Human rights v the European Arrest Warrant? The legality of surrender detention after 90 days

Joske Graat, PhD student, Utrecht University

The Amsterdam District Court, which has the exclusive jurisdiction in the Netherlands to decide on incoming European Arrest Warrants (EAW), currently finds itself stuck between national rules and EU law obligations on detention and provisional release.  According to the Dutch Surrender Act (SA), the requested person needs to be (provisionally) released 90 days after the receipt of the EAW if the court has not delivered a decision by then. In 2015, the Court of Justice of the European Union (CJEU) decided in Lanigan (discussed here) that the Framework Decision on the European Arrest Warrant (FDEAW) does not require the release of the requested person after 90 days as national courts need to be able to ensure that the substantive conditions for surrender are at all times guaranteed. Consequently, extending the detention beyond this term is allowed in compliance with national rules. This is, however, exactly where the trouble starts in the Netherlands, since article 22(4) SA does not allow for such an extension. As a result, the strict obligation under national law to release the requested person might clash with the EU obligation to ensure the effectiveness of the surrender procedure.

We will see that the solution of the Amsterdam District Court to this problem, which is to interpret Dutch legislation in the light of the FDEAW, is itself problematic. In my opinion, the interpretation of the relevant provisions interferes with the legal certainty of the requested person and constitutes a contra legem interpretation. The legal certainty concerns have in fact resulted in a preliminary question to the CJEU, but it is questionable whether any answer would solve the problem at hand or would further complicate matters. (The CJEU has fast-tracked the case, and an Advocate-General’s opinion is due on November 6th) Hence, I would argue that it is time for the Dutch legislator to step in.

The issue of clashing national and European obligations regarding detention has become increasingly urgent as it becomes – as a result of other EU law obligations - ever more difficult to reach a decision on an EAW within 90 days. These obligations include the duty to refer preliminary questions and the obligation established in Aranyosi & Căldăraru (discussed here) to ask the issuing state for information contradicting a possible violation of article 4 Charter of Fundamental Rights of the European Union (CFR). Fulfilling these obligations often prolongs surrender proceedings and could result in the release of requested persons, even if the risk of absconding is real.  In the latter case, the order to release would violate the general obligation in Article 17 FDEAW to ensure that the substantive conditions for surrender remain guaranteed.

As I stated before, the Amsterdam District Court tried to find a way out in seeking to interpret Dutch legislation in conformity with the FDEAW. It ruled that Article 22 SA not only contains the power to extend the decision term after 90-days, but also includes the competence to suspend the 90-day term before it has lapsed. In case of the latter, the 90-day term is barred and thus the requested person might de facto be detained for more than 90 days. This possible effect of the new interpretation of Article 22 SA has been criticized in the light of the right to liberty in article 5 European Convention on Human Rights (ECHR) and 6 CFR.

A complaint was filed before the European Court of Human Rights (ECtHR), questioning whether the interpretation of Article 22 SA violates the requirement of a clear legal basis for detention in article 5(1)(f) ECHR. Remarkably, the Dutch government contended that this requirement has indeed been violated and has offered compensation for the unlawful detention. Unfortunately, though, the ECtHR therefore, struck the case, which was not decided on the merits. Meanwhile the Amsterdam District Court itself has recently requested a preliminary ruling on whether legal certainty as protected by Article 6 CFR is violated by the current interpretation of Article 22 SA.

In my opinion, this interpretation of Article 22 SA is not only an unjustified interference with the principle of legal certainty; it is also a contra legem interpretation. To start with the former. It is true that the current case law of the CJEU interprets legal certainty as a restriction to the duty of conform interpretation (sometimes called ‘indirect effect’) in a narrow manner. Legal certainty bars conform interpretation when this would result in determining or aggravating criminal liability on the basis of the FDEAW alone. In this sense, legal certainty is obviously no barrier to the current interpretation of Article 22 SA.

However, the general scope of the principle of legal certainty is not restricted to establishing or aggravating criminal liability. The principle is also part of Article 5 ECHR and 6 CFR which demand that the procedure for detention pending extradition is sufficiently accessible, precise and foreseeable to prevent arbitrary interferences with the right to liberty. Even though the broad concept of ‘the law’ in Article 5 ECHR, which includes both formal statutes and case law, allows the interpretation of a written rule in jurisprudence, the ECtHR has decided in past cases that a violation of Article 5 ECHR may occur when the national authorities do not interpret or apply the rules on extradition detention in a uniform manner. These cases concerned diverging opinions of national judicial authorities regarding the application of time limits and the use of a particular national provision as a legal basis for detention. The situation at hand is slightly different, since it concerns a difference in opinion between the court and the Dutch legislator, who stated explicitly that the requested person should be released after 90 days. However, I would argue that a similar risk of arbitrariness and threat to legal certainty exists in this situation. Can we really speak of a sufficiently foreseeable and accessible procedure for surrender detention when the judiciary and the legislator disagree on the interpretation of Article 22 SA?

In case the CJEU were to find the interpretation of Article 22 SA compatible with legal certainty, it should still be considered contra legem. This restriction to the duty of conform interpretation is often connected to the legal certainty principle but constitutes essentially a different test. In my opinion, the current interpretation of Article 22 SA contradicts the wording of the provision. The text as well as the intention of the legislator are crystal clear. Release after 90 days means release after 90 days. In addition, suspending a decision means in common parlance ‘halting or stopping’ an ongoing term which has not yet lapsed, whereas extending means ‘adding’ time to a term which has already lapsed. Hence the wording and meaning of Article 22 SA simply does not allow the interpretation as it follows from the case law of the Amsterdam District Court.

Lastly, we should also view the consequences of a rejection of the current interpretation of Article 22 SA. Is the Amsterdam District Court provided with the means to solve the remaining clash between its duties when an interpretation of the Dutch rule in conformity with the FDEAW is impossible? The answer is – at least for now - that it is not. This could change if the CJEU in the future decides that the primacy rule also applies to former third-pillar framework decisions. This question has equally been put before the CJEU by the Amsterdam District Court, but has remained yet unanswered (the case is still pending).

Application of the primacy rule would bring along its own problems however. It would resolve the clash between EU obligations and national law but might at the same time harm the legal certainty of the requested person. After all, it will depend on the concrete circumstances of each case whether the decision-term will be suspended or not and, therefore, whether Article 22 SA will be applied or not. If this effect would be corrected by a legal certainty exception to the primacy rule, legal certainty may be ensured, but the clash between EU law and national law would continue to exist.

The devilish dilemma for the Amsterdam District Court may thus not easily be solved by the CJEU. It is indeed difficult to see how any decision of the CJEU would not further complicate matters rather than solve them. Most likely the CJEU will not be able to provide the Amsterdam District Court with a way out of its impasse while at the same time protecting legal certainty. This brings another state authority in the picture: the Dutch legislator. This authority could in fact quite easily solve the problem. A simple adaption of Article 22(4) SA changing it into a discretionary competence instead of an obligation would suffice. In other words, it is time for the national legislator to come to the rescue of the Amsterdam District Court.

This blog is based on a publication in Strafblad in May 2018.

J.J.M. Graat, ‘Een dilemma voor de Overleveringskamer’, Strafblad 2018(2) 20.

Barnard & Peers: chapter 25

JHA4: chapter II:3

Photo credit: The Panopticon Chronicles

Immigration detention and the rule of law: the ECJ’s first ruling on detaining asylum-seekers in the Dublin system

Tommaso Poli, LL.M. candidate in Human Rights and Humanitarian Law at the University of Essex, School of Law.

One of the most controversial issues in immigration law is the detention of asylum-seekers. This issue was not initially addressed by the European Common Asylum System (CEAS), but is now addressed in some of the second-phase CEAS measures (the CEAS consists of the Asylum Procedures Directive, the Reception Conditions Directive, the Qualification Directive, the Dublin Regulation and the EURODAC Regulation).

In particular, the second-phase CEAS measures contain detailed rules on detaining asylum-seekers in two cases:  a) general rules in the Reception Conditions Directive, which were the subject of a first ECJ ruling in 2016 (discussed here) and a recent opinion of an Advocate-General; and b) more specific rules in the Dublin III Regulation, applying to asylum-seekers whose application is considered to be the responsibility of another Member State under those rules. Recently, the ECJ ruled for the first time on the interpretation of the latter provisions, in its judgment in the Al Chodor case.

As we will see, the Court took a strong view of the need for the rule of law to apply in detention cases. Moreover, its ruling is potentially relevant not just to Dublin cases, but also detention of asylum-seekers and irregular migrants in other contexts too.

The rules on detaining asylum-seekers in the context of the Dublin process are set out in Article 28 of the Dublin III Regulation. First of all, Article 28(1) states that asylum seekers can’t be detained purely because they are subject to the Dublin process. Then Article 28(2) sets out the sole ground for detention: when there is a ‘significant risk of absconding’. If that is the case ‘Member States may detain the person concerned in order to secure transfer procedures in accordance with’ the Dublin rules, ‘on the basis of an individual assessment and only in so far as detention is proportional and other less coercive alternative measures cannot be applied effectively’.

Next, Article 28(3) sets out detailed rules on time limits for ‘Dublin detention’; these are the subject of the pending Khir Amayry case. Finally, Article 28(4) states that the general rules on guarantees relating to procedural rights and detention conditions set out in the Reception Conditions Directive apply to asylum-seekers detained under the Dublin rules.

Al Chodor concerned the interpretation of the grounds for detention under Article 28(2): what is a ‘serious risk of absconding’?  The Dublin III Regulation offers some limited clarity, defining ‘risk of absconding’ as ‘the existence of reasons in an individual case, which are based on objective criteria defined by law, to believe that an applicant or a third country national or a stateless person who is subject to a transfer procedure may abscond.’ (Article 2(n) of the Regulation). 

Facts

The case relates to an Iraqi man and his two minor children who were travelling from Hungary in the Czech Republic, without any documentation to establish their identity, with the aim of joining family members in Germany. After stopping the Al Chodors, the Czech Foreigners Police Section (FPS) consulted the Eurodac database and found that they had made an asylum application in Hungary. As a consequence, the Al Chodors were subjected to the transfer procedure according to Article 18(1)(b) of the Dublin III Regulation. In addition, the FPS took the view that there was a ‘serious risk of absconding’, given that the Al Chodors had neither a residence permit nor accommodation in the Czech Republic, while they were waiting for their transfer to Hungary.

So, they placed the Al Chodors in detention for 30 days pending their transfer pursuant to Paragraph 129(1) of the national law on the residence of foreign nationals, read in conjunction with Article 28(2) of the Dublin III Regulation. The Al Chodors brought an action against the decision ordering their detention to the regional Court, which annulled that decision, finding that Czech legislation does not lay down objective criteria for the assessment of the risk of absconding within the meaning of Article 2(n) of the Dublin III Regulation. That Court accordingly ruled that the decision was unlawful. Following the annulment of the decision of the FPS, the Al Chodors were released from custody.

The FPS brought an appeal on a point of law before the Supreme Administrative Court against the decision of the Regional Court. According to the FPS, the inapplicability of Article 28(2) of the Dublin III Regulation cannot be justified by the mere absence in Czech legislation of objective criteria defining the risk of absconding. That provision subjects the assessment of the risk of absconding to three conditions, namely an individual assessment taking account of the circumstances of the case, the proportionality of the detention, and the impossibility of employing a less coercive measure. The FPS has submitted that it satisfied those conditions.

The Supreme Administrative Court was uncertain whether the recognition by its settled case-law of objective criteria on the basis of which the detention of persons pursuant to Paragraph 129 of the Law on the residence of foreign nationals may be carried out can meet the requirement of a definition 'by law' within the meaning of Article 2(n) of the Dublin III Regulation, in so far as that case-law confirms a consistent administrative practice of the FPS which is characterised by the absence of arbitrary elements, and by predictability and an individual assessment in each case. So the Court decided to refer to the European Court of Justice for a preliminary ruling asking whether Article 2(n) and Article 28(2) of the Dublin III Regulation, read in conjunction, must be interpreted as requiring Member States to establish, in a national law, objective criteria underlying the reasons for believing that an applicant for international protection who is subject to a transfer procedure may abscond, and whether the absence of those criteria in a national law leads to the inapplicability of Article 28(2) of that regulation.

Judgment

The Court of Justice first of all ruled that Article 2(n) of the Dublin III Regulation explicitly requires that objective criteria defining the existence of a risk of absconding be defined by the national law of each Member State (paragraph 27-28). Then, determining whether the word ‘law’ must be understood as including settled case-law, the Court reaffirmed that in interpreting a provision of EU law, it is necessary to consider not only its wording but also the context in which it occurs and the objectives pursued by the rules of which it forms part (judgment of 26 May 2016, Envirotec Denmark, paragraph 27).

So with regard to the general scheme of the rules of which Article 2(n) of Dublin III Regulation forms part, the Court, referring to recital 9 of that regulation, states that the regulation is intended to make necessary improvements, in the light of experience, not only to the effectiveness of the Dublin system but also to the protection of fundamental rights afforded to applicants under that system. This high level of protection is also clear from Articles 28 and 2(n) of that regulation, read in conjunction. As regards the objective pursued by Article 2(n) of the Dublin III Regulation, read in conjunction with Article 28(2) thereof, the Court recalls that, by authorizing the detention of an applicant in order to secure transfer procedures pursuant to that regulation where there is a significant risk of absconding, those provisions provide for a limitation on the exercise of the fundamental right to liberty enshrined in Article 6 of the Charter.

In that regard, it is clear from Article 52(1) of the Charter that any limitation on the exercise of that right must be provided for by law and must respect the essence of that right and be subject to the principle of proportionality. Furthermore, it is worth noting that in this ruling the European Court of Justice explicitly aligns its interpretation to the European Court of Human Rights (ECtHR), reaffirming that any deprivation of liberty must be lawful not only in the sense that it must have a legal basis in national law, but also that lawfulness concerns the quality of the law and implies that a national law authorizing the deprivation of liberty must be sufficiently accessible, precise and foreseeable in its application in order to avoid risk of arbitrariness (judgment of the European Court of Human Rights of 21 October 2013, Del Río Prada v Spain, paragraph 125).

The Court then concluded by stating that taking account of the purpose of the provisions concerned, and in the light of the high level of protection which follows from their context, only a provision of general application could meet the requirement of clarity, predictability, accessibility and, in particular, protection against arbitrariness. It follows that Article 2(n) and Article 28(2) of the Dublin III Regulation, read in conjunction, must be interpreted as requiring that the objective criteria underlying the reasons for believing that an applicant may abscond must be established in a binding provision of general application. In the absence of such criteria, the detention was unlawful.

Comments

First of all, the Court’s ruling is likely relevant to the interpretation of other EU measures concerning immigration detention. In the Returns Directive, which inter alia concerns the detention of irregular migrants (as distinct from asylum seekers), the ‘risk of absconding’ forms part of the ground for detention (as well as one of the grounds for refusing to allow the irregular migrant a period for voluntary departure); and it is defined exactly the same way as in the Dublin III Regulation. As for asylum seekers who are detained on grounds other than the Dublin process, a ‘risk of absconding’ is an element of one of the grounds for detention under the Reception Conditions Directive, but is not further defined. But a recent Advocate-General’s opinion notes (at para 73) that this clause aims to prevent ‘arbitrary’ detention, which was a key feature of the reasoning in the Al Chodor judgment. This surely points to a consistent interpretation of the two asylum laws. It follows that arguably the Court’s judgment should be relevant not just to Dublin cases but to any immigration detention of non-EU citizens in any Member State bound by the relevant EU legislation.

Secondly, this ruling has reiterated the principle by which although regulations generally have immediate effect in national legal systems without it being necessary for the national authorities to adopt measures of application, some of those provisions may necessitate, for their implementation, the adoption of measures of applicability by the Member States (judgment of 14 April 2011, Vlaamse Dierenartsenvereniging and Janssens, paragraphs 47 and 48).

Most significantly, the Court has reaffirmed the primacy of Human Rights law in EU asylum law implementation, highlighting that the development of the EU asylum law itself depends on its compliance with Human Rights law. In particular, the ECJ’s ruling in this case first of all reflects the ECtHR’s interpretation of the ‘arbitrariness’ of detention, which extends beyond the lack of conformity with national law. Notably, it states that a deprivation of liberty that is lawful under domestic law can still be arbitrary and thus contrary to the general principles, stated explicitly or implied, in the Convention (judgment of the European Court of Human Rights of 9 July 2009, Mooren v. Germany, paragraphs 73-77).

The Court’s ruling also reflects UN human rights norms. The Human Rights Committee’s General Comment No. 31 related to the nature of the general legal obligation imposed on State parties to the UN Covenant on Civil and Political Rights, which all EU Member States are State parties to, which reads that ‘in no case may the restrictions be applied or invoked in a manner that would impair the essence of a Covenant right’ (paragraph 4). Furthermore, the Human Rights Committee’s General Comment No. 35 points out that “arbitrariness is not to be equated with ‘against the law’, but must be interpreted more broadly to include elements of inappropriateness, injustice, lack of predictability and due process of law, as well as elements of reasonableness, necessity and proportionality” (paragraph 12, see also HRC, Van Alphen v. Netherlands, paragraph 5.8).

Finally, the Court’s ruling has confirmed the constitutional value of the Charter of Fundamental Rights of the European Union, which assumes a critical value in this historical period, since, as with any constitutional instrument, the more society as a whole is going through difficult times (such as the perceived ‘migration crisis’ in Europe), the more important it is to reaffirm its principles and values.

Likewise Article 52 of the EU Charter states that in no case may restrictions be applied or invoked in a manner that would impair the essence of a Charter right; in the context of detention, a fortiori it can be also affirmed that essential elements of guarantee for that right, as the requirement of lawfulness and non-arbitrariness for the right of liberty, cannot be disregarded in any circumstance. The Al Chodor ruling puts meat on the bones of that fundamental principle.

Barnard & Peers: chapter 26

JHA4: chapter I:5

Photo: Amygdaleza detention centre in Greece, credit: www.metamute.org

The data retention judgment: The CJEU prohibits mass surveillance

Steve Peers

On July 7, 2005 a relative of mine started her journey to work on a London tube train. Within half an hour, bombs on that train left by terrorists exploded, in conjunction with three other bombs across London. Dozens of people died (although my relative was not injured).

Understandably, public concern about terrorist incidents, following on from the earlier outrages of 9/11 and the Madrid bombings, led to further EU anti-terrorist legislation. In particular, the British Presidency of the EU Council made it a top priority to adopt legislation providing for retention of a large amount of communications data. But according to the Court of Justice of the European Union (CJEU), in a crucial judgment today, that legislation was essentially an over-reaction to these terrorist atrocities. The Court has effectively prohibited mass surveillance in the EU, and thus taken significant steps to entrench itself as the EU’s constitutional court.

Summary of the judgment

As discussed in detail by Chris Jones’ post on this blog, the Directive requires Member States to require telecommunications service providers to retain significant amounts of data on the use of all forms of telecommunications by all individuals within the EU, for a period of between 6 months and 2 years. This data is collected for the use of law enforcement agencies as regards investigations into serious crime or terrorism, but there are no detailed rules in the Directive governing the access to and use of the data by those authorities. The CJEU only found it necessary to address the question of the validity on the Directive in light of the Charter rights to privacy and data protection (Articles 7 and 8 of the Charter).

First of all, the Court unsurprisingly had no difficulty finding that the Directive interfered with the protection of those two rights. Its analysis focussed instead on whether such an interference could be justified.

The rules on justifying interferences with Charter rights are set out in Article 52 of the Charter. Any limitation upon Charter rights must be laid down by law, respect the essence of the right, and subject to the principle of proportionality, limit rights and freedoms only if it is necessary and genuinely meets public interest objectives and the rights and freedoms of others. The Court easily found that there was a public interest justification (public safety) for the restriction of the Charter rights at issue. It also found that the ‘essence’ of the rights was not affected, because (as regards the right to privacy) the content of communications was not recorded, and (as regards the right to data protection) certain data processing and data security rules had to be respected.

Therefore the key issues in the Court’s ruling were the proportionality of the interference with Charter rights. The Court indicated that judicial review of the EU legislature’s discretion should be ‘strict’ in this case, applying factors such as the area of law concerned, the nature of the right, the nature and seriousness of the infringement and the objective pursued. Here, it followed from the nature of the right and the nature and seriousness of the infringement that the EU legislature’s discretion was reduced; the CJEU took no account expressly of the objective being pursued.

The first aspect of proportionality (the appropriateness of the interference with the right for obtaining the objective) was fulfilled, because the data concerned might be useful to investigations. However, the CJEU found that the Directive was problematic as regards the second facet: the necessity of the measure in question. Crucially the Court ruled that the important objective of investigating serious crime and terrorism did ‘not, in itself’ justify data retention. So for the CJEU, the safety of the people is not the supreme law.

Its analysis proceeded by setting out the general importance of safeguards as regards the protection of privacy and data protection rights (building upon the case law of the European Court of Human Rights). These safeguards are even more necessary when data is processed automatically, with a risk of unlawful access.

 Applying this test, the Court gave three reasons why the rules on data retention in the Directive were not strictly necessary. First of all, the Directive had an extremely broad scope, given that it applied to all means of electronic communication, which have ‘widespread and growing importance’ in everyday life, without being sufficiently targeted. Indeed, it ‘entails an interference with the fundamental rights of practically the entire European population’. In other words (the Court does not use the term), it amounts to mass surveillance.

Secondly, besides the ‘general absence of limits’ in the Directive, it failed to limit access to the data concerned by law enforcement authorities, and the subsequent use of that data, sufficiently precisely. In particular: it referred generally to ‘serious crime’ as defined in national law; it did not restrict the purpose of subsequent access to that data; it did not limit the number of persons who could access the data; and it did not control access to the data by means of a court or other independent administrative authority.

Thirdly, the Directive did not set out sufficient safeguards, as regards: the data retention period, for instance as regards the categories of data to be retained for the whole period; the protection of the data from unlawful access and use (here the CJEU criticises the possible limits on protection measures due to reasons of cost); the absence of an obligation to destroy the data; and the omission of a requirement to retain the data within the EU only.

Comments

The CJEU reached the same conclusion as the Advocate-General’s opinion, but for different reasons. In the Advocate-General’s view, the Directive was invalid because it breached the ‘quality of law’ requirement applicable to interferences with Charter rights, having failed to establish sufficient safeguards relating to access to and use of the data. It also was disproportionate for failing to explain why storage periods of up to two years were necessary. The Court’s ruling appears to go further, by ruling out mass surveillance in principle.

The opinion discussed some interesting and important issues that the Court does not directly address, in particular: the existence of a ‘quality of law’ requirement as regards breaches of the Charter; whether the EU or the Member States have responsibility for ensuring the satisfaction of that requirement in this case; and the complications of the ‘legal base’ issue, ie the awkward point that inserting safeguards relating to law enforcement authorities might go beyond the ‘internal market’ legal base of the legislation. It might be deduced that the CJEU has a view on these issues: there is a ‘quality of law’ rule; the EU is responsible for upholding that requirement in this case; and the ‘legal base’ point is not a barrier to the EU adoption of rules regulating law enforcement authorities. But unfortunately, the Court did not expressly spell out its reasoning on these issues. It is certainly peculiar that, having ruled previously that the Directive was validly based on EU internal market powers, the CJEU rules here that its interference with Charter rights is justified by the objective of public safety.

As for the reasoning which the Court did provide, as usual it was easy to find public interest objectives for the interference with rights. The most important part of the reasoning is therefore the analysis of the interference with the ‘essence’ of the right, and of proportionality. It is very significant that the Court makes clear that these are two different issues: even if the essence of a right is respected, legislation can be disproportionate. Earlier case law on restriction of rights often seemed to suggest that respecting the essence of rights was sufficient.

Another important aspect of the judgment is the development of a doctrine indicating when strict scrutiny of the EU legislature’s interference with fundamental rights should apply. This is based upon Strasbourg case law, not the standards of national constitutional courts, which have of course addressed this issue in their own way. Obvious questions arise as to whether the same standards should apply to national implementation of EU law, or to Charter rights not based upon the ECHR.

While many data protection specialists argue that there is a fundamental distinction between the right to privacy and the right to data protection, the Court’s judgment only reflects that distinction to a limited degree. It assesses separately whether there is an interference with Articles 7 and 8 of the Charter, and whether the essence of each right has been affected. However, it made no distinction between the rights when assessing the required intensity of judicial review, and linked the two rights together when assessing the proportionality of the interference with them.

Consequences of the judgment

First and foremost, the data retention Directive is entirely invalid. The Court did not in any way rule that it could continue in force. So the immediate consequence is that we return to the status quo before 2005. This means that Member States have an option, not an obligation, to retain data pursuant to the e-privacy Directive (see further Chris Jones’ post on the background to the data retention Directive). However, Member States’ exercise of this option will still be subject to the requirements set out in this judgment, since their actions will fall within the scope of the Charter, given that the e-privacy Directive regulates the issue of interference with telecommunications.

Would it be possible for the EU to adopt a new Directive on mandatory data retention? In other words, can the Directive in some way be ‘fixed’?

First of all, since the 2006 Directive is entirely invalid, the EU legislature has to start from scratch, rather than amend it. Secondly, it is clear from the Court’s judgment that some form of mandatory data retention in order to combat serious crime and terrorism is acceptable from the perspective of the EU Charter.

How would such a new Directive differ from the measure the Court has just struck down? The Court sets out unusually detailed guidelines for the legislature (and, in the meantime, for national legislature) in its judgment. First of all, any new Directive would have to be in some sense targeted upon communication which has a particular link with serious crime and terrorism. Very simply, mass surveillance is an unjustifiable infringement of Charter rights.

Secondly, a new Directive would have to contain rules on: the definition of ‘serious crime’; the purpose of subsequent access to the data; limits on the number of persons who could access the data; and control of access to the data by means of a court or other independent administrative authority.

Thirdly, the new Directive would have to include stronger rules on the data retention period, for instance as regards the categories of data to be retained for the whole period, as well as the protection of the data from unlawful access and use. It would also have to contain rules on the absence of an obligation to destroy the data, and require that data be retained within the EU only. The Court did not rule on whether subsequent processing of the data in third States would be acceptable, but logically there must be some rules on this issue too. Probably it would be simplest to extend the external processing rules in the main EU data protection legislation to this issue.

Depending on the timing of a proposal for a new Directive (assuming that there is one), it might possibly get mixed up with the conclusion of negotiations over main the main data protection package being negotiated by the EU institutions. Alternatively, if those negotiations have concluded, they will establish a template that the negotiation of the new Directive can take account of.

Final comments

The Court’s judgment can be seen in the broader context of continued revelations about mass surveillance. Its reference to the retention of data by third States is a thinly-disguised allusion to the spying scandals emanating from the United States. It also responds, sotto voce, to the very great concerns of national constitutional courts about this Directive, discussed in detail in Chris Jones’ post on this issue.

More broadly, the CJEU has seized the chance to give an ‘iconic’ judgment on the protection of human rights in the EU legal order. Time will deal whether the Digital Rights judgment is seen as the EU’s equivalent of classic civil rights judgments of the US Supreme Court, on the desegregation of schools (Brown) or criminal suspects’ rights (Miranda). If the Charter ultimately contributes to the development of a ‘constitutional patriotism’ in the European Union, this judgment will be one of its foundations.

Barnard & Peers: chapter 9, chapter 25

National legal challenges to the Data Retention Directive

Chris Jones, Researcher for Statewatch

This post, which examines the numerous legal challenges against the EU's Data Retention Directive at both national and EU level (not including today's judgment), is the third post in a series examining the EU's mandatory data retention legislation, which was struck down today by the Court of Justice of the European Union (CJEU). It is based on work undertaken by Statewatch as part of the SECILE project (Securing Europe through Counter-terrorism: Impact, Legitimacy and Effectiveness).

 EU Court of Justice legal basis challenge

The first legal challenge to the Data Retention Directive came when Ireland, supported by Slovakia, asked the EU Court of Justice to annul the Directive on the grounds that it had the wrong legal basis. They argued that the correct legal basis for data retention resided “in the provisions of the EU Treaty concerning police and judicial cooperation in criminal matters,” rather than those on the internal market. The ECJ dismissed the case in February 2009, stating that: “Directive 2006/24… regulates operations which are independent of the implementation of any police and judicial cooperation in criminal matters. It harmonises neither the issue of access to data by the competent national law-enforcement authorities nor that relating to the use and exchange of those data between those authorities… “It follows that the substantive content of Directive 2006/24 is directed essentially at the activities of the service provides in the relevant sector of the internal market, to the exclusion of State activities coming under Title VI of the EU Treaty".

Bulgaria

The first ruling on national laws transposing the Directive came from Bulgaria in proceedings launched by the NGO Access to Information Program. In December 2008 the country’s Supreme Administrative Court annulled an article of the transposing legislation permitting the Ministry of Interior “passive access through a computer terminal” to retained data, as well as providing access without judicial permission to “security services and other law enforcement bodies”. The court found that: “[T]he provision did not set any limitations with regard to the data access by a computer terminal and did not provide for any guarantees for the protection of the right to privacy stipulated by Art. 32, Para. 1 of the Bulgarian Constitution. No mechanism was established for the respect of the constitutionally granted right of protection against unlawful interference in one’s private or family affairs and against encroachments on one’s honour, dignity and reputation.” The court also found the legislation failed to make reference to other relevant laws – the Penal Procedure Code, the Special Surveillance Means Act and the Personal Data Protection Act – “which specify conditions under which access to personal data shall be granted.”

Hungary

In June 2008 the Hungarian Civil Liberties Union (HCLU or TASZ, Társaság a Szabadságjogkért) requested “the ex-post examination” by the Hungarian Constitutional Court of the amendment of Act C of 2003 on electronic communications, “for unconstitutionality and the annulment of the data retention provisions.” According to the HCLU, Act C “already comprised numerous restrictive data retention provisions prior to the directive. The only changes brought in by the amendments were the retention of Internet communications data and the elimination of the lax – but at least pre-defined – legal purposes of the data processing”. The HCLU argued that “the amendments completely disregarded the provisions of the directive [stating] that data should be ‘available for the purpose of investigation, detection and prosecution of serious crimes’.” Despite being filed in 2008, the case is yet to be heard. According to Fanny Hidvégi of the HCLU, this is because as of 1 January 2012 new restrictions were placed on submitting cases to the Constitutional Court, and “every pending case submitted by a person or institution which no longer has the right to do so were automatically terminated”. The HCLU has begun a new and lengthy procedure that requires the exhaustion of all other remedies before the Constitutional Court can examine the Hungarian data retention measures.

Romania

In October 2009, the Romanian Constitutional Court found that proposed national legislation implementing the Data Retention Directive violated Romanian constitutional provisions protecting freedom of movement; the right to intimate, private and family life; secrecy of correspondence; and freedom of expression. The court found that the government’s attempt to justify the mandatory retention of telecommunications data by invoking undefined “threats to national security” was unlawful. The Court also referred to the 1978 ECHR ruling in Klass v Germany, which stated that “taking surveillance measures without adequate and sufficient safeguards can lead to ‘destroying democracy on the ground of defending it’.”

 In October 2011 the European Commission asked the Romanian government to bring forward new laws transposing the Directive, issuing a “reasoned opinion” under Article 258 of the TFEU, which carries the threat of full infringement proceedings at the European Court of Justice if the request is not met. A new law was duly drafted, but was rejected by the Romanian Senate. The law was heavily criticised in the media prior to the vote and the country’s Data Protection Authority had refused to endorse it, claiming that articles relating to the security services were “still vague”. Civil society organisations also opposed it and even the government refused to sponsor it, leaving the Minister of Communications and Information Society to propose it in his role as MP rather than minister. Strong support from the Minister of European Affairs fuelled criticism that it was motivated solely by the need to escape sanction by the European Court of Justice.

Ultimately the Senate vote was not decisive and the law continued its journey to the Chamber of Deputies, where at the end of May 2012 it was adopted with 197 votes for and 18 against, with many abstentions amongst the 332 deputies. There was no substantive discussion of fundamental rights issues in the Chamber of Deputies or the main two committees that debated the law and critics have argued that the provisions on access to retained data are even more problematic than the original statute. On 21 February 2013 the European Commission withdrew the infringement procedure that it had opened in 2011.

Cyprus

In February 2011 the Supreme Court of Cyprus ruled that aspects of the national transposing legislation breached the Cypriot constitution and case law on surveillance. The case was brought by individuals whose telecommunications data had been disclosed to the police in accordance with District Court orders. They argued that the laws underlying the orders were based (Articles 4 and 5 of Law 183(I) 2007, that sought to harmonise Cypriot law with the Directive), and therefore the District Court orders themselves violated their rights to privacy and confidentiality of communications. The Supreme Court found that petitioners had indeed been subject to a violation of their rights and annulled provisions it said went beyond the requirements of the Data Retention Directive. However, the legality of the Directive itself was not called into question.

Germany

Legislation transposing the Data Retention Directive into the Telecommunication Act and Code of Criminal Procedure was passed by the Bundestag on 9 November 2007 and entered into force on 1 January 2008. The day before, 31 December 2007, 35,000 German citizens (represented by the NGO AK Vorrat) filed a complaint against the legislation at the Federal Constitutional Court. On 2 March 2010 the Court ruled that the transposing provisions were a disproportionate interference with Article 10 (confidentiality of communications) of the Basic Law (Grundgesetz), and contravened legal standards on purpose limitation, data security, transparency and legal remedies.

However, the Court made no ruling on the actual Directive, stating that data retention is in principle proportionate to the aim of investigating serious crime and preventing imminent threats against life, body, freedom of persons, and the existence and security of the Federal Republic or one of its states. The Court found that the new domestic law failed to comply with legal standards on purpose limitation (restrictions on use of the retained data), data security, transparency and legal remedies.

In January 2011 the Ministry of Justice (MoJ) presented a paper proposing an alternative to data retention – a “quick freeze” system of limited data preservation for criminal investigations. The police and/or public prosecutors would issue a “quick freeze” order seeking access to metadata already held by telecommunications providers, for example for billing purposes. To actually access the “frozen”’ data would require the approval of a judge. In addition, the MoJ proposed an obligation for ISPs to store internet traffic data for seven days, allowing criminal investigators to identify persons behind (already known) IP addresses in particular in cases of child pornography. Criminal investigators would request the traffic and communications data via service providers without having direct access to these traffic data. This paper reflected proposals made in June 2010 by the Federal Commissioner for Data Protection, as well as the suggestions of more pragmatic privacy advocates.

More radical activists claim that any mandatory storage of communications data should be prohibited. The Interior Ministry rejected these proposals and insisted on full implementation of the Directive, arguing that the Constitutional Court had already shown that it is possible to implement the Directive and ensure individual privacy through high data security standards, including encryption and the “four eyes principle” (approval by at least two people) as prerequisite for accessing data and log files; strict purpose limitation; and the protection of professions whose confidentiality must be ensured.

The MoJ produced a “quick freeze” bill in April 2012 but continued opposition from the Interior Ministry meant that it was never tabled in Parliament. The Interior Ministry was unhappy with the length of the proposed freezing periods, demanding three months instead of the one month suggested by the Ministry of Justice. Moreover, the Interior Ministry wanted to include crimes such as fraud and hacking. The controversy continues and no new legislation has yet been introduced.

By this time the European Commission had initiated infringement proceedings and took its case to the European Court of Justice in July 2012. The Commission is seeking to impose a daily fine of €315,000.

Czech Republic

On 13 March 2011 the Czech Republic's Constitutional Court declared national legislation implementing the Directive unconstitutional. It found that the retention period exceeded the requirements of the Directive, and that use of the data was not restricted to cases of serious crime and terrorism. “The national legislation lacked, according to the constitutional court, clear and detailed rules for the protection of personal data as well as the obligation to inform the person whose data has been requested.” As in Germany, the Court stated that it could not review the Directive itself, but noted there was nothing in principle preventing implementation in conformity with constitutional law.

A second Constitutional Court decision in December 2011 examined the procedures put in place for obtaining access to retained data and found the “procedure in question to be too vague, in breach of [the] proportionality rule (its second step) and thus unconstitutional due to interference with right to privacy and informational self-determination.” In the meantime the Czech government revised the implementing legislation with modifications that took account of the judgment.The NGO Iuridicum Remedium has lodged fresh proceedings against the revised legislation on the grounds that regulation remains inadequate and that the new decree could provide for the “monitoring of contents of Internet communications”.

Slovakia

In August 2012 a group of Slovakian MPs, supported by the European Information Society Institute, lodged a legal complaint against the legislation implementing the Data Directive. The complaint asks the Slovak Constitutional Court to examine whether the laws implementing the Directive and dealing with access by the authorities to retained data are compatible with constitutional provisions on proportionality, the rights to privacy and data protection, and the provision granting freedom of speech. It also argues that the measures infringe provisions guaranteeing privacy, data protection and freedom of expression in Slovakian human rights law, the European Convention on Human Rights and the Charter of Fundamental Rights of the European Union. The complaint has not yet been resolved.

Sweden

The European Commission has engaged in a lengthy battle to try to bring Sweden’s domestic legislation into line with the Directive. After the country missed the initial September 2007 deadline, the Commission brought infringement proceedings, with the European Court of Justice finding Sweden guilty of failing to fulfil its obligations in February 2010. A proposal for transposing legislation was put forward in December 2010 and adopted in March 2012. The new law should have taken effect in May 2012 but despite an overwhelming vote in favour of the new measures in the Swedish parliament (233 MPs voted in favour with 41 against and 19 abstaining), the Left Party and the Greens invoked a constitutional provision allowing the entry into force of new measures to be delayed by a motion of one sixth of the parliament's members.

In May 2013, the European Court of Justice ordered Sweden to pay a €3 million fine for its delay in implementing the legislation. The Court rejected Swedish pleas regarding the domestic controversy over the implementation of the law: “As the Court has repeatedly emphasised, a Member State cannot plead provisions, practices or situations prevailing in its domestic legal order to justify failure to observe obligations arising under European Union law... The same is true of a decision, such as the one made by the Swedish Parliament, to which paragraph 8 of this judgment makes reference, to postpone for a year the adoption of the draft bill intended to transpose that directive.”

The Court of Justice of the European Union (CJEU)

The most serious challenge to the implementation of the Data Retention Directive has come from joined cases brought by the NGO Digital Rights and the plaintiffs in a case referred from the Austrian Constitutional Court. The Advocate General's opinion on the case, published in December 2013 following a hearing in July, proposed that the Court declare the Directive as a whole incompatible with EU Charter articles 52(1) (limitations on rights “must be provided for by law and respect the essence of those rights and freedoms”) and 7 (right to privacy). The case focuses on the compatibility of the Directive with Articles 7 (respect for private and family life) and 8 (protection of personal data) of the European Union Charter of Fundamental Rights. At the hearing the representatives of those who brought the cases argued that the Directive is fundamentally incompatible with the Charter and that there is still no evidence to demonstrate that its necessity or proportionality.

On behalf of Austrian privacy group AK Vorrat, Edward Scheucher argued that: “[T]he cumulative effect of fundamental rights restrictions need to be taken into consideration when judging the legitimacy of a single measure. Given the revelations regarding PRISM, this cumulative effect now clearly provides a different result [than] at the time when the German [Constitutional] Court took its decision [to annul certain provisions of German transposing legislation]. Furthermore, he stated that the Austrian implementation of the directive clearly showed that a Charter-compatible national implementation of the Data Retention Directive is not possible. This argument is bolstered by the fact that the main author of the Austrian implementation is among the 11,139 Austrian plaintiffs who challenged data retention before the Austrian Constitutional Court."

In response to requests for evidence demonstrating the necessity of the Directive, the Austrian and Irish governments presented new statistics on the use of retained data at the hearing. Also arguing in favour of the Directive were representatives of Italy, Spain and the UK, as well as the Commission, the Council and the Parliament. However, the Directive’s advocates still “had to acknowledge a lack of statistical evidence”, with the UK admitting that “there was no ‘scientific data’ to underpin the need” for data retention. Judge Thomas von Danwitz, the Court’s main rapporteur for the hearing, asked for information that had led to the adoption of the Directive in 2006, given that “the Commission in 2008 claimed not to have enough information for a sound review”. The Council’s lawyers, meanwhile, “implored the Court not to take away instruments from law enforcement”.

 Ultimately, Advocate-General Cruz Villalón concluded that the Court answer the cases in the following way: “(1) Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC is as a whole incompatible with Article 52(1) of the Charter of Fundamental Rights of the European Union, since the limitations on the exercise of fundamental rights which that directivecontains because of the obligation to retain data which it imposes are not accompanied by the necessary principles for governing the guarantees needed to regulate access to the data and their use. “(2) Article 6 of Directive 2006/24 is incompatible with Articles 7 and 52(1) of the Charter of Fundamental Rights of the European Union in that it requires Member States to ensure that the data specified in Article 5 of that directive are retained for a period whose upper limit is set at two years.”

Today's Grand Chamber judgment, which is analysed in Steve Peers' separate post, ultimately agreed with this recommendation. The EU has finally been forced to redraft its mandatory data retention rules.

 Barnard & Peers: chapter 9, chapter 25

Content and implementation of the Data Retention Directive

By Chris Jones, Statewatch researcher

This is the second in a series of posts examining the EU's Data Retention Directive, which is the subject of today's judgment of the Court of Justice of the European Union (CJEU). It is based on work undertaken by Statewatch as part of the SECILE project (Securing Europe through Counter-terrorism: Impact, Legitimacy and Effectiveness).

The post begins with an article-by-article examination of the Directive and subsequently examines the troubled national transposition and review process overseen by the European Commission. The first post examined the background to the Directive, and a subsequent, final post will look at national court cases challenging the implementation of the Directive.

The Directive, clause-by-clause

Article 1 sets out the subject matter and scope of the Directive, which covers all legal entities and: “[A]ims to harmonise Member States’ provisions concerning the obligations of the providers of publicly available electronic communications services or of public communications networks with respect to the retention of certain data which are generated or processed by them, in order to ensure that the data are available for the purpose of the investigation, detection and prosecution of serious crime, as defined by each Member State in its national law.”

Article 1(1) of the Directive states that serious crime is “as defined by each Member State in its national law”. Article 1(2) states that the Directive does not apply to the retention of the content of communications. However, it has long been argued that “retaining [internet] traffic data makes it possible to reveal… what websites people have visited”, indicating that certain content data can be retained under the Directive. The EU’s Article 29 Working Party on data protection issued an Opinion in 2008 making clear that the Directive is “not applicable to search engine providers”, as “search queries themselves would be considered content rather than traffic data and the Directive would therefore not justify their retention.”

Article 2 contains definitions. Article 3 outlines the obligation for telecoms providers to retain data, through derogation from a number of Articles (5, 6 and 9) of the e-Privacy Directive. Article 5 of that Directive obliges Member States to: “[E]nsure the confidentially of communications and the related traffic data by means of a public communications network and publicly available electronic communications services” through the prohibition, except when legally authorised, of “listening, tapping, storage or other kinds of interception or surveillance.” Article 6 of the e-Privacy Directive prohibits the retention by telecommunications providers of “traffic data relating to subscribers and users” except if necessary for billing or marketing and with the users' consent. Article 9 states that location data relating to users or subscribers “may only be processed when they are made anonymous, or with the consent of the users of subscribers to the extent and for the duration necessary for the provision of a value added service.”

Article 4 of the Data Retention Directive covers access by Member States’ competent authorities to retained data, which should only occur “in specific cases and in accordance with national law”. The phrase “competent authorities” is undefined in the Directive. Member States decide which of their agencies and institutions can request and access retained data. Member States also define the procedures authorities should follow to get access to retained data. This has led to wide divergence between Member States in which authorities can access retained data, and how they do so. The Directive also fails to stipulate that national law should include judicial scrutiny of requests for retained data, allowing Member States to establish self-regulatory systems that dispense with traditional surveillance “warrants”.

Article 5 lists in detail the data that must be retained by service providers:

The source of a communication;
The destination of a communication;
The date, time and duration of a communication;
The type of a communication;
Users’ communication equipment or what purports to be their equipment; and
The location of mobile communication equipment.

Article 6 covers periods of retention (“not less than six months and not more than two years from the date of the communication”). Article 7 outlines measures for the protection and security of retained data, compliance with which is to be supervised by “one or more public authorities” in accordance with Article 9.

Article 8 states that the storage of retained data must allow for its transmission to competent authorities, when requested, “without undue delay”. Article 10 obliges Member States to provide annual statistics to the Commission. Article 11 makes an amendment to Article 15 of the e-Privacy Directive, paragraph 1 of which permits Member States to enact their own data retention measures if they consider them: “[A] necessary, appropriate and proportionate measure within a democratic society to safeguard national security (i.e. State security), defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system.”

The Data Retention Directive supplemented this by stating that: “Paragraph 1 shall not apply to data specifically required by [the Data Retention Directive] to be retained for the purposes referred to in Article 1(1) of that Directive.” This legislative overlap has been problematic and the European Commission, which is reviewing the Data Retention and e-Privacy Directives in parallel, has suggested that: “Any revision of the Data Retention Directive should ensure that retained data will be used exclusively for the purposes foreseen in this Directive, and not for other purposes as currently allowed by the e-Privacy Directive.”

Article 12 permits Member States to extend retention for “a limited period” if they face “particular circumstances”, subject to the post-facto approval of the Commission. Article 13 obliges Member States to ensure that provisions of EU data protection law dealing with judicial remedies, liabilities and sanctions apply to Member States' transposing measures. It also requires the punishment by “penalties, including administrative or criminal penalties, that are effective, proportionate and dissuasive,” of any illegal access to or transfer of retained data.

Article 14 obliged the Commission to undertake “an evaluation of the application of this Directive and its impact on economic operators and consumers” and present it to the European Parliament and the Council (see further below). Article 14 also obliged the Commission to determine at this time “whether it is necessary to amend the provisions of this Directive”, a decision that the Commission has deferred, leaving no precise timetable for a new proposal. 

Articles 15-17 require Member States to transpose the Directive into national law by 15 September 2007. Article 15(3) allows Member States to “postpone application of this Directive to the retention of communications data relating to Internet Access, Internet telephony and Internet e-mail” for up to three years. Austria, Belgium, Cyprus, Czech Republic, Estonia, Finland, Germany, Greece, Latvia, Lithuania, Luxembourg, the Netherlands, Poland, Slovenia, Sweden and the UK all took up this option. The national legislation through which Member States transposed the Directive is listed in the EUR-Lex register.

Transposition and review

Nearly seven years after the deadline for implementation, the Directive has still not been implemented by all the states it covers and genuine “harmonisation” appears a remote prospect. Even with the extra room for manoeuvre on internet data retention, six Member States still found themselves subjected to infringement proceedings brought by the Commission after failing to implement national legislation on time.

The Commission brought proceedings against Austria, the Netherlands and Sweden in May 2009, Greece and Ireland in November 2009, and Germany in May 2012. Austria, Greece, the Netherlands, Ireland and Sweden subsequently adopted legislation; Germany has failed to do so and an infringement action is pending at the European Court of Justice. In Norway (obliged to implement the Directive through membership of the European Economic Area) legislation is yet to be agreed by parliament, and there is an on-going campaign by civil society organisations against it. The Commission recently demanded that Belgium “change its data retention laws to comply with the provisions of the European legislation”, and a draft bill aimed at ensuring full implementation was introduced into the Belgian Parliament in July 2013.

The Commission's evaluation of the Directive, due in September 2010, was eventually published in April 2011. It concluded that: “[D]ata retention is a valuable tool for criminal justice systems and for law enforcement in the EU. The contribution of the Directive to the harmonisation of data retention has been limited, in terms of, for example, purpose limitation and retention periods, and also in the area of reimbursement of costs incurred by operators, which is outside its scope.”

Retention period and scope

That the Directive failed to harmonise retention periods is hardly surprising – it allowed Member States to choose from anywhere between 6 and 24 months. The failure of the Directive to define “serious crime” also led to wide divergences across Member States: “Ten Member States (Bulgaria, Estonia, Ireland, Greece, Spain, Lithuania, Luxembourg, Hungary, Netherlands, Finland) have defined ‘serious crime’, with reference to a minimum prison sentence, to the possibility of a custodial sentence being imposed, or to a list of criminal offences defined elsewhere in national legislation. Eight Member States (Belgium, Denmark, France, Italy, Latvia, Poland, Slovakia, Slovenia) require data to be retained not only for investigation, detection and prosecution in relation to serious crime, but also in relation to all criminal offences and for crime prevention, or on general grounds of national or state and/or public security. The legislation of four Member States (Cyprus, Malta, Portugal, UK) refers to ‘serious crime’ or ‘serious offence’ without defining it.”

Most Member States also “allow the access and use of retained data for purposes going beyond those covered by the Directive, including preventing and combating crime generally and the risk of life and limb”.

Access to retained data

The authorities permitted to access retained data differ significantly from state to state. Every Member State allows police access and all except the UK and Ireland give access to prosecutors. 14 states provide access to security and intelligence agencies (only 12 are easily identifiable in the report – Bulgaria, Estonia, Spain, Latvia, Lithuania, Luxembourg, Hungary, Malta, Poland, Portugal, Slovenia and the UK). Six (Finland, Hungary, Ireland, Poland, Spain, UK) give access to tax and/or customs authorities; and four to border police (Estonia, Finland, Poland, Portugal). The UK allows other public authorities access to data retained if “authorised for specific purposes under secondary legislation.”

The type of authorisation required for access is also uneven: “Eleven Member States require judicial authorisation for each request for access to retained data. In three Member States judicial authorisation is required in most cases,” but the information provided in the report is not specific enough to allow identification of these states. A senior authority, but not a judge, must give authorisation in four other Member States (five Member States' information – Cyprus, France, Hungary, Italy, Poland – appears to fit this description). In two Member States, “the only condition appears to be that the request is made in writing,” although the information provided indicates that three states have such systems: Ireland, Malta and Slovakia.

Legitimacy and effectiveness

The Commission has acknowledged that many groups and individuals consider mandatory data retention “in principle… unjustified and unnecessary”. Nevertheless, EU Home Affairs Commissioner Cecilia Malmström has stated that “data retention is here to stay”. This has not allayed concerns about either the legitimacy or effectiveness of the Directive. In May 2011 the European Data Protection Supervisor issued a formal Opinion on the Commission’s evaluation report. Amongst other things, he said, the Commission needed to “invest in collecting further practical evidence from the Member States in order to demonstrate the necessity of data retention as a measure under EU law”, and that all those Member States in favour of data retention should prove “quantitative and qualitative evidence” demonstrating its necessity.

In December 2011 the European Commission wrote to the EU Council’s Working Party on Data Protection and Information Exchange (DAPIX) to inform Member States’ representatives of the results of the consultation that informed its April 2012 evaluation report. The Commission argued that it was necessary to “explain better the value of data retention” due to “a continued perception that there is little evidence at an EU and national level on the value of data retention in terms of public security and criminal justice”: “We have received strong views from law enforcement and the judiciary from all Member States that communications data are crucial for criminal investigations and trials, and that it was essential to guarantee that these data would be available if needed for at least 6 months or at least… 1 year. We have also received strong qualitative evidence of the value of historic communications data in specific cases of terrorism, serious crime and crimes using the internet or by telephone – but only from 11 out of 27 Member States.” Furthermore, “[t]he statistics required under Article 10 do not, as it is currently interpreted, enable evaluation of necessity and effectiveness”. Therefore, the Commission concluded, “all Member States – not just a minority – need to provide convincing evidence of the value of data retention of security and criminal justice”.

Member States’ delegations in DAPIX had already discussed the need for further evidence of the “necessity” of mandatory data retention at a meeting in May 2011. They concluded that retention: “[C]ould not be argued on the basis of statistical data… the gravity of the offences investigated thanks to traffic data, rather than the mere number of cases in which traffic data were used should receive due attention. Quantitative analysis should be complemented with qualitative assessment."

In March 2013 the Commission published a report that attempted to draw together “[e]vidence which has been supplied by Member States and Europol in order to demonstrate the value to criminal investigation and prosecution of communications data retained under Directive 2006/24/EC.” The report contains an overview of the ways in which communications data are used in criminal investigations and judicial proceedings; the sorts of cases in which retained data are important; the “consequences of absence of data retention”; and a section on statistics and quantitative data. This notes that 23 Member States have provided “some statistics since 2008”, but that they “interpret in different ways terms from the DRD such as ‘case’ and ‘request’, and statistics vary in format which limits their comparability”. However, what the statistics do show is massive variation in the extent that Member States are using their data retention powers, with total annual requests ranging from 23 (Portugal) to 777,040 (UK).

In November 2012 – six years after the adoption of the Directive – the Commission adopted and disseminated “more comprehensive guidance on provision of statistics under Article 10”. Such problems meant that the majority of the Commission's March 2013 report (20 of 30 pages) was given over to anecdotal evidence, including 91 reported cases from across Europe in which retained data assisted in finding the perpetrators of a variety of serious crime.

Alternative approaches

“Data preservation” regimes offer an alternative to data retention, by limiting retention of data to specific authorised investigations. In November 2012 the European Commission published a report it had commissioned on “current approaches to data preservation in EU Member States and third countries”. Data preservation was defined as the “expedited preservation of stored data or ‘quick freeze’” in: “[S]ituations where a person or organisation (which may be a communications service provider or any physical or legal person who has the possession or control of the specified computer data) is required by a state authority to preserve specified data from loss or modification for a specific period of time”.

The report explained that data preservation is already mandated by the Council of Europe Convention on Cybercrime (the Budapest Convention), which entered into force on 1 July 2004 and is open for worldwide signature. All EU Member States have signed the Convention although Greece, Ireland, Luxembourg, Poland and Sweden still need to ratify it (as of 7 April 2014). Under the Convention data may be preserved “for the purpose of specific criminal investigations or proceedings”.

The Convention, unlike the Data Retention Directive, explicitly permits the storage of communication content. While the German Ministry of Justice believes that data preservation is fundamentally an alternative to mandatory retention, the report concludes that: “[D]ata retention and data preservation are complementary rather than alternative instruments… data retention plays a role in ensuring that data is kept and that this is sometimes a prerequisite for data preservation, as data may have already been deleted before a data preservation order is issued.”

Revision of the Directive

Article 14 requires the European Commission to determine, on the basis of its review, whether it is necessary to amend the provisions of the Data Retention Directive. In August 2012 the Commission announced that it was postponing the revision of the Data Retention Directive with “no precise timetable” for a new proposal. The Commission spokesperson cited the need to review the “e-Privacy” Directive to “ensure that retained data will be used exclusively for the purposes foreseen in this Directive, and not for other purposes as currently allowed by the e-Privacy Directive.”

Before the revision of either of these two Directives takes place, the Commission wants to see its draft data protection package agreed by the Council and the Parliament. At present the two institutions disagree significantly on the proposal, with further disagreement amongst the Member States in the Council. However, more fundamental to the future of the Directive may be today's judgment of the European Court of Justice.


Barnard & Peers: chapter 9, chapter 25