Here’s our quick overview of what the CJEU has told the UK and Sweden they must do to fix requirements for data retention.
The full judgment can be read here.
Generalised Data Retention
The CJEU has repeated arguments, made previously in the Digital Rights Ireland case, to rule that generalised data retention is disproportionate and unlawful.
The UK case did not ask about general data retention. In the original sentence that triggered this CJEU case, the UK High Court argued that general retention was acceptable as long as the safeguards were strong:
“70. In oral argument Ms Rose modified her stance on point (i). She accepted that the CJEU cannot have meant that CSPs can only lawfully be required to retain the communications data of “suspects or persons whose data would contribute to the prevention, detection or prosecution of serious criminal offences”. Such a restriction would be wholly impracticable. Rather the Court must be understood to have held that a general retention regime is unlawful unless it is accompanied by an access regime which has sufficiently stringent safeguards to protect citizens’ rights set out in Articles 7 and 8 of the Charter.” (from the High Court judgment)
Unfortunately for the UK government, ORG and PI were there to argue the opposite, alongside the joined Swedish case brought by Tele2 Sverige AB, a telecoms company challenging the compatibility of generalised data retention orders in that country.
The CJEU has made it clear that generalised data retention is not acceptable:
103 Further, while the effectiveness of the fight against serious crime, in particular organised crime and terrorism, may depend to a great extent on the use of modern investigation techniques, such an objective of general interest, however fundamental it may be, cannot in itself justify that national legislation providing for the general and indiscriminate retention of all traffic and location data should be considered to be necessary for the purposes of that fight (see, by analogy, in relation to Directive 2006/24, the Digital Rights judgment, paragraph 51).
Retention must be restricted somehow to a section of the public more likely to be of use to investigations, possibly by geography:
111 As regard the setting of limits on such a measure with respect to the public and the situations that may potentially be affected, the national legislation must be based on objective evidence which makes it possible to identify a public whose data is likely to reveal a link, at least an indirect one, with serious criminal offences, and to contribute in one way or another to fighting serious crime or to preventing a serious risk to public security. Such limits may be set by using a geographical criterion where the competent national authorities consider, on the basis of objective evidence, that there exists, in one or more geographical areas, a high risk of preparation for or commission of such offences.
Summed up in the ruling:
1. Article 15(1) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), as amended by Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009, read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter of Fundamental Rights of the European Union, must be interpreted as precluding national legislation which, for the purpose of fighting crime, provides for general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication.
This will come as a shocker to the UK government, which could be forgiven for safely assuming that at least the basic principles of retention would be accepted by the CJEU, given the opinion of the Advocate General and the views of UK courts.
The UK has pioneered population level data retention and drove the adoption of the original EU Data Retention Directive after the London bombings in 2005. It will now be forced to rethink its approach.
Access only allowed for serious crime:
The Court accepts that some data retention can be necessary and acceptable, as it had previously said in the Digital Rights Ireland case, but only for very limited purposes defined in the e-privacy directive. Within this narrower retention regime, access should be even more restricted.
The CJEU fully supports the ruling by the UK High Court, which triggered the case, that only serious crime is an acceptable purpose for accessing retained data.
The case hinges on the interpretation of Article 15 of the EU e-privacy Directive 2002/58, which sets out limitations to the confidentiality of communications. The UK government had argued that the purposes for which retention was acceptable were not restricted by those included in this article, but instead should cover the broader set of purposes in Article 13 of the Data Protection Directive 95/46 (now replaced by the GDPR):
(e) an important economic or financial interest of a Member State or of the European Union, including monetary, budgetary and taxation matters;
(f) a monitoring, inspection or regulatory function connected, even occasionally, with the exercise of official authority in cases referred to in (c), (d) and (e);
(g) the protection of the data subject or of the rights and freedoms of others.
The CJEU rejected this point saying that the list in Art 15 is a narrow closed list of the allowed purposes that allow for data to be retained:
90 It must, in that regard, be observed that the first sentence of Article 15(1) of Directive 2002/58 provides that the objectives pursued by the legislative measures that it covers, which derogate from the principle of confidentiality of communications and related traffic data, must be ‘to safeguard national security — that is, State security — defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system’, or one of the other objectives specified in Article 13(1) of Directive 95/46, to which the first sentence of Article 15(1) of Directive 2002/58 refers (see, to that effect, judgment of 29 January 2008, Promusicae, C‑275/06, EU:C:2008:54, paragraph 53). That list of objectives is exhaustive, as is apparent from the second sentence of Article 15(1) of Directive 2002/58, which states that the legislative measures must be justified on ‘the grounds laid down’ in the first sentence of Article 15(1) of that directive. Accordingly, the Member States cannot adopt such measures for purposes other than those listed in that latter provision.
Furthermore, the CJEU says that even in the area of fighting crime, laws should be proportionate and access must be narrowed:
115 As regards objectives that are capable of justifying national legislation that derogates from the principle of confidentiality of electronic communications, it must be borne in mind that, since, as stated in paragraphs 90 and 102 of this judgment, the list of objectives set out in the first sentence of Article 15(1) of Directive 2002/58 is exhaustive, access to the retained data must correspond, genuinely and strictly, to one of those objectives. Further, since the objective pursued by that legislation must be proportionate to the seriousness of the interference in fundamental rights that that access entails, it follows that, in the area of prevention, investigation, detection and prosecution of criminal offences, only the objective of fighting serious crime is capable of justifying such access to the retained data.
The new leaked e-privacy Regulation maintains a similar list in its Article 11(1) so this ruling should stand:
Union or Member State law may restrict by way of a législative measure the scope of the obligations and rights provided for in Articles 5, 6, 7, and 8 of this Régulation when such a restriction respects the essence of the fundamental rights and is a necessary, appropriate and proportionate measure in a démocratie society to safeguard national security (i.e. State security), defence, public security, and the prévention, investigation, détection- or prosecution of criminal offences or the exécution of criminal penalties, or of unauthorised use of electronic communications systems. Any législative measure refeiïed to in paragraph l shall be in accordance with the Charter of Fundamental Rights of the European Union, in particular with Articles 7, 8, 10 and 52 thereof.
The IPA contains a much broader set of purposes for access to communications data by some 48 public authorities that include NHS trusts and the Gambling Commission. It is very hard to see how this can be squared with the ruling.
Prior review and authorisation by a court or independent administrative body
The CJEU has also fully endorsed the UK High Court ruling that required independent authorisation for access to retained data:
120 In order to ensure, in practice, that those conditions are fully respected, it is essential that access of the competent national authorities to retained data should, as a general rule, except in cases of validly established urgency, be subject to a prior review carried out either by a court or by an independent administrative body, and that the decision of that court or body should be made following a reasoned request by those authorities submitted, inter alia, within the framework of procedures for the prevention, detection or prosecution of crime.
This is a blow to the UK legal system, where authorisation is performed by a 'Designated Senior Officer', who is part of the same organisation that requests the data.
Other issues raised in the judgment:
The CJEU judgment also raises a few other issues that were not explicitly raised by the UK Court of Appeal. However, they will be very important for any future legislation in this area.
Freedom of expression
The Court reiterates the points previously made in the Digital Rights Ireland case that data retention engages not just privacy but also freedom of expression, “one of the essential foundations of a pluralist, democratic society”.
93 Accordingly, the importance both of the right to privacy, guaranteed in Article 7 of the Charter, and of the right to protection of personal data, guaranteed in Article 8 of the Charter, as derived from the Court’s case-law (see, to that effect, judgment of 6 October 2015, Schrems, C‑362/14, EU:C:2015:650, paragraph 39 and the case-law cited), must be taken into consideration in interpreting Article 15(1) of Directive 2002/58. The same is true of the right to freedom of expression in the light of the particular importance accorded to that freedom in any democratic society. That fundamental right, guaranteed in Article 11 of the Charter, constitutes one of the essential foundations of a pluralist, democratic society, and is one of the values on which, under Article 2 TEU, the Union is founded.
This is important because it could make it harder to justify the blanket retention of Internet Connection Records, which could be deemed a 'reading list'. Measures that made ordinary citizens refrain from accessing materials or expressing opinions online this could well impinge the “essence of the right”. This would move the argument away from safeguards on access to the records towards the broader direct impact of the measures, in a way that an analysis purely focused on individual privacy may not.
Open Rights Group and other human rights groups have long argued that people whose data is accessed should be notified, once this will not impact on investigations. Our calls have always been rejected on the grounds that investigations can go cold and be revived later on, and this would give too much information to suspects.
The CJEU has, almost unprompted, taken the opportunity to remind national courts that this is indeed a basic component of the legal framework around surveillance:
121 Likewise, the competent national authorities to whom access to the retained data has been granted must notify the persons affected, under the applicable national procedures, as soon as that notification is no longer liable to jeopardise the investigations being undertaken by those authorities. That notification is, in fact, necessary to enable the persons affected to exercise, inter alia, their right to a legal remedy, expressly provided for in Article 15(2) of Directive 2002/58, read together with Article 22 of Directive 95/46, where their rights have been infringed.
This would shake the secretive UK surveillance regime to its core, almost more than introducing independent authorisation, as it might be feasible to maintain the current black box model with the use of secret court orders or extending the role - and resources - of the Judicial Commissioners in the IPA. Having to notify discarded suspects would be a crack through which light may reach the darker corners of the current regime.
Given that there are over half a million requests a year for communications data, notification was perceived as introducing a huge administrative burden. It would also give visibility and raise social awareness of the extent of surveillance.
Only suspects' data can be accessed
In addition to rejecting generalised retention and narrowing down access to serious crime with independent authorisation, the CJEU has further established that as a rule only the data of people suspected of direct involvement in those crimes can be accessed. Accessing other people’s data must be an exception and also based on specific evidence of how this may help investigations.
119 Accordingly, and since general access to all retained data, regardless of whether there is any link, at least indirect, with the intended purpose, cannot be regarded as limited to what is strictly necessary, the national legislation concerned must be based on objective criteria in order to define the circumstances and conditions under which the competent national authorities are to be granted access to the data of subscribers or registered users. In that regard, access can, as a general rule, be granted, in relation to the objective of fighting crime, only to the data of individuals suspected of planning, committing or having committed a serious crime or of being implicated in one way or another in such a crime (see, by analogy, ECtHR, 4 December 2015, Zakharov v. Russia, CE:ECHR:2015:1204JUD004714306, § 260). However, in particular situations, where for example vital national security, defence or public security interests are threatened by terrorist activities, access to the data of other persons might also be granted where there is objective evidence from which it can be deduced that that data might, in a specific case, make an effective contributionto combating such activities.
The IPA contains powers for the bulk acquisition of communications data by the Security and Intelligence Agencies, which had been in place through secretive interpretations of previous legislation. MI5 has been getting a copy of all of the country’s phone calls, texts and possibly other data for decades. Clearly, this would not fit the criteria set out by the CJEU and we expect these practices to be challenged in court.
Retained data must be kept in the EU
This was a point raised in the original UK ruling and unsurprisingly it was ratified by the CJEU. It is worth repeating as a reminder of the dire consequences that leaving the EU data protection regime, including data retention, would have for the UK digital economy.
122 With respect to the rules relating to the security and protection of data retained by providers of electronic communications services, it must be noted that Article 15(1) of Directive 2002/58 does not allow Member States to derogate from Article 4(1) and Article 4(1a) of that directive. Those provisions require those providers to take appropriate technical and organisational measures to ensure the effective protection of retained data against risks of misuse and against any unlawful access to that data. Given the quantity of retained data, the sensitivity of that data and the risk of unlawful access to it, the providers of electronic communications services must, in order to ensure the full integrity and confidentiality of that data, guarantee a particularly high level of protection and security by means of appropriate technical and organisational measures. In particular, the national legislation must make provision for the data to be retained within the European Union and for the irreversible destruction of the data at the end of the data retention period (see, by analogy, in relation to Directive 2006/24, the Digital Rights judgment, paragraphs 66 to 68).
If you want to support our work in future cases, and help to ensure that this ruling is enforced, please join ORG today.