
Wednesday, 24 November 2021

Data Retention: AG opinions on the latest CJEU cases on national laws


Lorna Woods, Professor of Internet Law, University of Essex

 

Introduction

 

Advocate General Campos Sánchez-Bordona has handed down his opinions in three more cases (SpaceNet and Telekom Deutschland (Joined Cases C-793/19 and C-794/19), GD v Commissioner of the Garda Síochána (Case C-140/20) and VD and SR (Joined Cases C-339/20 and C-397/20)) which concern the retention of communications data. They constitute the latest instalment of a saga that started – ineffectually as far as rights-based arguments are concerned – in the unsuccessful Irish challenge to the Treaty base chosen for the Data Retention Directive (Directive 2006/24/EC) (Ireland v European Parliament and Council (Case C-301/06)).

 

The Data Retention Directive, which provided for communications data retention, effectively within the scope of the exceptions found in Article 15 of the e-Privacy Directive (Directive 2002/58/EC) to the principle of communications confidentiality, was struck down in Digital Rights Ireland (Joined Cases C-293/12 and C-594/12) (discussed here). Building on the principles there, a series of cases developed the constraints on what was permitted by Article 15 e-Privacy Directive, notably: Tele2 Sverige and Watson (Joined Cases C-203/15 and C-698/15) (discussed here and here), La Quadrature du Net and Others (Joined Cases C-511/18, C-512/18 and C-520/18) and Privacy International (Case C-623/17) (discussed here). Points of detail have been added in Ministerio Fiscal (Case C-207/16) (discussed here) and HK v Prokuratuur (Case C-746/18). The same principles underpin the data transfer cases, Schrems I and Schrems II. As well as recommending that the Court continue with its approach, maintaining the gap between it and the European Court of Human Rights, the Advocate General's opinions indicate a certain irritation with national courts that are unwilling to apply clear principles and so necessitate yet more Grand Chamber rulings on this topic. In other words, not much is new here; rather, the opinions reiterate the principles and distinctions on which this jurisprudence has been built.

 

The Cases

 

SpaceNet and Telekom Deutschland concern the German legislation requiring internet service providers to retain communications data. Reflecting to some degree the concerns highlighted in the CJEU’s previous jurisprudence, the German law had excluded the communications data of certain help lines from the regime, the data collected was retained for a comparatively short period, and there were safeguards against misuse of the retained data. SpaceNet and Telekom Deutschland had each challenged this law on the basis of the CJEU’s jurisprudence.

 

GD v Commissioner of the Garda Síochána arises from a murder case, the prosecution of which was based on communications data retained and accessed via legislation that provided for mass retention of data. The defendant challenged the admissibility of this data arguing it was contrary to EU law requirements.

 

Joined Cases VD and SR likewise arise from criminal prosecutions based on communications data, this time for financial offences. Here the data retention was based on national law implementing Directive 2003/6/EC (market abuse), and on Regulation 596/2014, rather than on the e-Privacy Directive. These rules allowed the relevant authority access to existing communications data held by telecommunications operators. The reference raised the question of those rules' compliance with the fundamental rights in Articles 7 and 8 of the EU Charter, as interpreted by the case law on the e-Privacy Directive.

 

In each case, the Advocate General suggested that the Court hold the national laws incompatible with Charter rights, reiterating that the relevant provisions

‘must be interpreted as precluding national legislation which obliges providers of publicly available electronic communications services to retain traffic and location data of end users of those services on a precautionary, general and indiscriminate basis for purposes other than that of safeguarding national security in the face of a serious threat that is shown to be genuine and present or foreseeable’ (Spacenet, para 84)

 

In all three opinions he restated the conditions found in La Quadrature du Net, para 128. That principle was specifically applied to investigations into insider dealing or market abuse (ie not national security) in VD and SR (para 97). In GD he added that access to data which has been legitimately retained must be subject to prior independent authorisation, and that the temporal effects of the ruling could not be limited so as to give it prospective effect only (GD, para 82; see to similar effect VD and SR, para 97). The Advocate General also noted that there is a distinction between the approach of the CJEU and that of the European Court of Human Rights, but that the jurisprudence of the Strasbourg court provides only a base level: the requirements of the Charter can be higher than those of the Convention.

 

Comment

 

The jurisprudence has built on a series of, generally binary, distinctions, the most basic of which is that between EU and national competence, given that Article 4(2) TEU requires the EU to respect Member States’ essential state functions, including maintaining law and order. It specifically states:

 

“national security remains the sole responsibility of each Member State”.

 

Many Member States use data retention and the analysis of retained data as part of their fight against terrorism and in support of national security. On this basis it has been argued that national laws providing for such schemes fall outside the competence of the EU, and in SpaceNet a number of governments intervened to make the same argument again. This argument has, in the words of the Advocate General, been "emphatically rejected" (SpaceNet, para 32), citing La Quadrature du Net, though the position is seen more clearly in Privacy International and had already been established in Tele2 Sverige and Watson (and could be seen as implicit in the distinctions employed in Ireland v European Parliament and Council). While Article 4 TEU does exclude national security from the scope of EU law, the exclusion is to be narrowly understood: it applies to the activities of intelligence agencies themselves for the purposes of safeguarding national security, not to obligations imposed on private communications providers. This seems to be a well-established principle and unlikely to be disturbed now, whatever the representations of the Member States.

 

Another longstanding distinction made in the case law is between the content of communications and communications data (metadata), the latter comprising traffic data (which, according to Ministerio Fiscal, paras 40-42, seemingly also includes the subscriber name and the IMEI number of the mobile device) and location data. Mass acquisition of the content of communications goes to the essence of the right and cannot be justified. The Court has accepted that the acquisition of communications data could in principle be justified, as can be seen in Tele2 Sverige and Watson, Privacy International and La Quadrature du Net, on the footing that mass acquisition of communications data is less intrusive than knowledge of content. Whether this is wholly true is debatable, given the harm attributed to this collection: the possibility of building detailed profiles of individuals. Note, however, that the Court has accepted that some sorts of data may be seen as less sensitive, notably civil identity and IP addresses in the context of criminal investigations.


 

The Court suggested in Ministerio Fiscal that the intrusion was less serious (perhaps to enable itself to justify taking a different approach from Tele2 Sverige and Watson), though it was unclear whether this was because of the type of data in issue or because of the limited amount of data involved (and its severability from other data). In that ruling the Court confirmed that access to retained data which reveals the date, time, duration and recipients of communications, or the locations where they took place, must be regarded as a serious interference, since that data allows precise conclusions to be drawn about the private lives of the persons concerned (para 60), suggesting that what matters is what can be done with the data rather than the quantity of data. The Court has suggested in other contexts that certain types of data are less significant: see the data involved in the PNR cases (Opinion 1/15, especially para 151, discussed here). In the current opinions, the Advocate General reiterated the position in La Quadrature du Net as regards IP addresses and civil identity (SpaceNet, paras 81-82; VD and SR, para 80) but did not elaborate further. The question about small sets of, eg, location data remains open.

 

This possibility of profiling and its impact on users has led the Court to develop stringent conditions for the collection of data, based on two interlinking sets of distinctions: that between general and targeted measures, and that between national security and the fight against crime (with a sub-division between serious and other crime). For all three cases, the Advocate General reiterated the general principles established by the case law to date, though it is worth noting that he relied for preference on La Quadrature du Net (as a judgment which synthesised or summarised the preceding case law) rather than on other landmark cases, notably Tele2 Sverige and Watson. This may be because (in the eyes of some) La Quadrature du Net allowed some State measures that would not at first glance seem to fall within Tele2 Sverige and Watson, and which the Advocate General described as "supplementary qualifications" (GD, para 4). So, "general and indiscriminate retention of traffic and location data can be justified only by the objective of safeguarding national security", which is distinct from, and more serious or important than, the other objectives listed in Article 15 e-Privacy Directive (GD, para 36; SpaceNet, para 37; VD and SR, para 75, each citing La Quadrature du Net). In sum, provided all the other conditions are satisfied, national security threats justify indiscriminate data retention, whereas serious crime suffices to legitimise only targeted data retention.

 

Of course, this raises the question of what falls within national security for the purposes of Article 15 and what constitutes serious crime. According to Ministerio Fiscal, the boundary between crime and serious crime falls to be determined by the Member States. While this respects national procedural autonomy, it might be open to manipulation or interpreted broadly (as the special, expansive definition of serious crime in the Investigatory Powers Act, adopted when the UK was still a member of the EU, suggests). The Court in La Quadrature du Net suggested that national security

 

“encompasses the prevention and punishment of activities capable of seriously destabilizing the fundamental constitutional, political, economic or social structures of a country and, in particular, of directly threatening society, the population or the State itself” (para 135).

 

In VD and SR the Advocate General emphasised that the two types of measures – those aimed at safeguarding national security and those which are aimed at combatting crime – cannot have the same scope as otherwise the distinctions in La Quadrature du Net (with regard to the possibility of indiscriminate surveillance) would have no purpose and the fundamental rights protections would likely be undermined – and this is true no matter how serious the crime (VD and SR, paras 83-86).

 

As regards targeting, the Court has suggested that this need not be at the level of the individual but could relate to localities or to groups – suggestions which may raise all manner of social, political as well as technical questions (and see here, Interpol’s distinctions). As the Advocate General pointed out, it is not the responsibility of the CJEU to draft compliant regimes; this is the responsibility of the Member States.

 

La Quadrature du Net imposed conditions on generalised surveillance for national security, as well as on targeted surveillance for serious crime. In Privacy International, the CJEU restated its position that national legislation must lay down objective criteria governing both the acquisition of a particular dataset from a service provider and its actual use by the relevant authorities (see paras 78-81). Moreover, it seems that these conditions apply not just to traffic and location data but also to provisions for the preventive retention of IP addresses, subscriber information and other measures aimed at combatting serious crime. There are, however, questions about the extent to which various sorts of safeguards may compensate for other weaknesses in a system (the same question arises in the European Court of Human Rights' jurisprudence, where it blends lawfulness with safeguards and safeguards with proportionality, effectively reducing scrutiny over acquisition in favour of control over use, an approach which does not deal with the chilling effect of Government access to and storage of data). The Advocate General here rejects this blurring of safeguards over access with control over acquisition and retention:

 

“for the Court, ‘the retention of traffic and location data constitutes, in itself … an interference with the fundamental rights to respect for private life and the protection of personal data’. In this regard ‘access to such data is a separate interference’ with those fundamental rights, irrespective of the subsequent use made of it.

 

For the present purposes it is therefore irrelevant that the data protection arrangements for retained data provided for in the German legislation (a) provide effective safeguards to protect those data; (b) place rigorous and effective limits on access conditions, restricting the circle of people who can access the data; and (c) allow the retained data to be used solely for the purposes of investigating serious offences and preventing specific risks to life or a person’s freedom or to the security of the state.

 

The truly decisive element is that, … , the retention obligation at issue is not in itself subject to any specific conditions.” (paras 74-76)

 

Limited retention periods constitute another such safeguard; as the German Government argued in SpaceNet, a short period means that less detailed profiles can be drawn, an argument similar to the approach of the Advocate General in HK v Prokuratuur (para 82). In that case the Court agreed that the period of retention was a relevant factor in determining the severity of the interference, but it took the view that traffic and location data are generally sensitive because they allow far-reaching conclusions about private life, and that access to them should therefore be permitted only in relation to serious crime (and, presumably, the protection of national security). The Advocate General noted in SpaceNet that a limited retention period cannot justify a general retention requirement for the purpose of combatting crime (para 66). Moreover, the time period must be considered alongside the quantity of data retained and the analytical techniques available (SpaceNet, para 70).

 

While acquisition, storage of and access to data constitute different interferences (and real-time access may give rise to a different level of intrusion from analysis of historic data), there are questions about the links between them. If retention may be justified only for serious crime, presumably access is likewise limited (the Court did not discuss this point in Ministerio Fiscal). This link was discussed in VD and SR. The legislation permitted access to existing records, but did not itself provide a basis for storing them in the first place. While the French Government argued that the market abuse legislation implicitly allowed for data retention, the Advocate General replied that these existing records “can only be ‘lawfully existing records’, that is to say those compiled in accordance with Directive 2002/58” (VD and SR, para 62, emphasis in original).

This makes clear that the rules on communications confidentiality are not easily displaced. In any event, even if such ‘implicit authorisation’ were to be accepted, “such retention would be subject to the same conditions as would necessarily apply if it were based on any other EU legislative provision”. That is, all EU legislation must comply with the requirements of the EU Charter, and the Court's interpretation of Articles 7 and 8, although developed in the context of the e-Privacy Directive, applies to those Articles generally and not only within that directive. This recognition is important given the increasing acquisition of data by the private sector and its sharing with the public sector for the delivery of public services of all kinds. For this reason, the requirement that access requests be approved by an independent body (seen also in GD in the context of the e-Privacy Directive) also arose in relation to the insider dealing and market manipulation legislation (para 95). We might see in this the beginnings of a general approach to constraining state surveillance activities; it will be interesting to see the extent to which the Court carries concerns about profiling from this group of cases through to, for example, PNR. There is a pending reference challenging the broad range of PNR data collected under Directive 2016/681/EU (Ligue des droits humains (Case C-817/19); the hearing in that case is discussed here). The next question is where the boundary lies between concerns about profiling in the context of national security and combatting crime, and profiling to support data-driven public service delivery more generally. This distinction does not yet seem to have been considered.

 

Barnard & Peers: chapter 9

JHA4: chapter II:7

Photo credit: EFF-Graphics, via Wikicommons

Wednesday, 9 October 2019

The CJEU rules on consent to cookies under data protection law


Lorna Woods, Professor of Internet Law, University of Essex

Last week’s CJEU ruling in Planet49 is an important Grand Chamber decision concerning the use of cookies and the meaning of consent under the e-Privacy Directive, read in the light of the Data Protection Directive and also of the General Data Protection Regulation (Regulation 2016/679) (GDPR). The judgment is therefore relevant for understanding the cookie obligations under the new regime as well as the old.

Judgment

The case concerned an online lottery. To participate, users had to enter their name and address and were shown two checkboxes relating to consent for data processing before they could take part. The first consent pertained to users being contacted by third parties with promotional offers. The second pertained to cookies being placed on users’ browsers in connection with participation in the lottery. While Planet49 sought consent for the third-party promotional offers through an unticked box, the box for the use of cookies was pre-ticked. Two questions were referred: whether the use of pre-ticked boxes gave valid consent; and what information needed to be supplied to give the user clear and comprehensive information.

The e-Privacy Directive provides that users must consent to the use of cookies, and consent has the same meaning as in the Data Protection Directive (Recital 17 and Article 2(f) e-Privacy Directive) and now the GDPR. The Data Protection Directive required an ‘indication’ of the user’s wishes which, as the Advocate General pointed out ([AG60], cited by the Court at [para 52]), requires the user to do something active to signal consent rather than remain passive. Further, only active behaviour can satisfy the requirement that consent be unambiguous [para 54].

The Court also referred to the ‘legislative origins’ of the cookie provision (Article 5(3) e-Privacy Directive), noting that before the provision’s amendment in 2009, the provision gave the user the right to refuse cookies [para 56]. The Court concluded that consent was not valid if pre-ticked boxes were used.  If that was the case under the Data Protection Directive, it remained so under the GDPR, given that its definition of consent is more stringent than that under the Data Protection Directive.  The Court noted that:

according to recital 32 [GDPR], giving consent could include ticking a box when visiting an internet website. On the other hand, that recital expressly precludes ‘silence, pre-ticked boxes or inactivity’ from constituting consent [para 62].

The Court noted that the referring court had not asked whether making consent to such processing a precondition for participation in the lottery satisfied the requirement that consent be ‘freely given’, and therefore the Court did not answer that question.

Given that the e-Privacy Directive is not just about personal data, the referring court asked if the meaning of consent was the same should data other than personal data be in issue. While it was accepted that the data in issue constituted personal data, in line with the approach of the Advocate General and relying on Recital 24 of the e-Privacy Directive, the Court commented:

that Article 5(3) of Directive 2002/58 refers to ‘the storing of information’ and ‘the gaining of access to information already stored’, without characterising that information or specifying that it must be personal data [para 68].

In response to the referring court's questions about what information the user must be given as to the duration of the cookies and whether third parties may have access to them, the Court referred to the general obligation that the user be given ‘clear and comprehensive information’ [para 73]. The Data Protection Directive, and now the GDPR, list certain information that must be given; duration is not on that list. The Court noted that these lists are not exhaustive, and that a long operating period for a cookie means that a great deal of data will be collected. In support of the view that information on duration must be given, the Court noted that the GDPR requires the controller to state how long personal data will be stored.
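The two points the Court actually decided, that only active behaviour is consent and that the user must be told how long cookies persist and who else can read them, reduce to a small amount of logic for anyone building a consent banner. The following is an added JavaScript example, not code from the judgment, from Planet49 or from the original post; the cookie names, purposes, durations and the partner domain are constructed placeholders. It treats a checkbox that is checked only because it was pre-ticked as silence, records consent only on an active opt-in, and generates both the disclosure text and the Set-Cookie attributes from the same catalogue so that the stated duration and the actual Max-Age cannot drift apart.

```javascript
// Added example (not from the original post or the judgment). Consent gate that
// encodes the Planet49 holdings: only active, unambiguous behaviour is consent,
// and users must be told how long cookies persist and who else can read them.
// The catalogue entries below are constructed placeholders.

const COOKIE_CATALOGUE = [
  {
    name: "session_id",
    purpose: "keep the user logged in during the lottery entry",
    essential: true,  // strictly necessary: exempt from the Art 5(3) consent requirement
    maxAgeDays: 0,    // 0 = session cookie, cleared when the browser closes
    thirdParties: [],
  },
  {
    name: "lottery_tracker",
    purpose: "track lottery participants across partner sites",
    essential: false,
    maxAgeDays: 365,
    thirdParties: ["partner-adnetwork.invalid"], // constructed placeholder domain
  },
];

// "Clear and comprehensive information": one line per non-essential cookie,
// including the two items the Court singled out (duration, third-party access).
function describeCookies(catalogue = COOKIE_CATALOGUE) {
  return catalogue
    .filter((c) => !c.essential)
    .map((c) => {
      const duration = c.maxAgeDays === 0 ? "until the browser is closed" : `${c.maxAgeDays} days`;
      const access = c.thirdParties.length
        ? `readable by ${c.thirdParties.join(", ")}`
        : "not shared with third parties";
      return `${c.name}: ${c.purpose}; stored for ${duration}; ${access}`;
    });
}

class ConsentRecord {
  constructor(catalogue = COOKIE_CATALOGUE) {
    this.catalogue = catalogue;
    this.granted = new Set(); // non-essential cookies the user actively opted into
    this.log = [];            // audit trail of each consent decision and how the box was shown
  }

  lookup(name) {
    const entry = this.catalogue.find((c) => c.name === name);
    if (!entry) throw new Error(`unknown cookie: ${name}`);
    return entry;
  }

  // `checkbox` mirrors what a form would hand over: the box's final state,
  // whether it was rendered pre-ticked, and whether the user ever touched it.
  // Any box the user never interacted with is "silence" (recital 32 GDPR),
  // which covers the pre-ticked box in Planet49. Returns the recorded status.
  applyCheckbox(name, { checked, defaultChecked, interacted }) {
    const entry = this.lookup(name);
    if (entry.essential) return "exempt"; // no consent needed, nothing to record
    const status = !interacted ? "silence" : checked ? "granted" : "refused";
    if (status === "granted") this.granted.add(entry.name);
    else this.granted.delete(entry.name);
    this.log.push({ cookie: entry.name, preTicked: Boolean(defaultChecked), status });
    return status;
  }

  // Gate for the code path that actually stores information on the terminal equipment.
  mayStore(name) {
    const entry = this.lookup(name);
    return entry.essential || this.granted.has(entry.name);
  }

  // Build the Set-Cookie value from the same catalogue the disclosure came from,
  // so the Max-Age cannot silently diverge from the duration shown to the user.
  setCookieValue(name, value) {
    if (!this.mayStore(name)) return null;
    const entry = this.lookup(name);
    const attrs = [`${name}=${encodeURIComponent(value)}`, "Path=/", "Secure", "SameSite=Lax"];
    if (entry.maxAgeDays > 0) attrs.push(`Max-Age=${entry.maxAgeDays * 86400}`);
    return attrs.join("; ");
  }
}

// Usage: a pre-ticked, untouched box records nothing; an explicit tick does.
const consent = new ConsentRecord();
consent.applyCheckbox("lottery_tracker", { checked: true, defaultChecked: true, interacted: false });
console.log(consent.mayStore("lottery_tracker")); // false: pre-ticked is silence, not consent
consent.applyCheckbox("lottery_tracker", { checked: true, defaultChecked: false, interacted: true });
console.log(consent.setCookieValue("lottery_tracker", "abc123"));
console.log(describeCookies().join("\n"));
```

The `interacted` flag is what a browser `change` listener would set; a server that only sees the submitted form value cannot distinguish a pre-ticked box left alone from an active tick, which is one practical reason the default state of the box matters as much as its final state.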

Comment

The ruling will have significant implications for those who obtain data by relying on cookies, as the Court has confirmed that ‘active consent’ is required. While this is clear on the face of the GDPR, it was less so under the Data Protection Directive. Given that the Data Protection Directive has already been repealed and the GDPR is now in force, the consequences, save for those already in litigation on this point, might be thought limited. Nonetheless, this is a clear affirmation that the GDPR definition of consent applies under the e-Privacy Directive.

Given that the Court interpreted the meaning of consent through the lens of the GDPR as well as the Data Protection Directive, it is also the first ruling on consent under the GDPR.  Further, the ruling might be seen as part of a more general push-back against ‘surveillance capitalism’ techniques constituted by a number of investigations currently ongoing in various Member States (and note the recent guidance from the ICO on use of cookies). 

As an aside, it is also worth noting the broader scope of the e-Privacy Directive: it is not limited to personal data but protects the ‘private sphere of individuals’, a sphere which encompasses users’ ‘terminal equipment’. This means that national rules should not be less strict where no personal data is in issue. The Court also reminds us that the protection in the e-Privacy Directive is not limited to cookies but extends to ‘hidden identifiers and other similar devices’ [para 70]. Presumably these techniques also require active consent. Of course, this ruling relates to the e-Privacy Directive; it remains to be seen what the position will be should the proposed ePrivacy Regulation ever be agreed.

The final point to note is the issue surrounding ‘freely given’. The German court did not raise the question of whether requiring consent as a pre-condition for accessing the service would be permissible and the Court did not answer it of its own volition. This presumably will come before the Court another day.

Photo credit: pcmag

Thursday, 4 October 2018

Mobile phone theft and EU eprivacy law: the CJEU clarifies police powers

Lorna Woods, Professor of Internet Law, University of Essex

Introduction

This week’s CJEU judgment in Case C-207/16 Ministerio Fiscal is part of the jurisprudence on the ePrivacy Directive, specifically Article 15, which broadly allows Member States to permit intrusions into the confidentiality of communications for certain specified reasons. Article 15 has been the framework against which the Court has assessed the mass retention of communications data since Digital Rights Ireland (Joined Cases C-293/12 and C-594/12, EU:C:2014:238) (“DRI”), and the Court has affirmed that retention schemes could be justified only in the case of “serious crime” (Tele2/Watson (Joined Cases C-203/15 and C-698/15), ECLI:EU:C:2016:970). This left open the question of what “serious crime” might be, and whether there are EU law standards circumscribing the scope of the term. It is this question that the reference here sought to address, though it should be noted that the facts in issue were very different from those in the earlier cases.

Facts

The reference arose in the context of a police investigation into the theft of a wallet and a mobile phone. The police wished to identify the new phone number associated with the stolen phone, as well as the details of the persons associated with that new number. However, Spanish law required that, to access such information, the police must be investigating a serious crime, and the domestic courts found that the facts under investigation did not constitute a serious crime under Spanish law. The reference to “serious crime” comes from the Court’s case law in DRI, which, considering the rights to private life and to data protection in Articles 7 and 8 of the EU Charter of Fundamental Rights, set that as a minimum threshold for the mass retention of communications data by telecommunications operators.

The national court referred a question on the meaning of Article 15(1) of the ePrivacy Directive (Directive 2002/58/EC, as amended) in the light of this jurisprudence. Article 15 allows Member States to restrict some of the rights granted by the ePrivacy Directive in the interests of, inter alia, the prevention, investigation, detection and prosecution of criminal offences. The national court asked whether the length of sentence available for an offence suffices on its own to mark out a “serious crime”, or whether ‘it is also necessary to identify in the criminal conduct particular levels of harm to individual and/or legally protected interests’; and, if length of sentence alone suffices, whether there is a minimum threshold in order to comply with the requirements of DRI.

Judgment

The first issue before the Court was that of its jurisdiction to hear the question. Both the Spanish and UK governments argued that the Court did not have jurisdiction because criminal law is excluded from the scope of the Data Protection Directive (Art 3(2)) and the ePrivacy Directive (Art 1(3)). The Court referred, however, to its previous judgments in this field to hold that legislative measures derogating from the rights in the ePrivacy Directive on the basis of Article 15 still come within its scope, even if the measures pursue objectives which overlap substantially with the fields excluded by Article 1(3) [para 34]. It concluded, relying on Tele2/Watson, that the scope of the ePrivacy Directive:

extends not only to a legislative measure that requires providers of electronic communications services to retain traffic and location data, but also to a legislative measure relating to the access of the national authorities to the data retained by those providers [para 35].

The Court also dismissed other submissions on admissibility made by the Spanish government, re-iterating its long-standing position that ‘where the questions put by national courts concern the interpretation of a provision of EU law, the Court is, in principle, bound to give a ruling’ [para 45].

The Court considered the two questions referred by the Spanish court together. It specified that the question in issue did not relate to the compliance of the communications service providers with the law but to ‘whether, and to what extent, the objective pursued by the legislation .. is capable of justifying the access of the public authorities, such as the police, to the data…’ [para 49]. The Court followed the approach of its Advocate General in holding that such access constitutes an interference, even where the interference is not serious and the data accessed are not sensitive.

The Court noted that the list of objectives for the purpose of Article 15 ePrivacy Directive is exhaustive and that the authorities’ need for access must genuinely correspond to one of those objectives.  Article 15 does not, however, limit access to the fight against serious crime – it refers to criminal offences generally. The reference to “serious” comes from the Court’s case law where it was dealing with situations involving a serious interference with the right to private life.

By contrast, when the interference that such access entails is not serious, that access is capable of being justified by the objective of preventing, investigating, detecting and prosecuting ‘criminal offences’ generally [para 57].

The Court then redefined the object of its consideration as the question of whether the interference in this case was ‘serious’. Since the data sought related only to a short period of time and could not be cross-referenced with other data, precise conclusions regarding the private lives of the persons concerned could not be drawn. There was therefore no serious interference with the individuals’ right to private life.

Comment

This judgment could be described as tactical. The Court has reiterated that it does have jurisdiction in the areas covered by Article 15. Although earlier jurisprudence on the ePrivacy Directive distinguished between the commercial operators’ obligation to retain data (falling within the internal market) and access by the police to those data, the Court did not limit its power of review in Tele2/Watson along those lines, and it followed the Tele2/Watson approach here. Access to the data by state authorities requires processing by the telecommunications operators (see para 37).

At the same time, through its reformulation of what the referring court asked, the Court stepped away from the difficult question. In so doing, it avoided not just the issue of what “serious crime” is, but that of whether “serious crime” is an autonomous EU concept at all. In this the Court followed its Advocate General (Opinion of 3 May 2018, ECLI:EU:C:2018:300), who went so far as to argue that “criminal law” should not be an autonomous concept of EU law. While it avoided this question, and indirectly answered the question of whether access to communications data for anything less than serious crime is permissible under EU law, it has not helped the Spanish court, which is faced with a national law that specifically refers to a threshold of seriousness. Moreover, in using its proportionality reasoning to suggest that access for less serious crimes could be permissible, there is a danger that the judgment may be read as saying that national laws should allow such access, an interpretation which would overstep the bounds of the Court's competence just as much as defining “serious crime” would.

The judgment re-iterates that Articles 7 and 8 of the Charter are engaged whether or not the interference is deemed serious; equally, the ruling recognises that there may be different levels of intrusion that need greater or lesser justifications.  Here the data sought were limited in type, and related to a limited period of time. The question of what is intrusive, especially in the context of the use of predictive analytics, has not yet been fully answered. 

The Court’s emphasis on its previous caselaw, notably Tele2/Watson as well as DRI, may be seen as trying to build a consistent approach within this case law and also reaffirming the principles laid down in those cases.  This judgment can then be seen as a re-affirmation of the approach in Tele2/Watson, which might be significant in the light of pending references seeking to ask the court to resile from its position there, notably the questions referred by the IPT in the Privacy International litigation (Case C-623/17, pending) regarding the scope of exclusive Member State competence as regards national security.

One final point is about the implications of the Court’s ruling on recent English caselaw – the Court of Appeal in Watson ([2018] EWCA Civ 70) and the Divisional Court in Liberty ([2018] EWHC 975 (Admin)).  In Liberty, the Government argued, successfully, that a category of communications data in the Investigatory Powers Act, “entity data”, did not fall within the ePrivacy Directive, and therefore the ruling in Tele2/Watson, as it was neither "traffic data" nor "location data" within Article 2.  The Court declared the matter acte clair and refused to make a reference to the Court of Justice (Liberty, paras 154-55).  Yet the very data that the Spanish authorities were seeking in the case before the Court of Justice were those that would identify the users of a phone, not the details of those users’ communications. The Spanish Government put forward a similar argument, but the Court declared this to be “irrelevant” [para 40]. Expressly following its Advocate General, the Court held that the ePrivacy Directive “governs all processing of personal data in connection with the provision of electronic communications services” [para 41].  This holding throws some doubt on the Divisional Court’s view both as to the scope of the ePrivacy Directive and, certainly, as to whether the interpretation of the directive is acte clair.

Barnard & Peers: chapter 9
JHA4: chapter II:7

Photo credit: PixelVulture

Thursday, 24 May 2018


Data Retention incompatible with EU law: Victory? Victory you say?





*Photo credit: https://www.beencrypted.com/  



Matthew White, PhD candidate Sheffield Hallam University



Introduction



On 27 April 2018, the High Court in Liberty v Secretary of State for the Home Department and Others [2018] EWHC 975 (Admin) ruled that Part 4 (retention of communications data) of the Investigatory Powers Act 2016 (IPA 2016) was incompatible with the European Union’s (EU) Charter of Fundamental Rights (CFR). They did so in holding that access to retained communications data was not limited to the purpose of serious crime, and was not subject to prior review by a court or an independent administrative body. Liberty regarded this ruling as a landmark victory for privacy rights. This blog post questions this assertion by critically analysing the High Court’s judgment with regard to the specific aspect of data retention.



Ignore the European Convention on Human Rights at your peril:



In the second paragraph of the High Court’s judgment, it was acknowledged that the judicial review proceedings concerned not only the CFR but the European Convention on Human Rights (ECHR). The High Court, however, proceeded to only consider the former. This omission will become more important throughout this post.





Does not concern the content of communications?



The High Court acknowledged that retention notices under s.87(1) of the IPA 2016 affect a wide range of private information to do with communications, but not their content, e.g. emails and texts [3]. Emails and texts are, of course, but one example of content; however, some argue that communications data are equally revealing (Elisabet Fura and Mark Klamberg, ‘The Chilling Effect of Counter-Terrorism Measures: A Comparative Analysis of Electronic Surveillance Laws in Europe and the USA’ (2012) Wolf Legal Publishers, Oisterwijk 463, 467) or more revealing (Alberto Escudero-Pascual and Gus Hosein, ‘Questioning lawful access to traffic data’ (2004) Communications of the ACM 47:3 77, 82). This is precisely why the UN Office of the High Commissioner for Human Rights (OHCHR) felt that such a distinction is no longer tenable (para 19). It was even demonstrated by iiNet that content is embedded in communications data on sites like Twitter and Facebook.



Moreover, the High Court considered s.87(1) of the IPA 2016 in isolation from, for example, s.87(4)(d), which prevents retention notices from requiring telecommunications operators to retain data which is not used by them for any lawful purpose. Lawful purpose is not defined in the IPA 2016, but s.46(4)(a) of the IPA 2016 allows (by regulation, s.46(1) and (2)) any business to conduct interception if it constitutes a legitimate practice reasonably required for the purpose, in connection with the carrying on of any relevant activities, of record keeping. Section 46(2)(b) includes communications relating to business activities, and this could allow interception for ‘business purposes.’ This would square with the Home Office’s position in 2009, where they noted that deep packet inspection (DPI) ‘is a term used to describe the technical process whereby many communications service providers currently identify and obtain communications data from their networks for their business purposes’ (p15). DPI enables Internet Service Providers (ISPs) to access information addressed to the recipient of the communication only; this requires the interception of communications data and content (para 32). This could legitimise practices such as those that occurred in the Phorm scandal, where BT, TalkTalk and Virgin Media made a deal with Phorm to covertly intercept the traffic of their customers. Whether or not it permits Phorm-like activities is not the pressing issue at hand; it is the allowance of intercepted data to be retained (para 125, p1104), which would constitute a lawful purpose under s.87(4)(d) of the IPA 2016. This highlights that the High Court’s focus on s.87(1) blinds them to the realities of communications data being just as serious as, if not more serious than, content, and that, in any event, content could be retained.



Appropriate remedy and the potential chaos that could ensue?



The High Court highlighted the dispute between the Defendants and the Claimants as to the appropriate remedy, where the former felt no further declaratory relief was necessary [32] because it was already conceded that elements of Part 4 were inconsistent with EU law [31], [38]. There was also a dispute as to the period of suspension should the High Court disapply Part 4 [32]. Despite this acknowledgment, the Defendants were of the position that Part 4 should continue as it currently is until it is amended by Parliament [40-1]. The Claimants advocated for a suspended disapplication, which for the High Court:



[W]as a realistic and fair acknowledgement that, in this context, it cannot reasonably be expected that there should, immediately, be no legislation at all in place allowing retention of data that is needed to apprehend criminals or prevent terrorist attacks [42].



The High Court noted that whatever remedy it granted, it should not have the effect of ‘immediately disapplying Part 4 of the 2016 Act, with the resultant chaos and damage to the public interest which that would undoubtedly cause in this country’ [46]. The use of ‘chaos’ was in reference to the Defendants who argued that disapplication was a recipe for chaos [75].



A reason why the High Court preferred not to disapply Part 4 immediately was that there would be no data retention laws in place to aid in the fight against crime and terrorism. This is not actually true: the Budapest or Cybercrime Convention has had legal force in the UK since 1 September 2011. This mainly concerns crimes committed via computer networks, but Article 14(2)(c) allows the UK to adopt measures to collect evidence in electronic form of a criminal offence. This does not appear to limit offences to those described in Articles 2-11. Moreover, Article 16 provides for data preservation, which is the alternative to data retention. This is not the only option available to the UK, as discussed below. The High Court’s position is essentially a strawman because immediate disapplication was not argued, and in any event, the claim that no laws would be in place would not be true if Part 4 were to be disapplied.  



The High Court refers to ‘chaos’ and ‘damage’ to the public interest without explaining why and in what ways this would be possible by disapplying Part 4. The language used by the High Court needs to be critically analysed. Prior to the Data Retention and Investigatory Powers Act 2014 (DRIPA 2014), communications data retention had been voluntary under s.102(1) of the Anti-terrorism, Crime and Security Act 2001 (ACTSA 2001), though the Data Retention (EC Directive) Regulations 2007 and 2009 required data retention to a lesser extent. Previous attempts at mandatory data retention, notably the draft Communications Data Bill (dCDB) in 2013, were halted by the then Coalition partners to the Conservatives, the Liberal Democrats. There was no chaos, or damage to the public interest, prior to DRIPA 2014, when data retention was voluntary, nor when the dCDB was rejected. When the High Court in Davis and Others v Secretary of State for the Home Department and Others [2015] EWHC 2092 (Admin) disapplied s.1 of DRIPA 2014, albeit delayed for eight months [122], they felt it appropriate to give Parliament enough time to scrutinise and pass new laws [121], and not because of the chaos and damage that would ensue due to immediate disapplication.   



The High Court’s position seemingly acts upon the assumption that if data retention obligations are immediately disapplied, there would be no communications data to be accessed. This is simply not the case when one considers one of the biggest telecommunications operators in the world, Google, who store ‘your phone number, calling-party number, forwarding numbers, time and date of calls, duration of calls, SMS routing information and types of calls.’ The legal basis of this is questionable, but the fact remains that such communications data could still be accessed under s.61 of the IPA 2016, where a designated senior officer of a relevant public authority could obtain communications data, whether it exists at the time or not, meaning they could require a telecommunications operator to retain communications data on a forward-looking basis (para 177). This authorisation process is, however, subject to change, requiring authorisation by the Investigatory Powers Commissioner, but the fact remains that the power is unchanged. Moreover, Part 6, Chapter 2 of the IPA 2016 allows for the bulk collection of communications data by the intelligence services.





The High Court referred to the Government swiftly enacting DRIPA 2014 [12]. What they did not mention was that following Digital Rights Ireland and the Court of Justice of the European Union’s (CJEU) invalidation of the Data Retention Directive (DRD), the Government did nothing for three months. The High Court in Davis and Others noted there was not a clear legal basis for the 2009 Regulations and thus some telecommunications operators were considering deleting retained communications data [45-6]. For three months, the Government must have known this was a possibility, but did nothing, then rushed DRIPA 2014 through Parliament with indecent haste in three days (Niklas Vainio and Samuli Miettinen, ‘Telecommunications data retention after Digital Rights Ireland: legislative and judicial reactions in the Member States’ (2015) International Journal of Law and Information Technology 23:3 290, 304).



Finally, the High Court refers to the ‘public interest’ without mentioning what aspects they mean. Is it the public interest in fighting serious crime and stopping terrorism? Even if this is what the High Court meant, they did so without acknowledging that privacy in and of itself is a public interest. This is specifically mentioned in s.2(2)(d) of the IPA 2016. Regan regards privacy as having public value because it is necessary to the proper functioning of a democratic political system (Priscilla M. Regan, ‘Legislating Privacy, Technology, Social Values and Public Policy’ (The University of North Carolina Press 1995)). The then Labour Government even acknowledged ‘that the protection of privacy is in itself a public service.’ Privacy is a prerequisite for liberal democracies because it sets limits on surveillance by acting as a shield for groups and individuals (Alan F. Westin, Privacy and Freedom, New York: Atheneum (1967), 24). Moreover, privacy underpins freedom of expression, religion, thought and conscience, and assembly/association. Furthermore, privacy is not just an individual right, nor does data retention just affect individuals. In Riddick v Board Mills Ltd [1977] QB 881, Lord Denning succinctly put it that:



The memorandum was obtained by compulsion. Compulsion is an invasion of the private right to keep one’s documents to oneself. The public interest in privacy and confidence demands that this compulsion should not be pressed further than the course of justice requires [p896].   



This acknowledges the public interest privacy serves, and to assume this only applies to the objectives such as fighting serious crime and terrorism is to underestimate the fundamental nature and importance of privacy.



Not general and indiscriminate data retention?



The High Court, when considering whether Part 4 of the IPA 2016 permitted general and indiscriminate data retention, referred to the Court of Appeal’s refusal, in Tom Watson and Others v Secretary of State for the Home Department [2018] EWCA Civ 70, to apply the CJEU’s ruling [22-6]. The Court of Appeal’s reasoning remains unconvincing, and their semantic reasoning indicates what they would have held. The Claimants before the High Court argued that Part 4 permitted general and indiscriminate data retention, and thus should be referred to the CJEU; however, the Defendants argued that, reading the IPA 2016 as a whole, this is not the case [120].



The High Court toed the same line as the Court of Appeal in Tom Watson and Others, where they noted that the CJEU were specifically referring to Swedish law [121]. The High Court then summarises their view of the CJEU’s ruling, noting that Member States:



[M]ay adopt legislation which permits decisions to be taken for the targeted retention of data which is (a) sufficiently connected with the objective being pursued, (b) is strictly necessary and (c) proportionate [124].



The High Court were of the opinion that the CJEU’s judgment did not require more detailed factors which may be relevant to the application of those tests [124]. For the High Court, it would be impracticable and unnecessary to set out in detail in legislation the range of factors to be applied to matters such as national security, public safety and serious crime [124]. It must be noted that the issue of national security is a matter that will be dealt with by the CJEU based upon the Investigatory Powers Tribunal’s preliminary reference (analysis here).



Public safety, however, is not an objective that the CJEU considers to be capable of justifying data retention, only serious crime [102], so it is unclear why the High Court even mentions this. The CJEU does refer to serious threats to public security, but this is in regard to the links between the measure and objective evidence [111]. The High Court also does not explain why it would be impracticable and unnecessary to set out in detail the range of factors to be applied, when the CJEU themselves observed that national law must be clear and precise [109]. Not only does this raise issues with EU law, because Part 4 does not provide clear and precise rules (Jennifer Cobbe, ‘Casting the dragnet- communications data retention under the Investigatory Powers Act’ (2018) Public Law 10, 19), but also with the ECHR. The ECtHR have ruled that it is essential to have clear, binding [60] and detailed rules, especially as the technology available for use is continually becoming more sophisticated [229]. The reason for the ECtHR’s position is explained in Szabo and Vissy v Hungary [2016] ECHR 579:



Given the technological advances since the Klass and Others case, the potential interferences with email, mobile phone and Internet services as well as those of mass surveillance attract the Convention protection of private life even more acutely [53].



What the High Court regards as unnecessary and impracticable are actually requirements of both European Courts, with the ECtHR taking the further step of explaining why.



The High Court then notes that the combination of the scope and application of data retention measures and the minimum safeguards are designed to achieve effective protection against the risk of misuse of personal data [125]. Granted, the High Court are repeating points made by the CJEU [109], but this approach overlooks what the ECtHR have held:



The mere storing of data relating to the private life of an individual amounts to an interference within the meaning of Article 8…The subsequent use of the stored information has no bearing on that finding [67].



The misuse of personal data is secondary to it actually being retained (and generated, see s.87(9)(b) of the IPA 2016). The High Court then distinguishes Swedish law from the IPA 2016 in that the latter does not contain a blanket requirement for the general retention of communications data, because it relies upon the discretion of the Secretary of State [127]. This has already been argued to be a semantic argument ‘of distinguishing a catch all power, and a power that can catch all, which of course, in any event, amount to the same thing.’ The High Court also relies on the description that the Secretary of State will only exercise this power if it is considered necessary and proportionate, which, for them, is in line with EU law [128]. But this position betrays their previous reasoning on DRIPA 2014, which had the same requirements of necessity and proportionality [47], with both parties and the High Court accepting that this permitted a ‘general retention regime [65].’ A reason for this position was that the contents of a retention notice cannot be verified, due to disclosure not being permitted unless the Secretary of State permits it (see s.95(2)-(4) of the IPA 2016).



The High Court then argues that it would be difficult to conceive how the tests of necessity and proportionality could require the retention of all communications data, despite the wording of ‘all data’ in the IPA 2016 [129]. This reasoning is problematic, because it relies upon the ‘surely the UK would not?’ position. As Lord Kerr observed in Beghal v Director of Public Prosecutions [2015] UKSC 49, it ‘is the potential reach of the power rather than its actual use by which its legality must be judged [102].’ This is precisely why Cobbe argues:



Retention notices may be tailored to an extent, including by requiring that only data which meets a certain description or is from a certain time period is retained. But s.87 does allow for ISPs to be required to retain "all data" indiscriminately, without differentiation, limitation, or exception, and without clear safeguards for data subject to professional confidentiality (Jennifer Cobbe, see above, 19).



As others and I have argued, s.87(2)(a) and (b) theoretically allow for the possibility of ‘all operators in the UK to be required to retain all data of users and subscribers’ (Matthew White, ‘Protection by Judicial Oversight, or an Oversight in Protection?’ (2017) Journal of Information Rights, Policy, and Practice 2:1, 26) and should be treated as a blanket and indiscriminate power (Matthew White, see above, 25; Jennifer Cobbe, see above, 18; Andrew D. Murray, ‘Data transfers between the EU and UK post Brexit?’ (2017) International Data Privacy Law 7:3 149, 161).



In Liberty v UK [2008] ECHR 568 the then UK Government accepted that s.3(2) of the Interception of Communications Act 1985 allowed:



[I]n principle, any person who sent or received any form of telecommunication outside the British Islands during the period in question could have had such a communication intercepted [64].



For the ECtHR, such a power was virtually unfettered [64], and violated Article 8 for not being in accordance with the law [70]. Furthermore, the High Court’s reasoning acts on the assumption that the only way Part 4 could be unlawful is if it did permit or made it possible the retention of all communications data. This is simply not true, as seen in the case of Liberty above, which did not even concern communications within the UK. Moreover, in S and Marper [2008] ECHR 1581 the GC ‘ruled that general data retention, even on a specific group of individuals (suspects and convicts) violated Article 8.’



The High Court then also incorrectly claims that s.87(2)(b) of the IPA 2016 relates to a ‘description of data’ and not just to ‘all data’ [129], when the actual words are ‘any description of data’, which simply means any and/or all data could be retained. The High Court makes the same mistake with regard to telecommunications operators, in that a retention notice may relate to a particular operator or to a description of operators [129] when, again, the operative words in s.87(2)(a) are any description of operators. The suggestion here is that if a retention notice is issued on one telecommunications operator (because s.87(2) ‘list[s] the elements which may be used when delineating the content and scope of a retention notice so as to satisfy the necessity and proportionality tests in any particular case [129]’), this would be alright. If one uses BT as an example, with over nine million broadband subscribers, would a retention notice on BT to retain all this communications data sit well with the High Court? After all, BT is but one telecommunications operator with a large subscriber base, but crucially not all subscribers, and its subscribers’ communications data do not amount to all the communications data that could be retained in the UK. In fairness, this is as much the CJEU’s problem as it is the High Court’s, as this is where S and Marper makes a crucial distinction: data retention measures that are general and indiscriminate within a group can still be unlawful.



The High Court then refers to the 12-month retention limit [130], but this only serves to highlight the constant interference with fundamental rights, as retention notices will be renewed on a yearly basis. The High Court also refers to the matters to which the Secretary of State must have regard under s.88(1) of the IPA 2016, such as the benefits of the notice, the number of users affected, costs, etc., and the requirement to take reasonable steps to consult the relevant telecommunications operator (see s.88(2)). Regarding the former, the Secretary of State could still issue the intended retention notice irrespective of what has been regarded, and with the latter, there is no obligation to actually consult a telecommunications operator.    



The High Court then refers to the Judicial Commissioner’s (JC) role in the approval of retention notices based on the Secretary of State’s conclusions [133]. This is problematic because there ‘is no obligation on the Secretary of State to make a full and frank disclosure and therefore, the JC and IPC could be misled (accidently or deliberately) (30)’ and could ‘be given a summary of a summary of a summary of a summary of the original intelligence case (30-1).’ The GC have noted that it is essential that the supervisory body has ‘access to all relevant documents, including closed materials and that all those involved in interception activities have a duty to disclose to it any material it required [281].’ This is currently not possible under the IPA 2016. The High Court then refers to the JCs applying principles of judicial review to authorisations [133]. The question as to whether the Wednesbury principles would apply has been subject to debate (29), but the Investigatory Powers Commissioner (IPC) themselves have noted that when human rights issues arise, the necessity and proportionality tests of the ECHR and EU law will be applied instead of Wednesbury (para 17, 19). However, this statement is only advisory and admits it is not binding (para 1), and thus is not a real safeguard.



The High Court then refers to the JC’s general duties under s.2 of the IPA 2016 [133]. The first of these concerns the JC having regard to whether there are less intrusive measures to achieve the objective. There is one, data preservation, but this isn’t in the IPA 2016 (unless one considers s.61 to be a form of data preservation). The second concerns the level of protection given to sensitive information, which is much narrower than sensitive personal data in data protection instruments, as it only includes legally privileged material, journalistic sources, communications with Members of Parliament, etc. The JCs cannot have regard to sensitive information because, as the Bar Council and Law Society have highlighted, the problem with bulk communications data retention is that it does not prevent legally privileged data from entering the ‘pool’ in the first place (para 32). With regard to journalistic sources, the United Nations Educational, Scientific and Cultural Organization (UNESCO) noted that even when journalists encrypt the content, they may neglect to encrypt the communications data, which means they still leave behind a digital trail when they communicate with their sources, making them identifiable (26).



The High Court then refers to the fact that a telecommunications operator can refer a retention notice back to the Secretary of State, which again would require approval by the IPC [134]. And if the IPC approves a notice on BT to retain all the communications data of their subscribers, then what? The High Court summarises Part 4 by noting that they ‘do not think it could possibly be said that the legislation requires, or even permits, a’ general retention regime [135]. However, it was never the argument that the IPA 2016 requires a general retention regime, but that it permits the Secretary of State and JC to require a general retention regime. As the ECtHR have maintained ‘it would be contrary to the rule of law for the discretion granted to the executive or to a judge to be expressed in terms of an unfettered power [230].’ The question is not ‘will they’ but ‘can they.’



The High Court continues that Part 4 and s.2 require a range of factors to be taken into account before a retention notice is issued [135]. Although it was already argued that a ‘catch all’ power is not necessary for Part 4 to be deemed unlawful, it is useful to play Devil’s Advocate. Can the Secretary of State issue a retention notice on all telecommunications operators to retain all communications data if they deem it necessary and proportionate? Can a JC approve this? Can this still be the case if the telecommunications operator refers this back to the Secretary of State, subject to approval by the IPC? If the answer is yes, then this highlights that all the factors that the High Court refers to do not change the operation of the power itself. If the answer is no, then the High Court is ignoring the glaringly obvious implications of a power that can be applied to all or any telecommunications operators to retain any or all communications data.



The High Court then puts its previous judgment to one side (where they agreed DRIPA 2014 permitted a general retention regime) by arguing that:



Even if that assumption were to be applied in this case, it is plain from the analysis set out above, that the 2016 Act does not permit the general and indiscriminate retention of communications data. In any event, we would add that the issue of whether a UK enactment is inconsistent with EU legislation is not to be determined by evidence from either party as to how the domestic scheme is operated in practice or might be operated. Instead, the issue is an objective question of law which turns on the proper interpretation of the two pieces of legislation [136]. 



Essentially, the High Court are saying that, even if the previous judgment was correct, the IPA 2016 is somehow different, despite the wording of the power in DRIPA 2014 being identical. In amazing fashion, the High Court decided that it does not really matter how the law is or might be operated, but relies upon the notion of an ‘objective question of law’ and how it is interpreted. And this is why ignoring the ECHR is problematic, if it was not made clear above, because the ECtHR have consistently held:



[T]hat the mere existence of laws and practices which permitted and established a system for effecting secret surveillance of communications entailed a threat of surveillance for all those to whom the legislation might be applied. This threat necessarily affected freedom of communication between users of the telecommunications services and thereby amounted in itself to an interference with the exercise of the applicants’ rights under Article 8, irrespective of any measures actually taken against them [168].



The High Court’s position is in contrast to the position of the ECtHR, in that secret surveillance can be judged in abstracto or where an individual can claim to actually be the subject of a surveillance measure. All that is required is that one is able to show that they are ‘potentially at risk of being subjected to such measures [171].’ Whether retention notices apply to all telecommunications operators to retain all communications data, or to one telecommunications operator to retain all (or even some) communications data, this allows for the ‘automatic storage for six months of clearly irrelevant data’ and ‘cannot be considered justified under Article 8 [255].’ Even six months is unacceptable to the ECtHR (which raises serious questions as to the 12-month retention limit). This position is strengthened by Advocate General Øe, who noted that:



The disadvantages of general data retention obligations arise from the fact that the vast majority of the data retained will relate to persons who will never be connected in any way with serious crime [252].



Conclusion



This blog post has highlighted many flaws in the approach of the High Court with regard to data retention. Part 4 of the IPA 2016 is consistent with neither the ECHR nor EU law. The High Court have fallen into the same trap as the Court of Appeal did earlier this year when distinguishing a catch all power and a power that can catch all. This post only partially deals with the judgment, as the aspects of entity data and serious crime deserve posts of their own. What is just as disappointing as this judgment is the claim that it was a landmark victory, when in actual fact the rulings against the Defendants were concessions they had already made, leaving the crucial aspect of Part 4 unscathed. A wise little green man might say ‘Victory? Victory you say? Master Liberty, not victory. The shroud of data retention persists. Continue the mass surveillance will.’