By Steve Peers
After the Court of Justice of the European Union (CJEU) invalidated the EU’s data retention Directive, a crucial question emerged: do those same rules affect national data retention laws? This post will explain why that’s the case.
We begin with Article 51 of the EU’s Charter of Fundamental Rights. It states that the Charter applies to EU institutions and bodies, but to Member States ‘only’ when ‘implementing’ EU law. But what does that mean?
Narrowly interpreted, Member States stopped ‘implementing’ EU law on data retention when the Directive was annulled. After all, no EU law on data retention remained. However, one could argue that Member States are still ‘implementing’ EU law if their national laws were initially meant to fulfill an EU obligation. This is a novel argument because the CJEU rarely annuls EU laws on substance. Even when it does, the Court typically invalidates only a small part of the law (for example, the Test-Achats judgment).
However, this is just one argument for the EU Charter’s continued relevance to national data retention law. The central argument relies on well-established CJEU case law concerning EU human rights protection when Member States deviate from EU law.
EU human rights rules and national deviations from EU law
Back in 1991, the CJEU ruled in the ERT case that when Member States deviate from EU internal market rules, they remain subject to EU human rights obligations (then only the EU’s ‘general principles of law’, since the Charter didn’t yet exist). The Familiapress judgment confirmed this, regarding exceptions to internal market rules based on the CJEU’s ‘rule of reason’ case law, rather than explicit exceptions in the Treaties.
Does the Charter follow the same approach? While many assumed the word ‘implementing’ in Article 51 implied a narrower interpretation than previous case law, the CJEU stated in its Fransson judgment that its previous case law on the scope of general principles applied equally to the Charter. Although Fransson didn’t concern deviations from EU law, the CJEU should soon rule on this point in the Pfleger case (judgment due April 30th), where the Advocate-General’s opinion assumes as much. Pending potential confirmation in that judgment, it should be assumed for now that the Charter does apply to national deviations from EU law, as the CJEU made no distinction in Fransson regarding which aspects of its prior case law still applied.
Even if the Charter doesn’t apply to national deviations from EU law, the general principles still do, having a continued existence independent of the Charter under Article 6(3) TEU.
Applying the case law
Two further questions arise. First, do EU human rights rules apply if Member States deviate not from EU internal market rules in the Treaty, but from other EU laws? In principle, they should, given that the Treaties list other EU objectives besides the internal market. Why should EU human rights rules only apply to national deviations from EU rules in one specific area of EU law, and not to deviations from EU rules in other areas?
Regardless, the CJEU has effectively confirmed that Member States are bound by the Charter and general principles even when the law doesn’t concern the internal market. In EP v Council and the subsequent case of Chakroun, the CJEU ruled that national deviations from the EU’s family reunion Directive must comply with human rights obligations. It made no distinction between national deviations from EU internal market rules in the Treaty and those from other EU rules set out in EU legislation.
Second, is there an EU law rule that Member States are deviating from by continuing to apply national data retention laws? There is: Article 15(1) of the EU’s e-privacy Directive allows Member States to restrict the rights in that Directive relating to confidentiality of communications, location and other traffic data, and caller identification:
‘when such restriction constitutes a necessary, appropriate and proportionate measure within a democratic society to safeguard national security (i.e. State security), defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system, as referred to in Article 13(1) of Directive 95/46/EC. To this end, Member States may, inter alia, adopt legislative measures providing for the retention of data for a limited period justified on the grounds laid down in this paragraph. All the measures referred to in this paragraph shall be in accordance with the general principles of Community law, including those referred to in Article 6(1) and (2) of the Treaty on European Union.’
The CJEU has repeatedly ruled on the Charter’s application to cases where copyright holders invoked this clause to justify planned restrictions on Internet use (see the Telekabel Wien judgment). There’s no reason why the CJEU wouldn’t apply the clause to data retention on crime-fighting grounds, given that Article 15(1)’s second sentence explicitly mentions data retention and the first sentence explicitly mentions criminal law.
Finally, while some data retention might fall outside the e-privacy Directive, which generally applies to telecommunications service providers (not, for instance, social networks or search engines), those forms would fall under the similar Article 13 of the main Data Protection Directive. This is because they would clearly involve processing personal data within the scope of that Directive. Neither the ‘household exception’ to that Directive nor the exception for processing in criminal law would apply – because the data retention would be happening within a commercial activity (like the judgment on the legal basis of the data retention Directive by analogy).
[Update: see discussion of the later Pfleger judgment here. Two cases on national data retention laws were later referred to the CJEU; see discussion of them here.]
Barnard & Peers: chapter 6, chapter 9