Lorna Woods, Professor of Internet Law, University of Essex
This week’s CJEU judgment in Case C-207/16 Ministerio Fiscal is part of the jurisprudence on the ePrivacy Directive, specifically Article 15 which broadly allows Member States to permit intrusions into the confidentiality of communications for certain specified reasons. Article 15 is part of the legal framework for the mass retention of communications data from Digital Rights Ireland (Case C-293/12 and 594/12), EU:C:2014:238) (“DRI”) on and in which the Court has affirmed that retention schemes could be justified only in the case of “serious crime” (Tele2/Watson (Joined Cases C-203/15 and C-698/15), ECLI:EU:C:2016:970). This left the question of what “serious crime” might be, and whether there would be EU law standards circumscribing the scope of this term. It is this question that the reference here seeks to address, though it should be noted that the facts in issue were very different from those in the earlier cases.
The reference arose in the context of a police investigation relating to the theft of a wallet and a mobile phone. The police wished to identify the new phone number associated with the stolen phone, as well as the details of persons associated with that new number. However, Spanish law required that – to access such information – the police must be investigating a serious crime and the domestic courts here found that the facts giving rise to the investigation did not constitute a serious crime according to Spanish law. The reference to “serious crime” can be found in the Court’s case law in DRI, which – considering the right to private life and to data protection in Article 7 and 8 of the EU Charter of Fundamental Rights, set that as a minimum threshold for the retention of communications data en masse by telecommunications operators.
The national court referred a question on the meaning of Article 15(1) of the ePrivacy Directive (Directive 2002/58/EC, as amended) in the light of this jurisprudence. Article 15 allows Member States to restrict some of the rights granted by the ePrivacy Directive in the interests of, inter alia, the prevention, investigation, detection and prosecution of criminal offences. The national court asked whether the use of length of sentence available for a crime can be used to determine whether ‘it is also necessary to identify in the criminal conduct particular levels of harm to individual and/or legally protected interests’? If length of sentence period alone suffices, is there a minimum in order to comply with the requirements of DRI?
The first issue before the Court was that of its jurisdiction to hear the question. Both the Spanish and UK governments argued that the Court did not have jurisdiction because criminal law is excluded from the scope of the Data Protection Directive (Art 3(2)) and the ePrivacy Directive (Art 1(3)). The Court referred, however, to its previous judgments in this field, to hold that legislative measures derogating from the rights in the ePrivacy Directive based on Article 15 still come within its scope even if the measures pursue objectives which overlap substantially with the fields excluded from the ePrivacy Directive by Article 1(3). [para 34] It concluded, relying on Tele 2/Watson, that the scope of the ePrivacy Directive:
extends not only to a legislative measure that requires providers of electronic communications services to retain traffic and location data, but also to a legislative measure relating to the access of the national authorities to the data retained by those providers [para 35].
The Court also dismissed other submissions on admissibility made by the Spanish government, re-iterating its long-standing position that ‘where the questions put by national courts concern the interpretation of a provision of EU law, the Court is, in principle, bound to give a ruling’ [para 45].
The Court considered the two questions referred by the Spanish court together. The Court specified that the question in issue did not relate to the compliance of the communications service providers with the law but ‘whether, and to what extent, the objective pursued by the legislation .. is capable of justifying the access of the public authorities, such as the police, to the data…’ [para 49]. The Court reiterated the approach taken by its Advocate-General to hold that there would be an interference through such access, even if such interference was not serious, nor the data accessed sensitive.
The Court noted that the list of objectives for the purpose of Article 15 ePrivacy Directive is exhaustive and that the authorities’ need for access must genuinely correspond to one of those objectives. Article 15 does not, however, limit access to the fight against serious crime – it refers to criminal offences generally. The reference to “serious” comes from the Court’s case law where it was dealing with situations involving a serious interference with the right to private life.
By contract, when the interference that such access entails is not serious, that access is capable of being justified by the objective of preventing, investigating, detecting and prosecuting ‘criminal offences’ generally [para 57].
The Court then redefined the object of its considerations to the question of whether the interference in this case was ‘serious’. Since the data sought related only to a short period of time and could not be cross referenced with other data, precise conclusions regarding the private lives of the persons in issue could not be drawn. Therefore there was not a serious interference with the individuals’ right to private life.
This judgment could be described as tactical. The Court has re-iterated that it does have jurisdiction in these areas covered by Article 15. Although earlier jurisprudence on the ePrivacy Directive distinguished between the commercial operators’ obligation to retain data (falling within the internal market) and access by the police to those data, the Court did not limit its power of review in Tele2/Watson along those lines, and it followed that Tele2/Watson approach here. Access to the data by state authorities requires processing by the telecommunications operators (see para 37).
At the same time the Court stepped away from the difficult question, through its reformulation of what the referring court asked. In so doing, it avoided the issue not just of what “serious crime” is, but that of whether “serious crime” is an autonomous EU concept. In this the Court followed its Advocate General (Opinion 3 May 2018, ECLI:EU:C:2018:300) who went as far as to argue that “criminal law” should not be an autonomous concept of EU law. While it avoided this question, and indirectly answered the question as to whether access to communications data for anything less than serious crime is permissible under EU law, it has not helped the Spanish court which is faced with a national law that specifically refers to a threshold of seriousness. Moreover, in emphasising its proportionality argument to suggest that the access for less serious crimes could be permissible, there is a danger that this may be read as saying that national laws should so allow access – an interpretation which would oversteps the bounds of its competence just as much as defining “serious crime” would.
The judgment re-iterates that Articles 7 and 8 of the Charter are engaged whether or not the interference is deemed serious or not; equally, the ruling recognises that there may be different levels of intrusion that need greater or lesser justifications. Here the data sought was limited in type, and related to a limited period of time. The question of what is intrusive, especially in the context of the use of predictive analytics, has not yet been fully answered.
The Court’s emphasis on its previous caselaw, notably Tele2/Watson as well as DRI, may be seen as trying to build a consistent approach within this case law and also reaffirming the principles laid down in those cases. This judgment can then be seen as a re-affirmation of the approach in Tele2/Watson, which might be significant in the light of pending references seeking to ask the court to resile from its position there, notably the questions referred by the IPT in the Privacy International litigation (Case C-623/17, pending) regarding the scope of exclusive Member State competence as regards national security.
One final point is about the implications of the Court’s ruling on recent English caselaw – the Court of Appeal in Watson ( EWCA Civ 70) and the Divisional Court in Liberty ( EWHC 975 (Admin)). In Liberty, the Government argued, successfully, that a category of communications data in the Investigatory Powers Act, “entity data”, did not fall within the ePrivacy Directive and therefore the ruling in Tele2/Watson as it was neither "traffic data" or "location data" within Article 2. The Court declared the matter acte clair and refused to make a reference to the Court of Justice (Liberty, paras 154-55). Yet, the very data that the Spanish authorities were seeking in the case before the Court of Justice were those that would identify the users of a phone, not the details of those users’ communications. The Spanish Government put forward a similar argument, but the Court declared this to be “irrelevant” [para 40]. Expressly following its Advocate General, the Court held that the ePrivacy Directive “governs all processing of personal data in connection with the provision of electronic communications services” [para 41]. This holding throws some doubt on the Divisional court’s view both as to the scope of the ePrivacy Directive and certainly the fact that the interpretation of the directive is acte clair.
Barnard & Peers: chapter 9
JHA4: chapter II:7
Photo credit: PixelVulture