Lorna Woods, Professor of Internet Law, University of Essex
Introduction
A recent court decision examined the legality of national data retention laws from a human rights standpoint. These laws remained in effect even after the Data Retention Directive was struck down in the Digital Rights Ireland case due to its disproportionate impact on Articles 7 and 8 of the EU Charter of Fundamental Rights (EUCFR). This judgment clarifies the interpretation of Articles 7 and 8 within EU law, particularly in the context of the Privacy and Electronic Communications Directive, and may impact the UK’s relationship with the EU post-Brexit.
Background and Facts
The Privacy and Electronic Communications Directive mandates that national laws ensure the confidentiality of communications, including data about them. However, Article 15 allows member states to implement measures for public interest objectives like fighting terrorism and crime, which can include requiring communication providers to retain data. This led to the Data Retention Directive, which aimed to standardize the diverse approaches of member states. After this directive was invalidated, Article 15 remained the guiding principle for exceptions to communications confidentiality, leaving uncertainty regarding permissible data retention practices.
The cases in this judgment stem from two national systems. The first, involving Tele2, arose when they planned to cease data retention practices mandated by Swedish law (implementing the now-invalid Data Retention Directive) following the Digital Rights Ireland ruling. The second case challenged the UK’s Data Retention and Investigatory Powers Act 2014 (DRIPA), enacted to provide legal grounds for data retention after the UK’s implementation of the Data Retention Directive became invalid. Both cases questioned the impact of the Digital Rights Ireland ruling on national laws and the limitations imposed by Articles 7 and 8 EUCFR.
The Advocate General, in a previous opinion, suggested that while mass data retention might be acceptable with adequate safeguards, both cases lacked these necessary protections, particularly those identified in Digital Rights Ireland.
Judgment
Scope of EU Law
A key question is whether data retention and subsequent access by authorities fall under EU law. While the Privacy and Electronic Communications Directive regulates communication providers, Article 1(3) excludes “activities of the State” such as public security and defense. Although Article 15(1) allows state actions that might infringe upon the principle of confidentiality outlined in Article 5(1), the court clarifies that this does not place these actions outside the directive’s scope, as this would render Article 15(1) meaningless.
While some argue for a distinction between data retention by providers (falling under the directive) and data access by authorities (outside its scope), the court disagrees. It asserts that both aspects fall under the directive, as Article 5(1) guarantees confidentiality from both private and state actors. Furthermore, the court considers compelling communication providers to grant authorities access as an act of processing, regulated by the directive, particularly since the sole purpose of retention is to facilitate such access.
Interpretation of Article 15(1)
The court emphasizes that the Privacy and Electronic Communications Directive aims to ensure a high level of data protection and privacy. While Article 15(1) allows for exceptions to the principle of confidentiality established in Article 5(1), these exceptions must be interpreted narrowly to avoid undermining the rule.
Consequently, the court holds that member states can only adopt measures for the purposes explicitly stated in Article 15(1), and these measures must comply with the EUCFR, including Articles 7, 8, and 11 (freedom of expression). Emphasizing the need for necessity and proportionality, the court highlights the specific requirements within Article 15 and Recital 11 of the directive, which demands “strictly proportionate” measures.
In analyzing the Tele2 case, the court underscores the potential for communication data to reveal private lives and considers the resulting interference with Articles 7, 8, and 11 to be significant. While combating crime is a legitimate objective, the court limits this to “serious crime.” Even combating terrorism cannot justify indiscriminate mass data retention. The court stresses the lack of differentiation or limitation based on specific objectives within the examined regime. However, it confirms that targeted data retention as a preventive measure against serious crime is permissible under certain conditions:
Data retention must be limited to what is strictly necessary, considering the types of data, communication methods, individuals involved, and retention period.
Clear and precise rules must govern the scope and application of data retention, ensuring minimum safeguards to protect against misuse.
Retention must be justified by objective criteria establishing a connection between the data and the objective, with conditions potentially varying based on the nature of crime prevention measures.
The court emphasizes the need for objective evidence indicating that the collected data is likely to reveal links to serious criminal activity and contribute to combating such activity or preventing serious threats to public security. Geographic factors indicating a high risk of serious crime within specific areas can constitute such evidence.
Conversely, the court deems national legislation mandating the general and indiscriminate retention of all traffic and location data for all users and communication methods as incompatible with Article 15(1) and the EUCFR.
Acceptability of legislation where (1) the measure is not limited to serious crime; (2) where there is no prior review; and (3) where there is no requirement that the data stays in the EU.
This section addresses aspects of both the Watson and Tele2 cases.
The court reiterates that only measures addressing serious crime are justifiable. Regarding data access, it emphasizes that national law must establish clear and legally binding conditions ensuring that access is strictly necessary and based on objective criteria.
Citing the European Court of Human Rights (ECtHR) judgment in Zakharov, the court states that access for crime-fighting purposes should generally be limited to individuals suspected of involvement in serious crime. However, in cases involving terrorism, access to data from individuals not directly suspected may be justified if objective evidence suggests it could contribute to combating such activities.
Except in emergencies, prior review by an independent body based on a reasoned request from investigators is mandatory. Individuals affected should be notified unless doing so jeopardizes the investigation. This allows them to exercise their right to a remedy as stipulated in Article 15(2) and Article 22 of the Data Protection Directive.
While Article 15(1) allows derogation from certain provisions, it does not apply to security obligations outlined in Article 4(1) and 4(1a). Given the sensitivity of the data, the court emphasizes the need for high-level security measures from providers. It also states that national legislation must ensure data is stored within the EU and permanently deleted after the retention period, drawing parallels with the Digital Rights Ireland ruling.
Furthermore, the court stresses the importance of independent oversight to ensure compliance with the regulatory framework. This echoes the Digital Rights Ireland and Schrems cases, highlighting its significance for individuals seeking redress for data protection violations.
Summarizing its position, the court declares national legislation governing the protection and security of traffic and location data incompatible with Article 15 and the EUCFR if it meets these criteria:
The objective of data access for fighting crime is not limited to serious crime.
Data access is not subject to prior review by a court or independent authority.
There is no requirement for data to be retained within the EU.
Relationship between the EUCFR, EU law and the ECHR
Although declaring a question regarding the impact of the ECtHR on the EUCFR inadmissible, the court clarifies that the ECHR is not part of EU law, highlighting the EUCFR’s scope as the central issue. It emphasizes that Article 52(3) does not prevent EU law from offering more extensive protection than the ECHR. Notably, Article 8 EUCFR, pertaining to data protection, has no direct equivalent in the ECHR, creating a divergence between the two frameworks.
Comment
The judgment aligns with recent case law trends. Several points warrant attention.
First, the court’s approach to the scope of EU law significantly impacts claims based on the EUCFR. By asserting that both data retention and access fall under the directive’s scope, the court avoids the Advocate General’s proposed distinction and potentially broadens the reach of EU law.
Importantly, while the court’s reasoning focuses on the Privacy and Electronic Communications Directive, its interpretation of the EUCFR’s requirements may apply more broadly, potentially impacting other forms of mass surveillance like PNR data.
While recognizing Articles 7 and 8 EUCFR as distinct and acknowledging Article 11’s relevance, the court doesn’t analyze their impact separately in the context of data retention. This leaves the scope of these rights, particularly Article 11, open to interpretation.
The court doesn’t deem data retention inherently impermissible, outlining situations where it’s acceptable. However, it challenges the compatibility of mass data retention with Articles 7 and 8 EUCFR, even for combating terrorism, arguably taking a stricter stance than the Advocate General. The court emphasizes that differentiation based on objective evidence, distinguishing between individuals, offenses, and threats, is crucial for demonstrating proportionality and necessity.
While not explicitly endorsing the safeguards outlined in Digital Rights Ireland as mandatory, the court repeatedly cites it favorably, highlighting the need for prior approval, data security and control, restrictions on data transfers outside the EU, and the right to a remedy. Implementing these aspects might prove challenging for the UK’s current framework regarding communications data.
The court refrains from specifying acceptable retention periods, though it references Zakharov alongside its Advocate General. Compared to the Advocate General’s analysis, the court’s reasoning regarding necessity and proportionality is less detailed and structured. It doesn’t directly address the Advocate General’s points about lawfulness and reliance on codes, although it acknowledges that conditions for data access should be legally binding.
Lastly, despite emphasizing the ECHR’s separation from EU law, the court cites two recent ECtHR cases. This suggests an attempt to highlight consistency between the two courts on surveillance matters. This is significant for the UK post-Brexit, as the ECHR may become the primary legal avenue for UK citizens challenging state intrusion into privacy if the EUCFR no longer applies. This judgment, and the UK’s response, could influence future arguments regarding the adequacy of UK data protection laws compared to EU standards.
Barnard & Peers: chapter 9