The CJEU ruling on data retention: Mass surveillance is prohibited.

Steve Peers

On July 7, 2005, a relative of mine was on her way to work on a London tube train when terrorists detonated bombs on her train and three others across the city. While my relative was unharmed, dozens of people tragically lost their lives.

This event, along with the prior attacks on 9/11 and in Madrid, understandably fueled public anxiety around terrorism and spurred the EU to introduce additional anti-terrorism measures. Notably, the British Presidency of the EU Council prioritized legislation mandating the retention of extensive communications data. However, in a landmark ruling, the Court of Justice of the European Union (CJEU) has declared this legislation an overreach in response to these terrorist acts. This decision effectively outlaws mass surveillance within the EU, solidifying the CJEU’s role as the Union’s constitutional court.

Summary of the judgment

As detailed in Chris Jones’s blog post, the Directive required EU Member States to compel telecommunications providers to retain substantial amounts of data related to all forms of electronic communication used by all individuals within the EU. This data, collected for law enforcement agencies to investigate serious crime and terrorism, was to be stored for a period of 6 months to 2 years, with the Directive lacking specific regulations governing data access and use by these authorities. The CJEU found it necessary to evaluate the Directive’s validity solely in relation to Articles 7 and 8 of the Charter, concerning the rights to privacy and data protection.

Unsurprisingly, the Court readily established that the Directive did infringe upon the protection of these two rights. Consequently, their analysis centered on whether such an infringement could be justified.

Article 52 of the Charter outlines the conditions for justifying limitations on Charter rights. Any restriction must be legally established, respect the core of the right being limited, and, adhering to the principle of proportionality, only be implemented if absolutely necessary to achieve a legitimate public interest objective and safeguard the rights and freedoms of others. The Court easily determined the existence of a public interest justification (public safety) for restricting the Charter rights in question. They also determined that the ’essence’ of the rights was not compromised because the content of communications wasn’t recorded (regarding the right to privacy), and certain data processing and security protocols had to be observed (regarding the right to data protection).

Therefore, the crux of the Court’s decision rested on the proportionality of the interference with Charter rights. The Court emphasized the need for ‘strict’ judicial review of the EU legislature’s discretion in this case, taking into account factors like the legal area in question, the nature of the right being curtailed, the severity of the infringement, and the objective being pursued. The nature of the right and the severity of its infringement inherently reduced the EU legislature’s discretion; the CJEU did not explicitly consider the pursued objective.

The first element of proportionality, the appropriateness of the interference in achieving the objective, was satisfied because the data could be helpful for investigations. However, the CJEU found the Directive flawed regarding the second aspect: the measure’s necessity. Crucially, the Court ruled that the vital objective of investigating serious crime and terrorism did not inherently justify data retention, demonstrating that, for the CJEU, public safety is not paramount.

The Court further elaborated on the fundamental importance of safeguards in protecting privacy and data protection rights, drawing on the case law of the European Court of Human Rights. These safeguards become even more crucial when data undergoes automated processing, increasing the risk of unauthorized access.

Applying this reasoning, the Court presented three reasons for why the Directive’s data retention regulations weren’t strictly necessary. Firstly, the Directive’s scope was overly broad, covering all electronic communication methods, which are increasingly vital in daily life, without being sufficiently focused. As a result, it ’entails an interference with the fundamental rights of practically the entire European population’, essentially amounting to mass surveillance, though the Court doesn’t use this term directly.

Secondly, beyond a ‘general absence of limits’, the Directive failed to adequately define the parameters for law enforcement agencies accessing and using the retained data. Specifically, it broadly referred to ‘serious crime’ as defined by national law, didn’t restrict the purpose of subsequent data access, didn’t limit the number of individuals who could access the data, and didn’t mandate judicial or independent administrative oversight of data access.

Thirdly, the Directive lacked sufficient safeguards regarding: the data retention period, especially for different data categories; protecting data against unauthorized access and use (the CJEU criticizes potential limitations on security measures due to cost concerns); the absence of a mandatory data destruction policy; and the lack of a requirement to store data exclusively within the EU.

Comments

While reaching the same conclusion as the Advocate-General’s opinion, the CJEU did so through different reasoning. The Advocate-General considered the Directive invalid because it violated the ‘quality of law’ requirement for interfering with Charter rights by not establishing adequate safeguards for accessing and using data. Additionally, it was deemed disproportionate for not justifying the necessity of storage periods extending up to two years. The Court’s ruling appears to go further by rejecting mass surveillance in principle.

The opinion delved into intriguing and significant points that the Court doesn’t directly address, such as: the existence of a ‘quality of law’ prerequisite for Charter violations; whether the EU or its Member States are responsible for ensuring this requirement is met in this instance; and the complexities of the ’legal base’ issue, specifically the potential conflict of introducing law enforcement-related safeguards exceeding the legislation’s ‘internal market’ legal basis. While it can be inferred that the CJEU holds a stance on these matters - that a ‘quality of law’ rule exists, the EU is responsible for upholding it in this case, and the ’legal base’ issue shouldn’t hinder the EU from adopting regulations governing law enforcement - the Court unfortunately doesn’t explicitly articulate its reasoning. It is peculiar that, having previously deemed the Directive validly based on EU internal market powers, the CJEU now rules its interference with Charter rights justified by public safety objectives.

Examining the Court’s provided reasoning, identifying public interest justifications for the interference with rights was, as is often the case, straightforward. Consequently, the most crucial part of the reasoning lies in the analysis of the interference’s impact on the ’essence’ of the right and its proportionality. It’s noteworthy that the Court clearly distinguishes these as separate issues: even if the essence of a right is upheld, legislation can still be deemed disproportionate. This contrasts with previous case law on restricting rights, which often seemed to imply that respecting the essence of a right was sufficient.

Another significant aspect of the judgment is the development of a doctrine outlining when strict scrutiny should be applied to the EU legislature’s interference with fundamental rights. This draws on Strasbourg case law rather than the standards of national constitutional courts, which have addressed this issue in their own ways. This naturally raises questions about whether these standards should also apply to the national implementation of EU law or to Charter rights not derived from the ECHR.

Despite many data protection experts arguing for a fundamental distinction between the right to privacy and the right to data protection, the Court’s judgment only partially reflects this distinction. While it separately assesses whether Articles 7 and 8 of the Charter are infringed upon and if the essence of each right is impacted, it doesn’t differentiate between the two rights when determining the necessary intensity of judicial review and links them when evaluating the proportionality of the interference.

Consequences of the judgment

The immediate and most significant consequence is the complete invalidation of the data retention Directive. The Court didn’t provide any provision for it to remain in effect. This returns us to the pre-2005 state, where Member States have the option, not the obligation, to retain data under the e-privacy Directive, as elaborated in Chris Jones’s background post on the data retention Directive. However, any exercise of this option by Member States remains subject to the requirements outlined in this judgment, as their actions fall within the scope of the Charter, given the e-privacy Directive’s regulation of interference with telecommunications.

Is it possible for the EU to adopt a revised mandatory data retention Directive? In other words, can the existing Directive be salvaged?

Firstly, the complete invalidation of the 2006 Directive necessitates a fresh start for the EU legislature rather than simply amending the existing one. Secondly, the Court’s judgment makes it clear that some form of mandatory data retention, aimed at combating serious crime and terrorism, is acceptable under the EU Charter.

How would such a new Directive differ from the one just overturned? The Court provides unusually detailed guidance for the legislature (and, in the meantime, national legislatures) in its judgment. Firstly, any new Directive must be specifically targeted at communications with a clear link to serious crime and terrorism, effectively ruling out mass surveillance as an unjustifiable infringement on Charter rights.

Secondly, a revised Directive must include regulations defining ‘serious crime’, specifying the purpose of subsequent data access, setting limits on the number of individuals with access privileges, and mandating judicial or independent administrative oversight for data access.

Thirdly, the new Directive needs to incorporate more robust regulations concerning: the data retention period, specifically for various data categories; data protection against unauthorized access and use; a mandatory data destruction protocol; and a requirement for data to be stored exclusively within the EU. While the Court didn’t explicitly address the acceptability of processing data in third countries, it logically follows that this issue requires regulation. Extending the external processing rules from the primary EU data protection legislation to this area would likely be the most straightforward solution.

Depending on when (or if) a proposal for a new Directive emerges, it could potentially become entangled with the finalization of negotiations on the main data protection package currently being discussed by EU institutions. Alternatively, if those negotiations conclude beforehand, they will provide a framework for the new Directive’s negotiation.

Final comments

The Court’s judgment unfolds against a backdrop of ongoing revelations about mass surveillance. Its mention of data retention by third countries is a thinly veiled reference to the spying scandals originating from the United States. It also implicitly addresses the significant concerns voiced by national constitutional courts regarding this Directive, as thoroughly discussed in Chris Jones’s post on the topic.

More broadly, the CJEU has taken this opportunity to deliver a landmark judgment on human rights protection within the EU legal order. Only time will tell if the Digital Rights judgment will come to be regarded as the EU’s equivalent of iconic US Supreme Court rulings on civil rights, such as those on school desegregation (Brown) or the rights of criminal suspects (Miranda). Should the Charter contribute to developing a sense of ‘constitutional patriotism’ within the European Union, this judgment will undoubtedly be considered a cornerstone.

Barnard & Peers: chapter 9, chapter 25

Licensed under CC BY-NC-SA 4.0