Advocate General finds Data Retention Directive incompatible with right to privacy

Practical Law UK Legal Update 4-551-8726 (Approx. 8 pages)

Advocate General finds Data Retention Directive incompatible with right to privacy

by Practical Law IP&IT

Background

Data Retention Directive and implementation in the UK

The EU Directive 2006/24/EC on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC (Data Retention Directive) was adopted in February 2006 (see Legal update, EC Data Retention Directive adopted) and came into force on 3 May 2006.

It provides that member states must adopt laws requiring communications service providers (CSPs) to retain, for a period between six and 24 months, certain types of traffic, subscriber and location data generated by users of their service (Article 6, Data Retention Directive). Individual member states have an option to introduce longer periods where they face "particular circumstances warranting an extension for a limited period" (Article 12(1)). Retained data will be available for the purposes of the investigation, detection and prosecution of serious crime. The definition of "serious crime" is left to the national law of the member states.

The Directive does not regulate the gaining of access to, and use of, the retained data by public authorities and law enforcement authorities of the member states. Member states have the right to regulate access under their national laws (subject to their international legal obligations).

The UK implemented the Directive through The Data Retention (EC Directive) Regulations 2009, which came into force on 6 April 2009. Access to communications data retained by CSPs (whether for their own business purposes or in accordance with the Code) is regulated by Part I of Chapter II of the Regulation of Investigatory Powers Act 2000 (RIPA).

In February 2009, the ECJ dismissed an action filed by the Irish government which had challenged the legal basis for the Directive. The government had argued that the Directive concerned a matter relating to criminal justice rather than the internal market and that it should therefore not have been adopted on the basis of Article 95 of the Treaties establishing the European Communities (TECT) (now Article 114 of the Treaty on the Functioning of the European Union (TFEU) (see Legal update, ECJ dismisses Irish challenge to Data Retention Directive). The court did not examine any possible infringement of fundamental rights arising from interference by provisions of the Directive with the exercise of the right to privacy under Article 8 of the European Convention on Human Rights (Convention).

EU law

Article 5(4) of the Treaty on European Union (TEU) provides that under the principle of proportionality, the content and form of EU action must not exceed what is necessary to achieve the objectives of the Treaties. This means that the EU legislator must not enact laws if this is not necessary, appropriate or proportionate in a strict sense.

Fundamental rights in the EU

The Convention and the EU Charter of Fundamental Rights (Charter) protect EU citizens' fundamental rights, including:

The right to respect for private life (Article 8, Convention and Article 7, Charter).
The right to data protection (Article 7, Charter).
The right to freedom of expression (Article 10, Convention and Article 11, Charter).

Article 52(1) of the Charter provides that

"any limitation on the exercise of the rights and freedoms recognised by this Charter must be provided for by law and respect the essence of those rights and freedoms. Subject to the principle of proportionality, limitations may be made only if they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others".

Facts

In 2010, the Irish High Court granted a motion by campaign group Digital Rights Ireland to refer to the ECJ a number of questions concerning the compatibility of the Data Retention Directive with Article 5(4) of the TEU and with certain fundamental rights protected by the Charter.

In 2012, a number of different applicants including the state government of Carinthia and over 11,000 individual applicants brought an action before the Austrian Constitutional Court claiming that the Austrian law transposing the Directive infringed their rights under Article 8 of the Charter. Both courts referred questions regarding the validity of the Directive to the ECJ, which joined them in 2013.

The Irish High Court referred the following questions to the ECJ:

Is the restriction on the rights of the plaintiff arising from the requirements in Articles 3, 4 and 6 of the Directive incompatible with Article 5(4) of the TEU in that it is disproportionate or unnecessary or inappropriate to achieve the legitimate aims of:
- ensuring that certain data are available for the purposes of investigation, detection and prosecution of serious crime; and/or
- ensuring the proper functioning of the internal market of the EU?
In particular, the High Court enquired whether the Directive was compatible with Articles 7, 8 and 11 of the Charter and Article 8 of the Convention.
To what extent do the treaties - and specifically the principle of loyal cooperation - require a national court to enquire into, and assess, the compatibility of the national implementing measures for the Directive with the protections afforded by the Charter, including Article 7 of the Charter (as informed by Article 8 of the Convention)?

The Austrian Constitutional Court referred the following question to the ECJ:

Are Articles 3 to 7 of the Directive compatible with Articles 7, 8 and 11 of the Charter?

In addition, the court referred a number of questions concerning the interpretation of the EU treaties, which are not relevant for the purpose of this development.

Decision

Advocate General (AG) Cruz Villalón has concluded that the Data Retention Directive is as a whole incompatible with Article 52(1) of the Charter, since the limitations on the exercise of fundamental rights, which that Directive contains because of the obligation to retain data and which it imposes, are not accompanied by the necessary principles for governing the guarantees needed to regulate access to the data and their use.

The AG also finds that Article 6 of the Directive is incompatible with Articles 7 and 52(1) of the Charter in that it requires member states to ensure that the data specified in Article 5 of the Directive are retained for a period of up to two years.

The AG identifies four sets of issues raised by the two cases:

The validity of the Directive in the light of Article 5(4) of the TEU.
The compatibility of several provisions of the Directive with Articles 7, 8 and 52(1) of the Charter.
The interpretation of the general provisions of the Charter governing its application and interpretation, and its relationship to the specific Charter rights, the constitutional traditions of the member states and the Convention.
The need for national courts to examine and assess the compatibility of national provisions transposing the Directive with the provisions of the Charter.

The AG also addresses a number of preliminary issues.

Preliminary issues

The AG also addresses the following preliminary issues:

The functional duality of the Data Retention Directive

The AG highlights that the Directive must be seen in the context of the Data Protection Directive (95/46/EC) and the E-Privacy Directive (2002/58/EC), which govern the EU framework in the area of data protection in general and with regard to data protection in the context of electronic communications in particular. Both the Data Protection Directive and the E-Privacy Directive require the deletion of personal information (including traffic data) when they are no longer necessary for the purpose for which they were collected, subject to certain exceptions. Article 5 of the E-Privacy Directive also protects the confidentiality of communications.

Article 15(1) of the E-Privacy Directive permits member states to adopt laws that restrict these rights for a limited period on one of a number of public interest grounds (including national and public security) in accordance with fundamental rights. The Data Retention Directive fundamentally alters this framework by specifically mandating the retention of communications data on the basis of a derogation from the derogating rule (Article 15(1a), E-Privacy Directive). This means that it not only aims to harmonise the laws of member states that had, at the time of its adoption, already enacted data retention laws but that it also imposes a requirement to enact such laws on those member states that had not.

Classification of the interference with the right to privacy

The AG accepts that individuals' rights under Articles 7, 8 and 11 of the Charter may all be engaged. However, while "the vague feeling of surveillance", which the implementation of the Data Retention Directive may cause, is capable of having an impact on an EU citizen's freedom of expression, he believes that this effect is merely a collateral consequence of interference with the right to privacy. With regard to the difference in scope between Article 7 and Article 8 of the Charter, the AG opines that the Directive is not concerned with the processing of the data, post collection, but with the actual collection and retention. In the AG's opinion, the issue which arises relates to the data as such, namely the fact that it has been possible to record the circumstances of a person's private life in the form of data that may subsequently be processed. The interference is therefore in the first instance with Article 7 (collection and retention) rather than Article 8 (processing).

The AG further concludes that the collection and retention in huge databases of the large quantities of data generated in connection with most of the everyday electronic communications of EU citizens constitutes a particularly serious interference with Article 7 as it establishes the conditions for surveillance which constitutes a permanent threat to citizens' rights throughout the retention period. This is further exacerbated by the importance electronic means of communication have acquired in modern societies. This makes it possible to create a both faithful and exhaustive map of a large portion of a person's conduct that strictly forms part of his private life, or even a complete and accurate picture of his private identity. The large-scale retention also increases the risk that the retained data might be used for unlawful purposes (including, for example, the CSPs themselves, third parties exploiting security weaknesses or access by non-EU governments that may be justified on the basis of local laws).

Proportionality of the adoption of the Directive

The AG clarified that in the context of the present case there was a difference between the proportionality of the adoption of the Directive as such and the proportionality of specific provisions of the Directive in a fundamental rights context. He described proportionality within the meaning of Article 5(4) of the TEU as a general principle governing action of the EU, particularly with respect to member state competence. According to settled case law, an act of the EU is only proportionate if the measures it implements are appropriate for attaining the objectives pursued and do not go beyond that which is necessary to achieve those objectives.

In the AG's opinion, in this case, the proportionality of the Directive must be assessed in the light of two objectives: the need to harmonise national rules in order to ensure the proper functioning of the internal market, and the need to ensure the availability of data for the purposes of the prevention of crime.

The AG concludes that the intensity of the interference with EU citizens' fundamental rights through the implementation of the Directive is manifestly disproportionate to the objective relating to the need to ensure the functioning of the internal market. In this context, the AG highlights the fact that before the Directive was adopted, only a few member states had already enacted their own national data retention laws. However, the Directive, in mandating retention in countries where no such prior obligation existed, went beyond the mere harmonisation of potentially diverging national legal frameworks to have a "creating" effect that extended a measure that interfered with the rights of citizens to all of the EU. The Directive would therefore fail the proportionality test for the very reason which justified its legal basis.

At the same time, the AG acknowledged that the collection and retention of communications data might be considered an appropriate and necessary means to achieve the other objective that the data be available for law enforcement purposes. The question then arises whether a measure that would be disproportionate on the grounds of its predominant objective could nonetheless be proportionate on the basis of "background" objective. However, in view of his subsequent conclusions, the AG did not deem it necessary to resolve that issue in the present case.

Proportionality of the Directive in the context of fundamental rights

The AG highlights that the interference of the measures imposed by the Directive with the right to privacy is permissible only to the extent that it complies with the conditions laid down in Article 52(1) of the Charter. This means that it must be "provided for by law" and proportionate.

Provided for by law

The AG makes it clear that although the Directive clearly meets the formal requirements of Article 52(1) the requirement also concerns the quality of the law in question. This means that any limitations the law imposes on the exercise of fundamental rights must be accompanied by the necessary level of detail that is required to be displayed by the guarantees with which such limitations must be coupled.

The AG strongly criticises the lack of guarantees with regard to the access to and use of the retained data by public bodies. While the detailed regulation of law enforcement activity fell, at the time, outside the legal competence of the EU since it concerned matters reserved to the member states under Title V of the TEU, the AG stresses that this did not relieve the EU from adopting at the very least a set of principles that would guide the member states action in this regard. This was particularly the case given the "creating" effect of the Directive, which made it necessary for those member states that had not yet adopted data retention laws to enact such laws and the accompanying access provisions. In the AG's opinion, the EU legislature cannot, when adopting an act imposing obligations that interfere with the fundamental rights of citizens, entirely leave the task of defining the guarantees capable of justifying that interference to the member states.

In particular, the AG put forward the following principles that should be included in the Directive or any successor legislation:

A more precise description than "serious crime" of the types of criminal activities that would justify access to the retained data.
A provision that limits access to the retained data, if not solely to judicial authorities, then at least to independent authorities or oversight bodies or to third parties on making a request to such bodies. The Directive should also have required a case-by-case of requests for access in order to limit the data provided to that which is strictly necessary.
A principle that member states may provide for exceptions preventing access to retained data in certain exceptional circumstances or may prescribe more stringent requirements for access in situations where access may infringe fundamental rights.
A principle that authorities authorised to access retained data must
- erase them once their usefulness has been exhausted; and
- notify the individuals concerned at least retrospectively after the elimination of any risk that that notification might undermine the effectiveness of the measure.

Proportionality

In the light of his conclusions, the AG did not see the need for a detailed examination of the issue of proportionality under Article 52(1) of the Charter. In the AG's opinion, the Directive pursues a perfectly legitimate objective and may be regarded, given the limited powers that the court may exercise in this regard, as appropriate and even, subject to the guarantees proposed, as necessary for achieving that objective.

However, the AG did raise two issues for the EU legislature to consider going forward. First, it is important from the perspective of necessity to stress the need for a continuing reassessment by the European Commission of the circumstances on which the measures contained in the Directive are based. Second, the AG was not convinced by the temporal scope of the Directive. In particular, he opines that there is no justification for not limiting the data retention period to be established by the member states to less than one year.

Competence of national courts to assess compatibility of national laws implementing EU law with the Charter

Although the AG considers it unnecessary to answer this question in the light of his conclusions so far, he confirms that in his opinion national courts should be required to examine and assess national measures implementing a directive in the light of the protections afforded by the Charter to which the national courts are subject.

The effect of a finding of invalidity

Despite the fact that he ruled the Directive as a whole incompatible with Article 52(1) of the Charter, the AG considers that the effects of that finding should be suspended pending adoption by the EU of the measures necessary to remedy the invalidity. However, he makes it clear that those measures must be adopted within a reasonable period.

Comment

The AG's opinions are not binding on the ECJ and there is no guarantee that the court will follow his arguments in its own decision. However, they often contain useful guidance on the issues the court will consider. In this context it is interesting to note that while the AG raised the question of the proportionality of the adoption of the Directive as a whole, he seems content that the individual requirements it imposes could be proportionate in a fundamental rights context provided it includes provisions relating to access and use of the retained data and limits the retention period to no more than one year. This leaves the door open for the Commission to prepare a revised Directive, which member states that have not yet transposed the existing Directive would have to implement.

Although this may be considerably more difficult in the current political climate and following revelations of mass surveillance by several countries' security services, the AG's view that the retention could be considered both necessary and appropriate to achieve what he himself describes as a "background objective" will make it easier for law enforcement agencies and security services to insist on the adoption of a new, albeit slightly more restricted, legal basis for their activities. For CSPs this means that for the time being, their obligation to retain communications data under national laws implementing the Directive will remain, particularly if the AG's suggestion that the finding of invalidity should be suspended until a new or revised Directive has been adopted. For privacy groups, the AG's opinion represents something of a partial victory. While the AG has formally acknowledged that data retention constitutes a serious interference with the right to privacy, he has also taken great care to highlight that, in principle, it can continue as a practice, despite the many procedural and substantive challenges he identifies.

Source

Advocate General's opinion in Joined Cases C-293/12 Digital Rights Ireland and C-594/12 Seitlinger and others, 12 December 2013.

Advocate General finds Data Retention Directive incompatible with right to privacy | Practical Law