Lorna Woods, Professor of Internet Law, University of Essex
Introduction
Advocate General Campos Sanchez-Bordana has presented his opinions on three cases concerning data retention: SpaceNet and Telekom Deutschland, GD v Commissioner of the Garda Síochána, and VD and SR. These opinions are the latest development in a series of legal challenges related to data retention that began with an Irish challenge to the Data Retention Directive.
The Data Retention Directive, which allowed for the retention of communications data under certain exceptions to privacy principles, was invalidated in the Digital Rights Ireland case. This decision led to further legal cases that defined the limits of data retention allowed under EU law, including notable cases like Tele2 Sverige and Watson, La Quadrature du Net and Others, and Privacy International. While the Advocate General’s recent opinions do not introduce new legal concepts, they reaffirm existing principles and distinctions established in prior rulings.
The Cases
SpaceNet and Telekom Deutschland involves German legislation that mandates internet providers to retain communications data. The German law attempted to address previous concerns raised by the Court of Justice of the European Union (CJEU) by limiting the scope of data retention, shortening retention periods, and implementing safeguards against misuse. Despite these measures, SpaceNet and Telekom Deutschland challenged the law based on prior CJEU rulings.
GD v Commissioner of the Garda Síochána stems from a murder trial where the prosecution relied on communications data obtained through legislation enabling mass data retention. The defendant challenged the evidence’s admissibility, claiming it violated EU law.
VD and SR also involve criminal prosecution using communications data obtained from telecommunications providers based on national laws implementing EU directives. These cases raised the question of whether these national laws align with the fundamental rights outlined in the EU Charter.
The Advocate General recommended that the CJEU find the national laws in all three cases incompatible with Charter rights. He emphasized that EU law prohibits national legislation forcing electronic communication providers to retain user data indiscriminately for purposes beyond safeguarding national security against a proven threat.
The Advocate General stressed the need for independent authorization for accessing legally retained data and advocated for the judgments’ immediate effect without limiting their application to future cases. He also acknowledged the differing approaches of the CJEU and the European Court of Human Rights (ECtHR) regarding data retention, stating that while the ECtHR sets a baseline, the Charter might impose stricter standards.
Comment
The legal precedents surrounding data retention are built upon distinctions between EU and national competence. Article 4(2) of the Treaty on European Union (TEU) mandates the EU to respect member states’ authority in essential areas like maintaining law and order, explicitly stating that national security is each member state’s responsibility.
Many countries justify data retention as part of counter-terrorism efforts and national security, arguing that such laws are outside EU jurisdiction. However, as demonstrated in the SpaceNet case, this argument has been consistently rejected by the CJEU. While Article 4 TEU excludes national security from EU law, its interpretation is narrow, applying primarily to intelligence activities directly related to safeguarding national security. This principle is well-established and unlikely to change.
Another critical distinction in existing case law is the difference between communication content and communications data (metadata), including traffic and location data. The CJEU has held that the mass collection of communication content is a severe infringement of privacy and cannot be justified. However, collecting communications data might be permissible under specific circumstances, as seen in cases like Tele2 Sverige and Watson, Privacy International, and La Quadrature du Net. This suggests that obtaining communications data is considered less intrusive than accessing content. However, the potential harm of creating detailed individual profiles from metadata raises concerns about this assumption’s validity. Notably, the Court has recognized that certain data types, such as identity and IP addresses used in criminal investigations, are less sensitive.
The CJEU, in the Ministerio Fiscal case, suggested that the level of intrusion might be lower depending on the type and amount of data involved. However, it remains unclear whether this distinction stems from the nature of the data itself or its limited quantity and separation from other datasets. The Court emphasized that accessing retained data revealing communication details like time, duration, recipients, or location is a serious interference with privacy, as it allows for drawing precise conclusions about individuals’ private lives. This suggests that the potential insights derived from data are more critical than the data volume. The Court has also indicated that certain data types, such as those involved in Passenger Name Record (PNR) cases, might be less sensitive. While the Advocate General reaffirmed the stance on IP addresses and identity data in the recent cases, questions about the sensitivity of smaller sets of specific data, such as location data, remain unanswered.
The ability to create detailed profiles and its impact on users has led the Court to establish stringent conditions for data collection, based on two intertwined sets of distinctions: general vs. targeted measures and national security vs. fighting crime (further divided into serious and other crimes). The Advocate General, referencing La Quadrature du Net as a summary of preceding case law, reiterated the principles established in prior cases. He emphasized that indiscriminate retention of traffic and location data is only justifiable for safeguarding national security, a more critical objective than those listed in the e-Privacy Directive. In essence, while subject to strict conditions, indiscriminate data retention might be permitted for national security threats, but only targeted retention is acceptable for combating serious crime.
This raises the question of what constitutes national security and serious crime within the framework of the e-Privacy Directive. According to Ministero Fiscal, the distinction between crime and serious crime is determined by individual member states. This could lead to manipulation or broad interpretations, as seen in the UK’s expansive definition of serious crime under the Investigatory Powers Act. The CJEU, in La Quadrature du Net, defined national security as encompassing the prevention and punishment of activities that severely destabilize a country’s fundamental constitutional, political, economic, or social structures. This definition includes activities directly threatening society, the population, or the state itself.
The Advocate General, in VD and SR, highlighted that measures safeguarding national security and combating crime cannot have the same scope, or the distinction established in La Quadrature du Net regarding indiscriminate surveillance would become meaningless, jeopardizing fundamental rights protections. This holds even for exceptionally severe crimes.
While the Court has suggested that targeted surveillance doesn’t have to be individual-specific and could focus on locations or groups, such an approach raises various social, political, and technical concerns. As pointed out by the Advocate General, the CJEU is not responsible for drafting compliant regimes; this responsibility lies with the member states.
La Quadrature du Net established conditions for national security and generalized surveillance, as well as targeted surveillance for serious crime. In Privacy International, the CJEU stated that national legislation must define objective criteria for both acquiring specific datasets from service providers and their use by authorities. Furthermore, these conditions seem to apply not only to traffic and location data but also to retaining IP addresses, subscriber information, and other measures combating serious crime. However, questions remain regarding the extent to which safeguards can compensate for weaknesses in data collection and retention systems. This issue also arises in the ECtHR’s jurisprudence, where the lines between lawfulness, safeguards, and proportionality become blurred, potentially leading to less scrutiny over data acquisition in favor of controlling data use. This approach fails to address the chilling effect of government access to and storage of personal data. The Advocate General rejects blurring the lines between safeguards over access and control over data acquisition and retention, emphasizing that data retention inherently interferes with fundamental privacy rights. He argues that access to this data is a separate infringement, regardless of its subsequent use. Therefore, safeguards protecting retained data do not justify a general data retention requirement.
Limited data retention periods serve as another potential safeguard. The German government argued in SpaceNet that shorter retention periods would limit the detail of generated profiles. This argument aligns with the approach taken by the Advocate General in HK v Prokuratuur. While the CJEU acknowledged that the retention period is a relevant factor in determining the severity of privacy intrusion, it maintained that traffic and location data are generally sensitive due to their ability to reveal private life details and should therefore only be collected in cases involving serious crime or threats to national security. The Advocate General, in SpaceNet, stated that a limited retention period cannot justify a general data retention requirement for crime investigation purposes. Additionally, the retention period must be considered in conjunction with the amount of data collected and the available data analysis techniques.
While data acquisition, storage, and access constitute distinct infringements, with real-time access potentially being more intrusive than analyzing historical data, questions about their interconnectivity arise. If data retention is justifiable only for serious crime, it stands to reason that access should also be restricted. This link was discussed in VD and SR, where the legislation allowed access to existing data without explicitly permitting its initial storage. The French government argued that market manipulation legislation implicitly permits data retention. However, the Advocate General countered that these existing records must be legally obtained and stored in accordance with the e-Privacy Directive.
This stance highlights the enduring relevance of communication confidentiality principles. Furthermore, even if such “implicit authorization” were accepted, any data retention would still be subject to the same conditions as if explicitly authorized by EU law. In essence, all EU legislation must comply with the EU Charter. The Court’s interpretation of Articles 7 and 8 regarding privacy applies beyond the e-Privacy Directive. This recognition is crucial given the increasing data acquisition by private companies and its subsequent sharing with public entities for various purposes, including public service delivery. This broader context explains why the requirement for independent body approval of data access requests, already present in the e-Privacy Directive, also arose in the context of insider dealing and market manipulation legislation. This might signal the emergence of a general approach to limiting state surveillance activities. It will be interesting to see how the Court applies concerns about profiling from these cases to other areas, such as PNR data collection. The boundary between profiling concerns in the context of national security and combating crime versus profiling for data-driven public service delivery remains unexplored.
Barnard & Peers: chapter 9
JHA4: chapter II:7
Photo credit: EFF-Graphics, via Wikicommons