CJEU indicates bulk data collection only compatible with EU law if strict conditions followed

Harry Bresslaw

National legislation authorising bulk data collection will only be compatible with EU law if a series of strict conditions are met, according to the advice of an Advocate General at the Court of Justice of the EU.

In an Opinion on joined cases Tele2 Sverige AB v Post-och telestyrelsen (C-203/15) and Secretary of State for Home Department v Tom Watson and Others (C-698/15) published on 19 July 2016, Advocate General Saugmandsgaard Øe acknowledges that “the fight against serious crime is an objective in the general interest capable of justifying a general data retention obligation”. It is argued, however, that general data retention obligations are a “serious interference” with certain rights under the EU Charter of Fundamental Rights (the Charter) and that only the fight against “serious crime” could justify such interference. The intrusion caused by combatting “ordinary offences” and “the smooth conduct of proceedings other than criminal proceedings” would not outweigh the rights conferred to individuals by the Charter.

This non-binding recommendation arose in the context of challenges to Swedish and UK legislation in light of the decision in Digital Rights Ireland and Others (C-293/12 and C-594/12) (Digital Rights Ireland). It may now have an impact on EU Member States proposing to introduce further powers to access metadata retained by providers of electronic communications services. This includes the UK’s draft Investigatory Powers Bill (widely dubbed the “Snooper’s Charter” by its opponents and the media).

Digital Rights Ireland and the Invalidity of Data Protection Directive

In Digital Rights Ireland, the CJEU held on 8 April 2014 that Directive 2006/24/EC (the Data Retention Directive) was invalid. The CJEU concluded that the EU legislature had exceeded the limits imposed by compliance with the principle of proportionality in light of Articles 7 (respect for private and family life), 8 (protection of personal data) and 52(1) (the principle of proportionality) under the Charter.

The CJEU’s Digital Rights Ireland judgment criticised the Data Retention Directive for the absence of an objective criterion, or substantive and procedural conditions, by which to determine the limits of the access to, and use of, the metadata by competent national authorities. Specifically, the Data Retention Directive failed to:

  • expressly provide that access and use of the data must be strictly restricted to the purpose of preventing and detecting precisely defined serious offences or conducting criminal prosecutions thereto;
  • provide an objective criterion by which the number of persons authorised to access and use the data is limited to what is strictly necessary in light of the objective pursued; or
  • make access to such data by national authorities dependent on the prior review by a court or independent administrative body.

Consequences of Digital Rights Ireland

Following the decision in Digital Rights Ireland, both the Swedish and UK governments were the subject of legal challenges in relation to the validity of legislation on data retention and access. The relevant courts in each of these cases then referred queries to the CJEU, which prompted the Advocate General’s recent Opinion.

Tele2 Sverige AB v Post-och telestyrelsen (C-203/15)

The day following the Digital Rights Ireland judgment, Swedish telecoms operator Tele2 notified the Swedish telecoms regulator (the PTS) of its decision to cease retaining communications data which it had been required to retain under the amendments made to Law 2003:389 on electronic communications (the LEK). The LEK and its accompanying Regulation 2003:396 on electronic communications transposed the now-invalid Data Retention Directive into Swedish law. Tele2 concluded that the obligation imposed by the LEK to retain metadata of all users in bulk was similarly invalid.

Following an order by the PTS to continue to retain communications data, Tele2 challenged the decision in the Swedish Courts. The Swedish Administrative Court of Appeal then referred a query as to whether a general obligation to retain communications data was compatible with EU law, in light of Articles 7, 8 and 52(1) of the Charter, as well as provisions of Directive 2002/58/EC (Directive on privacy and electronic communications).

Secretary of State for Home Department v Tom Watson and Others (C-698/15

In the UK, certain Members of Parliament (with the support of a number of privacy groups) applied for the judicial review of the lawfulness of the data protection regime in section 1 of the Data Retention and Investigatory Powers Act 2014 (DRIPA). This regime had:

  • empowered the Home Secretary to require public telecommunication operators to retain all communications data (although not the content of such communications) for up to 12 months; and
  • contemplated the terms on which such retained data might be accessed.

In its judgment of 17 July 2015, the English Courts held that the regime in question was inconsistent with EU law. DRIPA, it concluded, did not satisfy the requirements laid down in Digital Rights Ireland, which the court perceived as applying to national legislation of Member States governing access to retained data.

The decision was appealed, and the Court of Appeal expressed its provisional view that the judgment of the CJEU in Digital Rights Ireland did not set out mandatory requirements of EU law that must apply to Member States’ national legislation (including DRIPA) governing access to retained data in order to comply with Articles 7 and 8 of the Charter. Instead, it asserted that Digital Rights Ireland merely identified protections absent from the Data Retention Directive. The Court of Appeal nonetheless sought clarification from the CJEU on this point.

AG Saugmandsgaard Øe’s Opinion

The Advocate General concluded that a general data retention obligation imposed by a Member State on electronic service providers may be compatible with the fundamental rights enshrined in EU law. It is imperative, however, that this is strictly circumscribed by a series of safeguards.

To justify the interference with fundamental rights enshrined in the Charter caused by the potential ability of a government to access data retained under a general data retention obligation, the Opinion sets out conditions that the obligation must be satisfy. It will then be for the national courts to decide if these conditions have been satisfied in the context of the case before them. These conditions are:

  • the obligation must be provided for in legislative or regulatory measures, which must be binding on the national authorities with the power of data access. These measures must have:
    •  the characteristics of accessibility and foreseeability (i.e. formulated with sufficient precision to enable an individual to regulate his conduct); and
    • adequate protection against arbitrary interference (i.e. the measures must define with sufficient clarity and scope the manner and exercise of the power conferred on the competent authorities);
  •  the obligation must respect the essence of the rights enshrined in Articles 7 and 8 of the Charter. The Opinion notes that this will not be an issue where (i) the knowledge of the content of communication is not permitted and (ii) national regimes put in place safeguards to effectively protect personal data from unlawful access and use;
  • the obligation must be strictly necessary in the fight against serious crime (as opposed to ordinary offences or other administrative purposes), i.e. no other measure or combination of measures could be as effective while at the same time interfering to a lesser extent with the fundamental rights;
  • the obligation is accompanied by all the safeguards described by the CJEU in paragraphs 60 to 68 of its judgment in Digital Rights Ireland concerning access to the retained data, the period of retention and the protection and security of the data, in order to limit the interference with the fundamental rights to what is strictly necessary; and
  • the obligation is proportionate – i.e. the referring courts must determine the advantages and risks of general data retention obligations, and potential access and use by governments, being:
    • the advantages associated with giving the authorities whose task it is to fight serious crime a certain ability to look at data which pre-dates the criminal conduct; and
    • the serious risks which arise from the power to catalogue the private lives of individuals and to catalogue a population in its entirety (with particular emphasis on the potential threat to democratic accountability).

Looking forward

The Opinion has been welcomed in the UK by critics of the draft Investigatory Powers Bill, which is currently under review and is intended to create a new statutory basis for the retention and acquisition of communications data, extending the powers of the government beyond those introduced by DRIPA. On the other hand, proponents of the Bill in the UK may take heart from the possibilities that Brexit may afford in allowing the UK’s retention regime to go further than the CJEU may permit.
While the Opinion is not legally binding, it seems likely that it will be followed by the court when it delivers its final judgment on the Swedish and UK cases later this year. Should the judgment follow the Advocate General’s recommendation, all EU Member States considering the introduction or extension of general data retention obligations that permit access to, and use of, retained data will need to be mindful of these strict conditions to ensure compatibility with fundamental EU rights.

Comments published on Digital Hub do not necessarily reflect the views of Allen & Overy.

Read comments below or add a comment

Leave a comment

Your email address will not be published. Required fields are marked *