Steve Peers

This post discusses the EU’s data retention Directive and the Advocate-General’s opinion on its validity, particularly in light of the “Day We Fight Back” against mass surveillance.

Overall context

These cases, brought before the Court of Justice of the EU (CJEU) by Irish and Austrian courts, present a significant opportunity for the court to issue a landmark judgment on the EU Charter of Fundamental Rights, unlike the 2011 Test-Achats judgment, which lacked a thorough examination of key issues.

The CJEU is entering this case aware of several factors: constitutional concerns about the Directive from German and Romanian courts, skepticism about mass surveillance from the European Court of Human Rights, and widespread public anxiety in the EU surrounding mass surveillance, particularly given recent revelations about surveillance by US security agencies.

The Directive mandates that EU member states require telecom and internet providers to retain records of all phone calls, internet activity, and mobile phone location data for a minimum of six months, with no firm upper limit. This data can then be accessed by law enforcement for investigations related to serious crime. While a nominal two-year upper limit exists, member states can retain existing longer retention periods or petition the Commission for authority to establish new ones. Additional EU laws allow member states to require telecom providers to retain such data for other reasons and remain unaffected. Essentially, member states retain broad discretion in data retention practices for security purposes.

The Directive does not establish safeguards for the use of the retained data. This limitation stems from its legal basis in the “internal market,” restricting its scope to regulating the telecom industry and excluding law enforcement’s use of the data.

While acknowledging potential benefits of mass surveillance in prosecuting crime and preventing terrorism, this does not automatically justify it. Democracies must balance liberty and security. The European Court of Human Rights has long held that targeted surveillance is permissible only with precise laws and comprehensive safeguards for individuals. This standard should undoubtedly apply even more rigorously to mass surveillance laws like this Directive, if such surveillance can ever be justified.

The Advocate-General’s opinion

The Advocate-General’s opinion correctly identifies the data retention Directive as interfering with the rights to privacy and data protection (Articles 7 and 8 of the Charter). The central question becomes whether this interference is justifiable. While a public interest is evident, the Advocate-General scrutinizes the remaining aspects of this test, ultimately concluding that the Directive fails to meet the “prescribed by law” standard established by the European Court of Human Rights. The Directive lacks sufficient precision in defining the limitation on Charter rights and fails to establish guarantees for data use.

This raises a question about the EU-Member State relationship. Since Directives are implemented through national law, one might argue that it falls to individual Member States to provide specific details regarding the interference with Charter rights during transposition. The CJEU could clarify what these rules should address, as it has in cases involving interference with privacy rights justified by intellectual property protection.

The Advocate-General rightly dismisses this possibility. The data retention Directive compels Member States to interfere with Charter rights, unlike the legislation in the aforementioned cases, which merely permits such interference. This distinction places a significant, if not entire, responsibility on the EU to satisfy the “quality of law” test. This aligns with the European Court of Human Rights’ stance in Bosphorus Airways v Ireland and the draft EU accession agreement for the ECHR, both of which differentiate between instances where the EU compels action from Member States and those where it merely permits it.

However, the nature of EU law presents another layer of complexity. Prior to the Treaty of Lisbon, the legal order of the Union was divided into three “pillars.” Police cooperation fell under the third pillar (policing and criminal law), while the internal market was part of the first pillar (Community law). Consequently, a Directive based on the internal market, such as this one, couldn’t address police cooperation matters, leading the CJEU to reject the Irish government’s challenge to the Directive in 2009.

To address this, the Advocate-General proposes that the EU should have, at a minimum, established informal guarantees. This solution is inadequate, as non-binding guarantees would not meet the “quality of law” requirement. Alternatively, the EU could have adopted a third-pillar “Framework Decision” outlining such guarantees before the Treaty of Lisbon, and currently, it can establish them through a Directive.

The Advocate-General also determines the Directive to be disproportionate, lacking a compelling reason for the potentially indefinite data retention period. However, Member States’ ability to retain existing national laws permitting longer data retention periods is enshrined within the Treaty’s internal market rules. To override these provisions, the Court of Justice would need to prioritize the Charter over other primary EU law, including the Treaty.

Conclusions

These cases provide the CJEU with a chance to elaborate on the rules governing interference with Charter rights, particularly the “quality of law” test, which the CJEU has yet to invoke. The court must also grapple with the challenges stemming from the previous pillar structure of EU law and the specific provisions within the Treaties’ internal market rules. However, given the context of these cases, the established jurisprudence of the European Court of Human Rights, and the Advocate-General’s strong opinion, it would be astonishing if the CJEU did not invalidate the Directive or, at the very least, establish clear rules for Member States to follow in its application.

[update: the CJEU gave its ruling in April 2014. For discussion of the judgment see here.]

Barnard & Peers: chapter 9