in the national legislation concerned.

So let’s look at the wording of the Bill. Clause 1 allows the government to draw up a statutory instrument that can require ‘a public telecommunications operator to retain relevant communications data’. Clause 2(1) defines a ‘public telecommunications operator’ as ‘a person who (a) controls or provides a public telecommunication system, or (b) provides a public telecommunications service’. The Directive applies to (similarly defined) providers of a ‘public communications network’ or ‘electronic communications services’. The data being retained would be ‘traffic data’ as defined by earlier UK law, and the rule in the e-privacy Directive also applies to traffic data. The purposes for which the data would be retained in part match those referred to in the Directive, most obviously as regards national security, crime, disorder and public safety.

So to the extent that there is a correspondence between the data being retained, the body retaining it, and the purposes for retaining it, the UK Bill will, if enacted, be linked to EU law, and therefore the EU Charter of Fundamental Rights. There will clearly be such a correspondence in many cases.

The second question is whether the new UK law would violate the Charter. To a large extent, it will be difficult to be certain on this point until the statutory instrument is proposed and adopted, since the Bill would only confer broad powers to act on the government. But Clause 1(2) of the Bill does provide that the telecoms companies might be required to collect ‘all’ data as defined by the future Act.

If that means that untargeted data might be collected, that brings us to the question of what the EU’s data retention judgment actually means. Does it ban mass surveillance in general, or simply require that such surveillance be subject to safeguards? If the latter, narrower meaning is correct, such safeguards could be provided for either in this Bill and/or in the statutory instrument.

According to the CJEU, the safeguards missing from the data retention directive were: a definition of ‘serious crime’; the purpose of subsequent access to the data; limits on the number of persons who could access the data; control of access to the data by means of a court or other independent administrative authority; stronger rules on the data retention period, for instance as regards the categories of data to be retained for the whole period, as well as the protection of the data from unlawful access and use; rules on an obligation to destroy the data; and an obligation to retain the data within the EU only.

Clause 1(4) of the Bill sets out a non-exhaustive list of certain safeguards which the government could include in a statutory instrument. This list partly, but not wholly, corresponds to the list of safeguards referred to in the CJEU judgment. In order to satisfy the CJEU, the subsequent act will have to include all of the relevant safeguards to a satisfactory standard.

But even if all such safeguards are indeed provided for, I have argued previously that the broader interpretation of the Court’s judgment is correct: no mass surveillance is possible. If that is correct, then the provision in the draft Bill to permit a requirement to collect ‘all’ data is inherently suspect, and it would certainly be a breach of EU law to require telecom providers to retain all traffic data within the scope of the e-privacy Directive without some form of further targeting.

In conclusion, much of the UK’s draft Bill would, if adopted, fall within the scope of EU law, and therefore the Charter of Rights. It is possible, depending on the future statutory instrument, that the rules, when applied, will comply with the data retention safeguards demanded by the CJEU. But the government’s intention, as manifested by the Bill, to reinstitute mass surveillance of telecoms traffic data is a clear breach of the EU Charter of Fundamental Rights.


Barnard & Peers: chapter 6, chapter 9

Sunday, 20 April 2014

Are national data retention laws within the scope of the Charter?



By Steve Peers

Following the annulment of the EU’s data retention Directive by the CJEU, an obvious important question arises: are national data retention laws subject to the same ruling of the Court? The purpose of this post is to set out the reasons why they are.

The starting point for this analysis is Article 51 of the EU’s Charter of Fundamental Rights, which states that the Charter applies to the EU institutions and other EU bodies, but to the EU’s Member States ‘only’ when they are ‘implementing’ EU law. What does that mean? 

On the narrowest interpretation, Member States ceased to be implementing EU law on data retention from the moment that the data retention Directive became invalid. After all, from that point, there was no EU data retention law to implement. However, it is arguable that Member States can still be regarded as ‘implementing’ EU law where their national legislation was introduced to implement an EU obligation. It’s a novel point, because it’s rare for the CJEU to annul EU laws on substantive grounds. And where the Court has done so, it has more often annulled only a small part of those EU laws (in the Test-Achats judgment, for instance).

But that is merely an alternative argument that the EU Charter continues to apply to national data retention law. The main argument is based on solidly established case law of the CJEU regarding the scope of EU human rights protection where Member States derogate from EU law.

EU human rights rules and national derogations from EU law

As far back as 1991, the CJEU ruled in the ERT case that where Member States derogate from EU internal market rules, they are still subject to EU human rights obligations (which then took the form only of the EU’s ‘general principles of law’, since the Charter was not yet a gleam in anyone’s eye). This was confirmed in the Familiapress judgment, as regards exceptions from the internal market rules which are based on the CJEU’s ‘rule of reason’ case law, rather than the express exceptions in the Treaties.

Does the Charter take the same approach? While many assumed that the word ‘implementing’ in the text of Article 51 suggested a narrower interpretation than under the prior case law, in its judgment in Fransson the CJEU stated that its prior case law regarding the scope of the general principles applied equally to the Charter. While that judgment did not concern derogations from EU law, the CJEU should shortly be ruling on this point in the case of Pfleger (judgment due 30th April), where the Advocate-General’s opinion assumes as much. Pending the possible confirmation in that judgment, it should be assumed for the time being that the Charter does indeed apply to national derogations from EU law, given that the CJEU made no distinction in Fransson as regards the aspects of its prior case law which were still applicable.

In any event, even if the Charter does not apply to national derogations from EU law, the general principles still do, given that they have a continued existence independent from the Charter in Article 6(3) TEU.

Applying the case law

Two further issues arise. First of all, does EU human rights law apply where Member States are not derogating from EU internal market rules in the Treaty, but from other rules of EU law? In principle it should, given that the Treaties list other EU objectives besides the creation of an internal market. Why should EU human rights rules only apply as regards national derogations from EU rules in one particular area of EU law, but not as regards derogations from EU rules in other areas of law?

Anyway, the CJEU has in effect confirmed that Member States are bound by the Charter and the general principles even where the law in question does not concern the internal market. In EP v Council and the subsequent case of Chakroun, the CJEU ruled that national derogations from the EU’s family reunion Directive had to comply with human rights obligations, without suggesting any distinction in this regard between national derogations from EU internal market rules in the Treaty and national derogations from other EU rules set out in EU legislation.

Secondly, is there an EU law rule that Member States are derogating from when they continue to apply national data retention laws? Indeed, there is: Article 15(1) of the EU’s e-privacy Directive specifies that Member States may restrict the rights in that Directive relating to the confidentiality of communications, location and other traffic data and caller identification:

'when such restriction constitutes a necessary, appropriate and proportionate measure within a democratic society to safeguard national security (i.e. State security), defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system, as referred to in Article 13(1) of Directive 95/46/EC. To this end, Member States may, inter alia, adopt legislative measures providing for the retention of data for a limited period justified on the grounds laid down in this paragraph. All the measures referred to in this paragraph shall be in accordance with the general principles of Community law, including those referred to in Article 6(1) and (2) of the Treaty on European Union.'

In fact, the CJEU has ruled repeatedly on the application of the Charter to cases where copyright holders have invoked this clause to justify planned restrictions upon Internet use (see most recently the Telekabel Wien judgment). There is no reason why the CJEU would not also apply the clause to data retention on crime-fighting grounds, given that the second sentence of Article 15(1) refers expressly to data retention and the first sentence refers expressly to criminal law.

Finally, while some forms of data retention might fall outside the scope of the e-privacy Directive, which in principle applies to telecommunications service providers (not, for instance, to social networks or search engines), those other forms of data retention would anyway fall within the scope of the similar Article 13 of the main data protection Directive, given that they would clearly constitute the processing of personal data within the scope of that Directive. Neither the ‘household exception’ to that Directive nor the exception for processing in the field of criminal law would apply – since the data retention would be taking place in the context of a commercial activity (see the judgment on the legal base of the data retention Directive by analogy).


[Update: see discussion of the later Pfleger judgment here. Two cases on national data retention laws were later referred to the CJEU; see discussion of them here.]

Barnard & Peers: chapter 6, chapter 9

Tuesday, 8 April 2014

The data retention judgment: The CJEU prohibits mass surveillance



Steve Peers

On July 7, 2005 a relative of mine started her journey to work on a London tube train. Within half an hour, bombs on that train left by terrorists exploded, in conjunction with three other bombs across London. Dozens of people died (although my relative was not injured).

Understandably, public concern about terrorist incidents, following on from the earlier outrages of 9/11 and the Madrid bombings, led to further EU anti-terrorist legislation. In particular, the British Presidency of the EU Council made it a top priority to adopt legislation providing for retention of a large amount of communications data. But according to the Court of Justice of the European Union (CJEU), in a crucial judgment today, that legislation was essentially an over-reaction to these terrorist atrocities. The Court has effectively prohibited mass surveillance in the EU, and thus taken significant steps to entrench itself as the EU’s constitutional court.


Summary of the judgment


As discussed in detail by Chris Jones’ post on this blog, the Directive requires Member States to require telecommunications service providers to retain significant amounts of data on the use of all forms of telecommunications by all individuals within the EU, for a period of between 6 months and 2 years. This data is collected for the use of law enforcement agencies as regards investigations into serious crime or terrorism, but there are no detailed rules in the Directive governing the access to and use of the data by those authorities. The CJEU only found it necessary to address the question of the validity of the Directive in light of the Charter rights to privacy and data protection (Articles 7 and 8 of the Charter).

First of all, the Court unsurprisingly had no difficulty finding that the Directive interfered with the protection of those two rights. Its analysis focussed instead on whether such an interference could be justified.

The rules on justifying interferences with Charter rights are set out in Article 52 of the Charter. Any limitation upon Charter rights must be laid down by law, respect the essence of the right, and, subject to the principle of proportionality, limit rights and freedoms only if it is necessary and genuinely meets public interest objectives and the rights and freedoms of others. The Court easily found that there was a public interest justification (public safety) for the restriction of the Charter rights at issue. It also found that the ‘essence’ of the rights was not affected, because (as regards the right to privacy) the content of communications was not recorded, and (as regards the right to data protection) certain data processing and data security rules had to be respected.

Therefore the key issue in the Court’s ruling was the proportionality of the interference with Charter rights. The Court indicated that judicial review of the EU legislature’s discretion should be ‘strict’ in this case, applying factors such as the area of law concerned, the nature of the right, the nature and seriousness of the infringement and the objective pursued. Here, it followed from the nature of the right and the nature and seriousness of the infringement that the EU legislature’s discretion was reduced; the CJEU took no account expressly of the objective being pursued.

The first aspect of proportionality (the appropriateness of the interference with the right for obtaining the objective) was fulfilled, because the data concerned might be useful to investigations. However, the CJEU found that the Directive was problematic as regards the second facet: the necessity of the measure in question. Crucially the Court ruled that the important objective of investigating serious crime and terrorism did ‘not, in itself’ justify data retention. So for the CJEU, the safety of the people is not the supreme law.

Its analysis proceeded by setting out the general importance of safeguards as regards the protection of privacy and data protection rights (building upon the case law of the European Court of Human Rights). These safeguards are even more necessary when data is processed automatically, with a risk of unlawful access.

 Applying this test, the Court gave three reasons why the rules on data retention in the Directive were not strictly necessary. First of all, the Directive had an extremely broad scope, given that it applied to all means of electronic communication, which have ‘widespread and growing importance’ in everyday life, without being sufficiently targeted. Indeed, it ‘entails an interference with the fundamental rights of practically the entire European population’. In other words (the Court does not use the term), it amounts to mass surveillance.

Secondly, besides the ‘general absence of limits’ in the Directive, it failed to limit access to the data concerned by law enforcement authorities, and the subsequent use of that data, sufficiently precisely. In particular: it referred generally to ‘serious crime’ as defined in national law; it did not restrict the purpose of subsequent access to that data; it did not limit the number of persons who could access the data; and it did not control access to the data by means of a court or other independent administrative authority.

Thirdly, the Directive did not set out sufficient safeguards, as regards: the data retention period, for instance as regards the categories of data to be retained for the whole period; the protection of the data from unlawful access and use (here the CJEU criticises the possible limits on protection measures due to reasons of cost); the absence of an obligation to destroy the data; and the omission of a requirement to retain the data within the EU only.


Comments


The CJEU reached the same conclusion as the Advocate-General’s opinion, but for different reasons. In the Advocate-General’s view, the Directive was invalid because it breached the ‘quality of law’ requirement applicable to interferences with Charter rights, having failed to establish sufficient safeguards relating to access to and use of the data. It also was disproportionate for failing to explain why storage periods of up to two years were necessary. The Court’s ruling appears to go further, by ruling out mass surveillance in principle.

The opinion discussed some interesting and important issues that the Court does not directly address, in particular: the existence of a ‘quality of law’ requirement as regards breaches of the Charter; whether the EU or the Member States have responsibility for ensuring the satisfaction of that requirement in this case; and the complications of the ‘legal base’ issue, ie the awkward point that inserting safeguards relating to law enforcement authorities might go beyond the ‘internal market’ legal base of the legislation. It might be deduced that the CJEU has a view on these issues: there is a ‘quality of law’ rule; the EU is responsible for upholding that requirement in this case; and the ‘legal base’ point is not a barrier to the EU adoption of rules regulating law enforcement authorities. But unfortunately, the Court did not expressly spell out its reasoning on these issues. It is certainly peculiar that, having ruled previously that the Directive was validly based on EU internal market powers, the CJEU rules here that its interference with Charter rights is justified by the objective of public safety.

As for the reasoning which the Court did provide, as usual it was easy to find public interest objectives for the interference with rights. The most important part of the reasoning is therefore the analysis of the interference with the ‘essence’ of the right, and of proportionality. It is very significant that the Court makes clear that these are two different issues: even if the essence of a right is respected, legislation can be disproportionate. Earlier case law on restriction of rights often seemed to suggest that respecting the essence of rights was sufficient.

Another important aspect of the judgment is the development of a doctrine indicating when strict scrutiny of the EU legislature’s interference with fundamental rights should apply. This is based upon Strasbourg case law, not the standards of national constitutional courts, which have of course addressed this issue in their own way. Obvious questions arise as to whether the same standards should apply to national implementation of EU law, or to Charter rights not based upon the ECHR.

While many data protection specialists argue that there is a fundamental distinction between the right to privacy and the right to data protection, the Court’s judgment only reflects that distinction to a limited degree. It assesses separately whether there is an interference with Articles 7 and 8 of the Charter, and whether the essence of each right has been affected. However, it made no distinction between the rights when assessing the required intensity of judicial review, and linked the two rights together when assessing the proportionality of the interference with them.


Consequences of the judgment


First and foremost, the data retention Directive is entirely invalid. The Court did not in any way rule that it could continue in force. So the immediate consequence is that we return to the status quo before 2005. This means that Member States have an option, not an obligation, to retain data pursuant to the e-privacy Directive (see further Chris Jones’ post on the background to the data retention Directive). However, Member States’ exercise of this option will still be subject to the requirements set out in this judgment, since their actions will fall within the scope of the Charter, given that the e-privacy Directive regulates the issue of interference with telecommunications.

Would it be possible for the EU to adopt a new Directive on mandatory data retention? In other words, can the Directive in some way be ‘fixed’?

First of all, since the 2006 Directive is entirely invalid, the EU legislature has to start from scratch, rather than amend it. Secondly, it is clear from the Court’s judgment that some form of mandatory data retention in order to combat serious crime and terrorism is acceptable from the perspective of the EU Charter.

How would such a new Directive differ from the measure the Court has just struck down? The Court sets out unusually detailed guidelines for the legislature (and, in the meantime, for national legislatures) in its judgment. First of all, any new Directive would have to be in some sense targeted upon communication which has a particular link with serious crime and terrorism. Very simply, mass surveillance is an unjustifiable infringement of Charter rights.

Secondly, a new Directive would have to contain rules on: the definition of ‘serious crime’; the purpose of subsequent access to the data; limits on the number of persons who could access the data; and control of access to the data by means of a court or other independent administrative authority.

Thirdly, the new Directive would have to include stronger rules on the data retention period, for instance as regards the categories of data to be retained for the whole period, as well as the protection of the data from unlawful access and use. It would also have to contain rules on an obligation to destroy the data, and require that data be retained within the EU only. The Court did not rule on whether subsequent processing of the data in third States would be acceptable, but logically there must be some rules on this issue too. Probably it would be simplest to extend the external processing rules in the main EU data protection legislation to this issue.

Depending on the timing of a proposal for a new Directive (assuming that there is one), it might possibly get mixed up with the conclusion of negotiations over the main data protection package being negotiated by the EU institutions. Alternatively, if those negotiations have concluded, they will establish a template that the negotiation of the new Directive can take account of.


Final comments


The Court’s judgment can be seen in the broader context of continued revelations about mass surveillance. Its reference to the retention of data by third States is a thinly-disguised allusion to the spying scandals emanating from the United States. It also responds, sotto voce, to the very great concerns of national constitutional courts about this Directive, discussed in detail in Chris Jones’ post on this issue.

More broadly, the CJEU has seized the chance to give an ‘iconic’ judgment on the protection of human rights in the EU legal order. Time will tell whether the Digital Rights judgment is seen as the EU’s equivalent of classic civil rights judgments of the US Supreme Court, on the desegregation of schools (Brown) or criminal suspects’ rights (Miranda). If the Charter ultimately contributes to the development of a ‘constitutional patriotism’ in the European Union, this judgment will be one of its foundations.


Barnard & Peers: chapter 9, chapter 25

National legal challenges to the Data Retention Directive



Chris Jones, Researcher for Statewatch

This post, which examines the numerous legal challenges against the EU's Data Retention Directive at both national and EU level (not including today's judgment), is the third post in a series examining the EU's mandatory data retention legislation, which was struck down today by the Court of Justice of the European Union (CJEU). It is based on work undertaken by Statewatch as part of the SECILE project (Securing Europe through Counter-terrorism: Impact, Legitimacy and Effectiveness).

EU Court of Justice legal basis challenge

The first legal challenge to the Data Retention Directive came when Ireland, supported by Slovakia, asked the EU Court of Justice to annul the Directive on the grounds that it had the wrong legal basis. They argued that the correct legal basis for data retention resided “in the provisions of the EU Treaty concerning police and judicial cooperation in criminal matters,” rather than those on the internal market. The ECJ dismissed the case in February 2009, stating that: “Directive 2006/24… regulates operations which are independent of the implementation of any police and judicial cooperation in criminal matters. It harmonises neither the issue of access to data by the competent national law-enforcement authorities nor that relating to the use and exchange of those data between those authorities…” “It follows that the substantive content of Directive 2006/24 is directed essentially at the activities of the service providers in the relevant sector of the internal market, to the exclusion of State activities coming under Title VI of the EU Treaty”.


Bulgaria


The first ruling on national laws transposing the Directive came from Bulgaria in proceedings launched by the NGO Access to Information Program. In December 2008 the country’s Supreme Administrative Court annulled an article of the transposing legislation permitting the Ministry of Interior “passive access through a computer terminal” to retained data, as well as providing access without judicial permission to “security services and other law enforcement bodies”. The court found that: “[T]he provision did not set any limitations with regard to the data access by a computer terminal and did not provide for any guarantees for the protection of the right to privacy stipulated by Art. 32, Para. 1 of the Bulgarian Constitution. No mechanism was established for the respect of the constitutionally granted right of protection against unlawful interference in one’s private or family affairs and against encroachments on one’s honour, dignity and reputation.” The court also found the legislation failed to make reference to other relevant laws – the Penal Procedure Code, the Special Surveillance Means Act and the Personal Data Protection Act – “which specify conditions under which access to personal data shall be granted.”


Hungary


In June 2008 the Hungarian Civil Liberties Union (HCLU or TASZ, Társaság a Szabadságjogokért) requested “the ex-post examination” by the Hungarian Constitutional Court of the amendment of Act C of 2003 on electronic communications, “for unconstitutionality and the annulment of the data retention provisions.” According to the HCLU, Act C “already comprised numerous restrictive data retention provisions prior to the directive. The only changes brought in by the amendments were the retention of Internet communications data and the elimination of the lax – but at least pre-defined – legal purposes of the data processing”. The HCLU argued that “the amendments completely disregarded the provisions of the directive [stating] that data should be ‘available for the purpose of investigation, detection and prosecution of serious crimes’.” Despite being filed in 2008, the case is yet to be heard. According to Fanny Hidvégi of the HCLU, this is because as of 1 January 2012 new restrictions were placed on submitting cases to the Constitutional Court, and “every pending case submitted by a person or institution which no longer has the right to do so were automatically terminated”. The HCLU has begun a new and lengthy procedure that requires the exhaustion of all other remedies before the Constitutional Court can examine the Hungarian data retention measures.


Romania


In October 2009, the Romanian Constitutional Court found that proposed national legislation implementing the Data Retention Directive violated Romanian constitutional provisions protecting freedom of movement; the right to intimate, private and family life; secrecy of correspondence; and freedom of expression. The court found that the government’s attempt to justify the mandatory retention of telecommunications data by invoking undefined “threats to national security” was unlawful. The Court also referred to the 1978 ECHR ruling in Klass v Germany, which stated that “taking surveillance measures without adequate and sufficient safeguards can lead to ‘destroying democracy on the ground of defending it’.”

 In October 2011 the European Commission asked the Romanian government to bring forward new laws transposing the Directive, issuing a “reasoned opinion” under Article 258 of the TFEU, which carries the threat of full infringement proceedings at the European Court of Justice if the request is not met. A new law was duly drafted, but was rejected by the Romanian Senate. The law was heavily criticised in the media prior to the vote and the country’s Data Protection Authority had refused to endorse it, claiming that articles relating to the security services were “still vague”. Civil society organisations also opposed it and even the government refused to sponsor it, leaving the Minister of Communications and Information Society to propose it in his role as MP rather than minister. Strong support from the Minister of European Affairs fuelled criticism that it was motivated solely by the need to escape sanction by the European Court of Justice.

Ultimately the Senate vote was not decisive and the law continued its journey to the Chamber of Deputies, where at the end of May 2012 it was adopted with 197 votes for and 18 against, with many abstentions amongst the 332 deputies. There was no substantive discussion of fundamental rights issues in the Chamber of Deputies or the main two committees that debated the law and critics have argued that the provisions on access to retained data are even more problematic than the original statute. On 21 February 2013 the European Commission withdrew the infringement procedure that it had opened in 2011.

Cyprus

In February 2011 the Supreme Court of Cyprus ruled that aspects of the national transposing legislation breached the Cypriot constitution and case law on surveillance. The case was brought by individuals whose telecommunications data had been disclosed to the police in accordance with District Court orders. They argued that the laws on which the orders were based (Articles 4 and 5 of Law 183(I) 2007, which sought to harmonise Cypriot law with the Directive), and therefore the District Court orders themselves, violated their rights to privacy and confidentiality of communications. The Supreme Court found that petitioners had indeed been subject to a violation of their rights and annulled provisions it said went beyond the requirements of the Data Retention Directive. However, the legality of the Directive itself was not called into question.


Germany


Legislation transposing the Data Retention Directive into the Telecommunication Act and Code of Criminal Procedure was passed by the Bundestag on 9 November 2007 and entered into force on 1 January 2008. The day before, 31 December 2007, 35,000 German citizens (represented by the NGO AK Vorrat) filed a complaint against the legislation at the Federal Constitutional Court. On 2 March 2010 the Court ruled that the transposing provisions were a disproportionate interference with Article 10 (confidentiality of communications) of the Basic Law (Grundgesetz), and contravened legal standards on purpose limitation, data security, transparency and legal remedies.

However, the Court made no ruling on the actual Directive, stating that data retention is in principle proportionate to the aim of investigating serious crime and preventing imminent threats against life, body, freedom of persons, and the existence and security of the Federal Republic or one of its states. The Court found that the new domestic law failed to comply with legal standards on purpose limitation (restrictions on use of the retained data), data security, transparency and legal remedies.

In January 2011 the Ministry of Justice (MoJ) presented a paper proposing an alternative to data retention – a “quick freeze” system of limited data preservation for criminal investigations. The police and/or public prosecutors would issue a “quick freeze” order seeking access to metadata already held by telecommunications providers, for example for billing purposes. To actually access the “frozen” data would require the approval of a judge. In addition, the MoJ proposed an obligation for ISPs to store internet traffic data for seven days, allowing criminal investigators to identify persons behind (already known) IP addresses, in particular in cases of child pornography. Criminal investigators would request the traffic and communications data via service providers without having direct access to these traffic data. This paper reflected proposals made in June 2010 by the Federal Commissioner for Data Protection, as well as the suggestions of more pragmatic privacy advocates.

More radical activists claim that any mandatory storage of communications data should be prohibited. The Interior Ministry rejected these proposals and insisted on full implementation of the Directive, arguing that the Constitutional Court had already shown that it is possible to implement the Directive and ensure individual privacy through high data security standards, including encryption and the “four eyes principle” (approval by at least two people) as prerequisite for accessing data and log files; strict purpose limitation; and the protection of professions whose confidentiality must be ensured.

The MoJ produced a “quick freeze” bill in April 2012 but continued opposition from the Interior Ministry meant that it was never tabled in Parliament. The Interior Ministry was unhappy with the length of the proposed freezing periods, demanding three months instead of the one month suggested by the Ministry of Justice. Moreover, the Interior Ministry wanted to include crimes such as fraud and hacking. The controversy continues and no new legislation has yet been introduced.

By this time the European Commission had initiated infringement proceedings and took its case to the European Court of Justice in July 2012. The Commission is seeking to impose a daily fine of €315,000.

Czech Republic

On 13 March 2011 the Czech Republic's Constitutional Court declared national legislation implementing the Directive unconstitutional. It found that the retention period exceeded the requirements of the Directive, and that use of the data was not restricted to cases of serious crime and terrorism. “The national legislation lacked, according to the constitutional court, clear and detailed rules for the protection of personal data as well as the obligation to inform the person whose data has been requested.” As in Germany, the Court stated that it could not review the Directive itself, but noted there was nothing in principle preventing implementation in conformity with constitutional law.

A second Constitutional Court decision in December 2011 examined the procedures put in place for obtaining access to retained data and found the “procedure in question to be too vague, in breach of [the] proportionality rule (its second step) and thus unconstitutional due to interference with right to privacy and informational self-determination.” In the meantime the Czech government revised the implementing legislation with modifications that took account of the judgment. The NGO Iuridicum Remedium has lodged fresh proceedings against the revised legislation on the grounds that regulation remains inadequate and that the new decree could provide for the “monitoring of contents of Internet communications”.

Slovakia

In August 2012 a group of Slovakian MPs, supported by the European Information Society Institute, lodged a legal complaint against the legislation implementing the Data Directive. The complaint asks the Slovak Constitutional Court to examine whether the laws implementing the Directive and dealing with access by the authorities to retained data are compatible with constitutional provisions on proportionality, the rights to privacy and data protection, and the provision granting freedom of speech. It also argues that the measures infringe provisions guaranteeing privacy, data protection and freedom of expression in Slovakian human rights law, the European Convention on Human Rights and the Charter of Fundamental Rights of the European Union. The complaint has not yet been resolved.


Sweden


The European Commission has engaged in a lengthy battle to try to bring Sweden’s domestic legislation into line with the Directive. After the country missed the initial September 2007 deadline, the Commission brought infringement proceedings, with the European Court of Justice finding Sweden guilty of failing to fulfil its obligations in February 2010. A proposal for transposing legislation was put forward in December 2010 and adopted in March 2012. The new law should have taken effect in May 2012 but despite an overwhelming vote in favour of the new measures in the Swedish parliament (233 MPs voted in favour with 41 against and 19 abstaining), the Left Party and the Greens invoked a constitutional provision allowing the entry into force of new measures to be delayed by a motion of one sixth of the parliament's members.

In May 2013, the European Court of Justice ordered Sweden to pay a €3 million fine for its delay in implementing the legislation. The Court rejected Swedish pleas regarding the domestic controversy over the implementation of the law: “As the Court has repeatedly emphasised, a Member State cannot plead provisions, practices or situations prevailing in its domestic legal order to justify failure to observe obligations arising under European Union law... The same is true of a decision, such as the one made by the Swedish Parliament, to which paragraph 8 of this judgment makes reference, to postpone for a year the adoption of the draft bill intended to transpose that directive.”


The Court of Justice of the European Union (CJEU)


The most serious challenge to the implementation of the Data Retention Directive has come from joined cases brought by the NGO Digital Rights and the plaintiffs in a case referred from the Austrian Constitutional Court. The Advocate General's opinion on the case, published in December 2013 following a hearing in July, proposed that the Court declare the Directive as a whole incompatible with EU Charter articles 52(1) (limitations on rights “must be provided for by law and respect the essence of those rights and freedoms”) and 7 (right to privacy). The case focuses on the compatibility of the Directive with Articles 7 (respect for private and family life) and 8 (protection of personal data) of the European Union Charter of Fundamental Rights. At the hearing the representatives of those who brought the cases argued that the Directive is fundamentally incompatible with the Charter and that there is still no evidence to demonstrate its necessity or proportionality.

On behalf of Austrian privacy group AK Vorrat, Edward Scheucher argued that: “[T]he cumulative effect of fundamental rights restrictions need to be taken into consideration when judging the legitimacy of a single measure. Given the revelations regarding PRISM, this cumulative effect now clearly provides a different result [than] at the time when the German [Constitutional] Court took its decision [to annul certain provisions of German transposing legislation]. Furthermore, he stated that the Austrian implementation of the directive clearly showed that a Charter-compatible national implementation of the Data Retention Directive is not possible. This argument is bolstered by the fact that the main author of the Austrian implementation is among the 11,139 Austrian plaintiffs who challenged data retention before the Austrian Constitutional Court.”

In response to requests for evidence demonstrating the necessity of the Directive, the Austrian and Irish governments presented new statistics on the use of retained data at the hearing. Also arguing in favour of the Directive were representatives of Italy, Spain and the UK, as well as the Commission, the Council and the Parliament. However, the Directive’s advocates still “had to acknowledge a lack of statistical evidence”, with the UK admitting that “there was no ‘scientific data’ to underpin the need” for data retention. Judge Thomas von Danwitz, the Court’s main rapporteur for the hearing, asked for information that had led to the adoption of the Directive in 2006, given that “the Commission in 2008 claimed not to have enough information for a sound review”. The Council’s lawyers, meanwhile, “implored the Court not to take away instruments from law enforcement”.

Ultimately, Advocate-General Cruz Villalón concluded that the Court answer the cases in the following way:

“(1) Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC is as a whole incompatible with Article 52(1) of the Charter of Fundamental Rights of the European Union, since the limitations on the exercise of fundamental rights which that directive contains because of the obligation to retain data which it imposes are not accompanied by the necessary principles for governing the guarantees needed to regulate access to the data and their use.

“(2) Article 6 of Directive 2006/24 is incompatible with Articles 7 and 52(1) of the Charter of Fundamental Rights of the European Union in that it requires Member States to ensure that the data specified in Article 5 of that directive are retained for a period whose upper limit is set at two years.”

Today's Grand Chamber judgment, which is analysed in Steve Peers' separate post, ultimately agreed with this recommendation. The EU has finally been forced to redraft its mandatory data retention rules.


 Barnard & Peers: chapter 9, chapter 25