Tuesday 11 February 2014

The EU’s Data Retention Directive: Fighting Back against mass surveillance in the EU’s Court of Justice

Steve Peers

I’m writing this post on ‘The Day We Fight Back’ against mass surveillance. So it seems a suitable day to comment (a bit belatedly) on the Advocate-General’s opinion from last December on the validity of the EU’s data retention Directive (Directive 2006/24; Cases C-293/12 Digital Rights and C-594/12 Seitlinger).

Overall context

These cases, referred from the Irish and Austrian courts, present the Court of Justice of the EU (CJEU) with its best chance yet to deliver an iconic judgment relating to the EU’s Charter of Fundamental Rights. The Test-Achats judgment of 2011, concerning the invalidity of EU rules permitting insurance discrimination between men and women, just didn’t amount to such a judgment, resulting as it did in higher car insurance rates for women drivers without much analysis of the key issues by the CJEU.

This time around, the CJEU is aware that: the constitutional courts of Germany and Romania have criticised the Directive on fundamental rights grounds; the European Court of Human Rights is dubious about mass surveillance (cf the S and Marper judgment); and there is considerable public concern across the EU about mass surveillance, in particular in the current context of revelations about spying by American security agencies.

As for the Directive itself, it requires Member States to compel telecom and Internet access providers to keep records of all phone calls, Internet use and mobile phone location data for at least six months, with no real fixed upper limit, so the police can access those records for the purposes of investigations into serious crime. (There is a nominal two-year upper limit for keeping this data, but Member States can keep in place any higher limits that they already applied, or ask the Commission for the power to set new higher limits in place if they didn’t already apply them). Other EU laws giving Member States an option to require that telecom providers keep such data for other reasons were unaffected. Overall, as I pointed out at the time, ‘Member States could insist on (or at least request) the retention of any type of data for any type of security purpose for any period at all’.

Furthermore, the Directive set no safeguards as regards the use of that data which industry was required to retain. This was because the Directive had to limit itself to regulation of the telecoms industry, due to its ‘internal market’ legal base (upheld by the CJEU in Case C-301/06 Ireland v EP and Council), so it couldn’t regulate what police forces did with the data when they got it.

While it is possible that this mass surveillance may assist in the prosecution of crime or the prevention of terrorism, that does not automatically excuse it. No doubt there is less crime in totalitarian states, but democratic states need to strike a balance between liberty and security. According to the long-standing case law of the European Court of Human Rights, targeted surveillance is only acceptable if the law in question is very precise and sets out detailed safeguards for the persons concerned. This must surely apply a fortiori to laws such as this Directive, which provide for mass surveillance – if indeed such surveillance can ever be justified at all.

The Advocate-General’s opinion

The opinion takes as its starting point (correctly) that the data retention Directive interferes with the rights to privacy and data protection (Articles 7 and 8 of the Charter). So the focus of the case is whether such interference can be justified. Article 52(1) of the Charter allows restriction of Charter rights where those restrictions are provided for by law, respect the essence of the rights, and are proportionate to protecting a public interest recognised by EU law or the rights of others. Here there is clearly a public interest, so the Advocate-General examines the other facets of the test.

He concludes that the EU Directive is not ‘prescribed by law’, within the meaning of that phrase set out in the jurisprudence of the European Court of Human Rights. The crucial problem here is the quality of the law set out in the Directive. In particular, it is not sufficiently precise as regards the limitation on Charter rights, and it does not set out guarantees for use of the data.

This raises an issue specific to the nature of the relationship between the EU and its Member States. Since Directives must be applied by Member States in their national law, it could potentially be left to the Member States to provide for such precise details concerning the interference with Charter rights when they transpose the Directive. It would be possible for the CJEU to clarify further what such rules must address, as it has in a line of case law concerning interference with privacy rights justified by the protection of intellectual property (ie downloads of music, et al, in breach of copyright).

The Advocate-General rejects that possibility here – and quite rightly. The difference is that the data retention Directive requires the Member States to interfere with Charter rights, whereas the legislation at issue in the other cases merely permits them to do so. In such a case the EU must surely bear a significant part of the responsibility – if not the whole responsibility – for satisfying the ‘quality of law’ test. This would be consistent with the case law of the European Court of Human Rights in the Bosphorus Airways v Ireland case, and the draft EU accession agreement for the ECHR, which both distinguish between cases where the EU requires its Member States to act, and where it simply permits them to do so.

Yet on this point, there is another complication arising from the nature of EU law. Before the entry into force of the Treaty of Lisbon, the legal order of the Union was divided into three so-called ‘pillars’. While the internal market was part of the first pillar (Community law), police cooperation was part of the third pillar (policing and criminal law). So a Directive based on the internal market could not address issues relating to police cooperation, and this Directive does not. That was precisely why the CJEU rejected the Irish government’s challenge to the Directive in 2009.

To address this problem, the Advocate-General suggests that the EU should at least have agreed some guarantees informally. But this would not be good enough, as non-binding guarantees would not satisfy the ‘quality of law’ test. The EU could, however, have adopted a third pillar ‘Framework Decision’ setting out such guarantees before the Treaty of Lisbon; and now it can set them out in the form of a Directive.

Finally, the Advocate-General concludes that the Directive is also disproportionate, since there is not a good enough reason for the possibly unlimited period of retaining personal data. Yet it must be pointed out that Member States’ power to retain existing national laws allowing for longer periods of data retention is built into the internal market rules of the Treaty. To disable the application of those provisions, the Court of Justice would have to rule that the Charter took priority over the Treaty (ie, other EU primary law).

These cases give the opportunity to the CJEU to add a lot of flesh to the bones of the rules concerning interference with Charter rights – in particular the application of the ‘quality of law’ test, which the CJEU has not referred to at all before. The difficulties created by the previous division of EU law into pillars, and the particular rules set out in the internal market provisions of the Treaties, must also be addressed. Yet in light of the overall context of these cases, the established jurisprudence of the European Court of Human Rights, and the strong opinion of the Advocate-General, it would simply be shocking if the Court of Justice did not either rule the Directive invalid, or at the very least lay down detailed rules which Member States have to follow when applying it.

[update: the CJEU gave its ruling in April 2014. For discussion of the judgment see here.]

Barnard & Peers: chapter 9

No comments:

Post a Comment