Lorna Woods, Professor of Internet Law, University of Essex
Advocate General Campos Sánchez-Bordona has handed down his opinions in three more cases (SpaceNet and Telekom Deutschland (Joined Cases C-793/19 and C-794/19), GD v Commissioner of the Garda Síochána (Case C-140/20) and VD and SR (Joined Cases C-339/20 and C-397/20)) which concern the retention of communications data, and constitute the latest instalment of a saga that started – ineffectually as far as rights-based arguments are concerned – in the unsuccessful Irish challenge to the Treaty base chosen for the Data Retention Directive (Directive 2006/24/EC) (Ireland v European Parliament and Council (Case C-301/06)).
The Data Retention Directive, which provided for communications data retention, effectively within the scope of the exceptions found in Article 15 of the e-Privacy Directive (Directive 2002/58/EC) to the principle of communications confidentiality, was struck down in Digital Rights Ireland (Joined Cases C-293/12 and C-594/12) (discussed here). Building on the principles there, a series of cases developed the constraints on what was permitted by Article 15 e-Privacy Directive, notably: Tele2 Sverige and Watson (Joined cases C-203/15 and C-698/15) (discussed here and here), La Quadrature du Net and Others (Joined cases C-511/18, C-512/18 and C-520/18) and Privacy International (Case C-623/17) (discussed here). Points of detail have been added in Ministerio Fiscal (Case C-207/16) (discussed here) and HK v Prokuratuur (Case C-746/18). The principles underpin the data transfer cases: Schrems I and Schrems II. As well as recommending that the Court continue with its approach, maintaining the gap between it and the European Court of Human Rights, the Opinion of the Advocate General indicated a certain irritation with the national courts unwilling to apply clear principles and necessitating more Grand Chamber rulings on this topic. In other words, not much is new here, but rather a re-iteration of the principles and distinctions on which this jurisprudence has been built.
SpaceNet and Telekom Deutschland concern the German legislation requiring internet service providers to retain communications data. Reflecting to some degree the concerns highlighted in the CJEU’s previous jurisprudence, the German law had excluded the communications data of certain help lines from the regime, the data collected was retained for a comparatively short period, and there were safeguards against misuse of the retained data. SpaceNet and Telekom Deutschland had each challenged this law on the basis of the CJEU’s jurisprudence.
GD v Commissioner of the Garda Síochána arises from a murder case, the prosecution of which was based on communications data retained and accessed via legislation that provided for mass retention of data. The defendant challenged the admissibility of this data arguing it was contrary to EU law requirements.
Joined cases VD and SR also concern criminal prosecution for financial offences, based on communications data. This time the data retention was based on national law implementing Directive 2003/6/EC, as well as Regulation 596/2014, rather than concerning the e-Privacy Directive. These rules allowed access to existing communications data held by telecommunications operators. The reference raised the question of these rules’ compliance with the fundamental rights of Article 7 and 8 EU Charter, as interpreted by the case law on the e-Privacy Directive.
In each case, the Advocate General suggested that the Court hold that the national laws were incompatible with Charter rights, re-iterating that the relevant provisions
‘must be interpreted as precluding national legislation which obliges providers of publicly available electronic communications services to retain traffic and location data of end users of those services on a precautionary, general and indiscriminate basis for purposes other than that of safeguarding national security in the face of a serious threat that is shown to be genuine and present or foreseeable’ (Spacenet, para 84)
In all three opinions, he re-stated the conditions found in La Quadrature du Net, para 128. This principle was specifically applied to investigations into insider dealing or market abuse (ie not national security) in VD and SR (para 97). In GD it added that access to such data legitimately retained must be subject to prior independent authorisation, and that the temporal effect of the ruling could not be limited (so that the ruling had prospective effect only) (GD, para 82 – see to similar effect VD and SR, para 97). The Advocate General also noted that there was a distinction between the approach of the CJEU and the European Court of Human Rights, but that the jurisprudence of that Court provided a base level and the requirements of the Charter could be higher than those of the Convention.
The jurisprudence has built on a series of, generally binary, distinctions, the most basic of which is that between EU and national competence, given that Article 4(2) TEU requires the EU to respect Member States’ essential state functions, including maintaining law and order. It specifically states:
“national security remains the sole responsibility of each Member State”.
Many Member States use data retention and the analysis of data as part of their fight against terrorism and in support of national security. On this basis it has been argued that national laws providing for such schemes fall outside the competence of the EU, and in SpaceNet a number of governments intervened to make the same argument again. This argument in the words of the Advocate General has been “emphatically rejected” (SpaceNet, para 32), citing La Quadrature du Net, though this position is more clearly seen in Privacy International and had already been established in Tele2 Sverige and Watson (and could be seen as implicit in the distinctions employed in Ireland v European Parliament and Council). While Article 4 TEU does exclude national security from the scope of EU law, it is to be narrowly understood - applicable to the activities of intelligence agencies for the purposes of safeguarding national security. This seems to be a well-established principle and unlikely to be disturbed now, no matter the representations of the Member States.
Another longstanding distinction made in the case law is between content of communications and communications data (meta data), including traffic data (which seemingly also includes the subscriber name and the IMEI address of the mobile device according to Ministerio Fiscal, paras 40-42) and location data. Mass acquisition of the content of communications goes to the essence of the right and cannot be justified. The Court has accepted that the acquisition of communications data in principle could be justified, as can be seen in Tele2 Sverige and Watson, Privacy International and La Quadrature du Net, suggesting that the intrusion caused by mass acquisition of communications data is less serious than that caused by knowledge of content. Whether – given the harm attributed to this collection: the possibility of creating detailed profiles on individuals – this is wholly true is debatable. Note, however, that the Court has accepted that some sorts of data may be seen as less sensitive – notably identity and IP addresses in the context of criminal investigations.
The Court suggested in Ministerio Fiscal that the intrusion was less (perhaps to enable itself to justify taking a different approach from Tele2 Sverige and Watson), though it was unclear as to whether this was to do with the type of data in issue or because of the limited amount of data involved (and its severability from other data). In its ruling, the Court confirmed that access to retained data which reveals the date, time, duration and recipients of the communications, or the locations where the communications took place, must be regarded as a serious interference since that data allows precise conclusions to be drawn about the private lives of the persons concerned (para 60), suggesting it is what you can do with the data that is important rather than the amount of data. The Court has suggested in other contexts that certain types of data are less important: see the data involved in PNR cases (Opinion 1/15, especially para 151, discussed here). In the current opinions, the Advocate General reiterated the position in La Quadrature du Net as regards IP addresses and identity (Spacenet, paras 81-82; VD and SR, para 80) but did not elaborate further. The question about small sets of eg location data remains open.
This possibility of profiling and its impact on users has led the Court to develop stringent conditions for the collection of data which are based on two interlinking sets of distinctions: that between general and targeted measures, and between national security and the fight against crime (with a sub-division between serious and other sorts of crime). For all three cases, the Advocate General re-iterated the general principles established by the case law to date – though it is worth noting that he relied for preference on La Quadrature du Net (as a judgment which synthesised or summarised preceding case law), rather than other landmark cases – notably Tele2 Sverige and Watson – perhaps because (in the eyes of some) La Quadrature du Net allowed some State measures that would not seem on first glance to fall within Tele2 Sverige and Watson – and which the Advocate General described as “supplementary qualifications” (GD, para 4). So, “general and indiscriminate retention of traffic and location data can be justified only by the objective of safeguarding national security”, which is distinct and more serious or important than the other objectives listed in Article 15 e-Privacy Directive (GD, para 36, Spacenet, para 37, VD and SR, para 75, each citing La Quadrature du Net). In sum, provided all the other conditions are satisfied, national security threats justify indiscriminate data retention, whereas serious crimes only suffice to legitimise targeted data retention.
Of course, this begs the question of what falls within national security for the purposes of Article 15 and what constitutes serious crime. According to Ministerio Fiscal, the boundary between crime and serious crime falls to be determined by the Member States. While respecting national procedural autonomy, this might be open to manipulation or interpreted broadly (as the special, expansive definition of serious crime in the Investigatory Powers Act – when the UK was still a member of the EU – suggests). The Court in La Quadrature du Net suggested that national security
“encompasses the prevention and punishment of activities capable of seriously destabilizing the fundamental constitutional, political, economic or social structures of a country and, in particular, of directly threatening society, the population or the State itself” (para 135).
In VD and SR the Advocate General emphasised that the two types of measures – those aimed at safeguarding national security and those which are aimed at combatting crime – cannot have the same scope as otherwise the distinctions in La Quadrature du Net (with regard to the possibility of indiscriminate surveillance) would have no purpose and the fundamental rights protections would likely be undermined – and this is true no matter how serious the crime (VD and SR, paras 83-86).
As regards targeting, the Court has suggested that this need not be at the level of the individual but could relate to localities or to groups – suggestions which may raise all manner of social, political as well as technical questions (and see here, Interpol’s distinctions). As the Advocate General pointed out, it is not the responsibility of the CJEU to draft compliant regimes; this is the responsibility of the Member States.
La Quadrature du Net imposed conditions on national security and generalised surveillance, as well as on targeted surveillance for serious crime. In Privacy International, the CJEU restated its position that national legislation must develop objective criteria for both the acquisition of a particular dataset from a service provider and its actual use by the relevant authorities (see paras 78-81). Moreover, it seems that these conditions apply not just to traffic and location data, but also to provisions regarding the preventive retention of IP addresses, subscriber information and other measures aimed at combatting serious crime. But there are questions about the extent to which various sorts of safeguards may compensate for other weaknesses in the system (and this same question can be seen in respect of the European Court of Human Rights’ jurisprudence where it blends lawfulness with safeguards and safeguards with proportionality, effectively reducing the scrutiny over acquisition in favour of control over use – an approach which does not deal with the chilling effect of Government access to and storage of data). The Advocate General here rejects this blurring of safeguards over access with control over acquisition and retention:
“for the Court, ‘the retention of traffic and location data constitutes, in itself … an interference with the fundamental rights to respect for private life and the protection of personal data’. In this regard ‘access to such data is a separate interference’ with those fundamental rights, irrespective of the subsequent use made of it.
For the present purposes it is therefore irrelevant that the data protection arrangements for retained data provided for in the German legislation (a) provide effective safeguards to protect those data; (b) place rigorous and effective limits on access conditions, restricting the circle of people who can access the data; and (c) allow the retained data to be used solely for the purposes of investigating serious offences and preventing specific risks to life or a person’s freedom or to the security of the state.
The truly decisive element is that, … , the retention obligation at issue is not in itself subject to any specific conditions.” (paras 74-76)
Limited retention periods constitute another such safeguard; as the German Government argued in Spacenet, it means that less detailed profiles might be drawn – and in this seems similar to the approach of the Advocate General in HK v Prokuratuur (para 82). While the Court agreed that the period of data retention was a relevant factor in determining the severity of the intrusion, it took the view that traffic and location data are generally sensitive because they allow for far-reaching conclusions about private life and that therefore should only be permitted in relation to serious crime (and presumably the protection of national security). The Advocate General noted in Spacenet that a limited retention period cannot justify a general retention requirement (in relation to crime) (para 66). Moreover, the time period must be considered alongside the quantity of data retained and the techniques available for analysis (Spacenet, para 70).
While acquisition, storage and access of data constitute different infringements (and real-time access may give rise to different levels of intrusion from analysis of historic data), there are questions about the links between them. If retention may be justified only for serious crime, presumably access is likewise limited (the Court did not discuss this point in Ministerio Fiscal). This link was discussed in VD and SR. The legislation permitted access to existing records, but did not provide a basis for storage in the first instance. While the French Government argued that the market manipulation legislation implicitly allowed for data retention, the Advocate General argued that these existing records “can only be ‘lawfully existing records’, that is to say those compiled in accordance with Directive 2002/58” (VD and SR, para 62, emphasis in original).
This makes clear that matters pertaining to communications confidentiality are not easily to be displaced. In any event, even if such ‘implicit authorisation’ were to be accepted, “such retention would be subject to the same conditions as would necessarily apply if it were based on any other EU legislative provision”. That is, all EU legislation must comply with the requirements of the EU Charter, and the Court’s interpretation of the requirements of Article 7 and 8, arising in the context of the e-Privacy Directive, does not apply to Article 7 and 8 only in the context of that directive but more generally. This recognition is important given the increasing acquisition of data by the private sector and its sharing with the public sector with the aim of delivery of public services of all kinds. For this reason, the requirement of approval of access requests by an independent body (seen also in GD in the context of the e-Privacy Directive) also arose in relation to the insider dealing and market manipulation legislation (para 95). We might see in this the beginnings of a general approach to constraining state surveillance activities; it will be interesting to see the extent to which the Court pulls through concerns about profiling from this group of cases through to, for example, PNR. There is a new reference pending challenging the broad nature of PNR data collected in Directive 2016/681/EU (Ligue des droits humains (Case C-817/19) – the hearing for this case is discussed here). The next question is where the boundary is between concerns about profiling in the context of national security and combatting crime, and profiling to support data-driven public service delivery more generally. This distinction does not yet seem to have been considered.
Barnard & Peers: chapter 9
JHA4: chapter II:7