Is the new e-Privacy Regulation a threat to human rights? Exploring the implications of Tele2 and Watson.

Matthew White, Ph.D candidate, Sheffield Hallam University

Introduction

This post follows up on a previous one from last Christmas, which discussed data retention in the context of the proposed Regulation on Privacy and Electronic Communications (e-Privacy Regs). The European Commission released the official version of the e-Privacy Regs on January 10, 2017. Like the leaked version, the official proposal does not have specific provisions for data retention (para 1.3). The proposal allows Member States to maintain or create their own data retention laws. However, these laws must be targeted and comply with European Union (EU) law. This includes the interpretation of the e-Privacy Directive and the Charter of Fundamental Rights (CFR) by the Court of Justice of the European Union (CJEU). The proposal specifically references the Digital Rights Ireland and Tele2 Sverige AB cases regarding the CJEU’s interpretation. This post will focus on aspects of the Tele2 case, which was discussed thoroughly by Professor Lorna Woods.

So, when is the essence of the right adversely affected?

Before discussing Tele2 and Watson, it’s important to highlight the provision in the new e-Privacy Regs that allows data retention. Article 11 permits the EU and its Member States to restrict the rights outlined in Articles 5-8. These articles cover the confidentiality of communications, processing permissions, storage and erasure of electronic communications data, and the protection of end-user terminal equipment information. Article 11 clarifies that data retention obligations can fall under these restrictions if they meet specific criteria: respecting the essence of the right and being necessary, appropriate, and proportionate. In Tele2 and Watson, the CJEU stated that any limitations on rights recognized by the CFR must respect the essence of those rights [94]. The court agreed with the Advocate General (AG) that data retention, like interception, significantly interferes with rights, and that accessing communication data might pose greater risks than accessing communication content [99]. However, the CJEU hesitated to definitively state that data retention (and access to such data) inherently harms the essence of these rights [101]. This reveals a potential inconsistency: the CJEU acknowledges that retaining and accessing communications data is at least as intrusive as accessing content, yet avoids stating that data retention inherently impacts the essence of these rights. This lack of clear reasoning for the differential treatment suggests that the CJEU itself might not fully uphold the essence of these rights in the context of data retention.

The CJEU’s answer seems limited only to catch-all powers

The CJEU’s judgment in Tele2 and Watson primarily focused on prohibiting general and indiscriminate data retention obligations at the EU level. However, the CJEU’s answer addressed a very broad question from Sweden: is a general obligation to retain traffic data—without any distinctions, limitations, or exceptions—for all individuals, electronic communication methods, and data for combating crime, compatible with EU law? Therefore, as long as national laws avoid capturing all data from all subscribers and users across all services in one sweep, it can be argued that they comply with EU law. Both the e-Privacy Regs and the CJEU use the term “targeted” retention [108, 113]. The CJEU illustrated this with geographically-based retention criteria. David Anderson Q.C. questions whether the CJEU’s example implies that “general and indiscriminate retention” of data from people in a specific town or area might be acceptable, while retaining data from those outside that area wouldn’t be. Given Sweden’s question and the CJEU’s response, this interpretation is possible. Essentially, the CJEU appears to allow discriminatory general and indiscriminate data retention if it respects the essence of the rights in question.

Data retention is our cake, and only we can eat it

Lastly, the CJEU held in Tele2 and Watson that national data retention laws fall within the scope of EU law [81]. While this might not raise immediate concerns about protecting fundamental rights, the CJEU’s subsequent ruling does. The CJEU stated that interpreting the e-Privacy Directive (and consequently, Member State data retention laws) “must be undertaken solely in the light of the fundamental rights guaranteed by the Charter” [128]. This suggests that the CJEU claims exclusive authority over determining how to best protect rights in the context of data retention. The following paragraph [129] indicates that the CJEU prioritizes the autonomy of EU law, even over fundamental rights. This is despite the European Convention on Human Rights (ECHR) establishing general principles of EU law, as mentioned in Article 15(1) (referring to Article 6(3) of the Treaty of the European Union (TEU), which explicitly recognizes the ECHR). Article 11 of the e-Privacy Regs mentions restrictions respecting the ‘essence of fundamental rights and freedoms.’ It remains to be seen if the CJEU would interpret this as solely referring to the CFR. Recital 27 of the e-Privacy Regs, similar to Recitals 10 and 30 of the e-Privacy Directive, mentions compliance with the ECHR, but as previously highlighted, recitals are not legally binding.

Is the CJEU assuming too much?

Another concern is that if the European Commission had included general principles of EU law in Article 11, the CJEU might have disregarded them, as it did in Tele2 and Watson. The problem with the CJEU’s approach is that it presumes its judgment offers sufficient human rights protection in this context. The ECHR has always been the minimum standard, but the CJEU appears to want the CFR to be the ceiling for human rights protection, whether it’s national or guaranteed by the ECHR. What if that ceiling is lower than the ECHR’s floor? The AG in Tele2 and Watson emphasized that the CFR should never be weaker than the ECHR [141]. However, the EU’s jurisprudence on data retention offers weaker protection than the ECHR, and the CJEU’s qualification in Tele2 and Watson doesn’t change this. Judge Pinto De Albuquerque in his concurring opinion in the European Court of Human Rights judgment in Szabo strengthens this position. He believed that mandatory third-party data retention, where governments require telecommunication and internet companies to store customer metadata for law enforcement and intelligence agencies, seems neither necessary nor proportionate [6]. While Judge Pinto De Albuquerque could be referring to third-party data retention requiring Internet Service Providers (ISPs) to intercept data from Over The Top (OTT) services, his description better suits data retention practices of service providers concerning their own users and subscribers.

Conclusions

While the CJEU has banned general, indiscriminate data retention, it doesn’t seem to have prevented targeted, indiscriminate data retention. If the European Court of Human Rights (ECtHR), adhering to its own jurisprudence and Judge Pinto De Albuquerque’s opinion, were to rule on data retention, it might find EU law in violation of the ECHR. This could force Member States into a difficult situation: comply with the ECHR and violate EU law autonomy, or comply with EU law and violate the ECHR. When EU law prevents adhering to the minimum standards of human rights protection, the ECHR should take precedence. Anything less threatens human rights, and this means that even a well-intentioned CJEU can pose a threat.

JHA4: chapter II:7

Licensed under CC BY-NC-SA 4.0