Matthew White, Ph.D. candidate, Sheffield Hallam University
A central question regarding internet privacy is whether governments should be allowed to store data about everyone’s online and phone activities in the name of fighting terrorism and serious crime. This issue, known as “data retention,” raises crucial questions about balancing privacy and security, both nationally and within the European Union. Initially, the EU’s electronic privacy (e-Privacy) Directive offered member states the choice to implement data retention rules, deviating from the usual rule of communication confidentiality outlined in the directive. However, in 2006, driven mainly by the UK, the EU introduced the Data Retention Directive (DRD). This directive mandated that telecommunications and internet providers store user data in case law enforcement needed it.
On April 8, 2014, the Court of Justice of the European Union (CJEU) decided in its “Digital Rights Ireland” judgment that the DRD was excessive. The Court argued that the DRD didn’t align with the rights to privacy and data protection detailed in Articles 7 and 8 of the EU Charter of Fundamental Rights. This decision left the status of national data retention laws uncertain. Could they be challenged for violating EU Charter rights due to their connection to EU law, particularly the e-Privacy Directive’s data retention option? If so, should the “Digital Rights Ireland” judgment’s standards apply to these national laws?
Instead of promptly addressing this, the UK government delayed action and then swiftly enacted the Data Retention and Investigatory Powers Act 2014 (DRIPA 2014). This act was a direct response to the “Digital Rights Ireland” ruling, aiming to grant the UK, under its own law, the authority to retain data that the CJEU had deemed unlawful under EU law.
In 2015, Tom Watson, David Davis, and others challenged a section of DRIPA 2014, arguing that its data retention powers didn’t align with the CJEU’s “Digital Rights Ireland” ruling. They contended that although the ruling focused on EU law, it should also apply to national data retention laws because such laws were linked to EU law through the e-Privacy Directive. They argued that any expansion of data retention beyond publicly available services would fall under the Data Protection Directive and, consequently, the EU Charter. The High Court (HC) sided with the challengers in the “Davis” case and ordered the contested section of DRIPA to be disapplied by March 31, 2016, unless it was revised to comply with the “Digital Rights Ireland” ruling. This decision aimed to give Parliament time to create a data retention law that aligned with the EU Charter.
The government appealed to the Court of Appeal (CoA), which disagreed with the HC’s interpretation of the “Digital Rights Ireland” ruling. The CoA didn’t believe the CJEU intended to set definitive rules for national data retention laws. However, as a precaution, the CoA consulted the CJEU, asking if the “Digital Rights Ireland” ruling meant to establish binding requirements for EU member states’ national laws and whether it aimed to broaden the scope of Articles 7 and 8 of the EU Charter beyond the existing interpretations of Article 8 of the European Convention on Human Rights.
The CoA wasn’t the only court seeking clarification on data retention. On May 4, 2015, a Swedish court asked the CJEU whether a broad obligation to retain communication data for everyone, without exception, for crime-fighting purposes aligned with the e-Privacy Directive and the EU Charter. This question’s wording implied that the obligation applied to all service providers within a state’s jurisdiction, potentially impacting a clause in the UK’s proposed Investigatory Powers Bill (IPB), which aimed to grant broad data retention powers to the government.
The question of how the CJEU’s ruling would impact specific service providers or data related to sensitive professions like journalism or law remained unclear. Additionally, there was the question of limitations on data retention, with the UK previously setting a 12-month maximum retention period in line with a recommendation from the Advocate General in the “Digital Rights Ireland” case.
The President of the CJEU decided to combine both the UK and Swedish cases. The questions about data access didn’t directly affect the IPB’s provision for issuing retention notices, as it didn’t necessarily involve every telecommunications operator. Similarly, the questions regarding the interpretation of EU Charter articles didn’t directly impact the IPB’s data retention provisions.
However, this assumed that the CJEU would rule against broad data retention for access purposes. If the CJEU ruled otherwise, a key clause in the IPB allowing broad data retention orders could remain unchanged. Notably, the HC in the “Davis” case believed that the CJEU found data retention acceptable if it served a general interest and had strong safeguards for citizens’ rights. The CoA didn’t address this point. Thus, a ruling in favor of broad data retention could potentially leave the IPB’s data retention provisions unaffected under EU law.
Regarding the correct interpretation of the “Digital Rights Ireland” ruling, the CoA argued that the Advocate General didn’t expect the DRD to provide very specific regulations. However, the CoA didn’t mention the Advocate General’s conclusion that the DRD was invalid because it lacked sufficient safeguards for data access, such as limiting access to judicial authorities or independent bodies and requiring case-by-case reviews of access requests. The Advocate General supported limiting data access to what was strictly necessary and recommended suspending the DRD until the EU addressed its shortcomings. This perspective aligned with the HC’s stance and could have implications for the IPB, which didn’t mandate judicial or independent oversight for accessing communication data, even without a direct ruling from the CJEU.
Many thanks to Steve Peers for helpful comments on an earlier draft.
Photo credit: gizmondo.com.au