ECJ declares Data Retention Directive invalid

Practical Law UK Legal Update Case Report 5-564-2768 (Approx. 11 pages)

ECJ declares Data Retention Directive invalid

by Practical Law IP&IT

Background

Data Retention Directive and implementation in the UK

The Directive on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC (2006/24/EC) (Data Retention Directive) was adopted in February 2006 (see Legal update, EC Data Retention Directive adopted) and came into force on 3 May 2006.

It provides that member states must adopt laws requiring communications service providers (CSPs) to retain, for a period between six and 24 months, certain types of traffic, subscriber and location data generated by users of their service (Article 6). Individual member states have an option to introduce longer periods where they face "particular circumstances warranting an extension for a limited period" (Article 12(1)). Retained data will be available for the purposes of the investigation, detection and prosecution of serious crime. The definition of "serious crime" is left to the national law of the member states.

The Directive does not regulate the gaining of access to, and use of, the retained data by public authorities and law enforcement authorities of the member states. Member states have the right to regulate access under their national laws (subject to their international legal obligations).

The UK implemented the Directive through The Data Retention (EC Directive) Regulations 2009, which came into force on 6 April 2009. Access to communications data retained by CSPs is regulated by Part I of Chapter II of the Regulation of Investigatory Powers Act 2000.

In February 2009, the ECJ dismissed an action filed by the Irish government which had challenged the legal basis for the Directive. The government had argued that the Directive concerned a matter relating to criminal justice rather than the internal market, and that it should therefore not have been adopted on the basis of Article 95 of the Treaties establishing the European Communities (TECT) (now Article 114 of the Treaty on the Functioning of the European Union (TFEU) (see Legal update, ECJ dismisses Irish challenge to Data Retention Directive). The court did not examine any possible infringement of fundamental rights arising from interference by provisions of the Directive with the exercise of the right to privacy under Article 8 of the European Convention on Human Rights (Convention).

EU law

Article 5(4) of the Treaty on European Union (TEU) provides that, under the principle of proportionality, the content and form of EU action must not exceed what is necessary to achieve the objectives of the Treaties. This means that the EU legislator must not enact laws if this is not necessary, appropriate or proportionate in a strict sense.

Fundamental rights in the EU

The Convention and the EU Charter of Fundamental Rights (Charter) protect EU citizens' fundamental rights, including:

The right to respect for private life (Article 8, Convention and Article 7, Charter).
The right to data protection (Article 7, Charter).
The right to freedom of expression (Article 10, Convention and Article 11, Charter).

Article 52(1) of the Charter provides that:

"any limitation on the exercise of the rights and freedoms recognised by this Charter must be provided for by law and respect the essence of those rights and freedoms. Subject to the principle of proportionality, limitations may be made only if they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others".

Facts

In 2010, the Irish High Court granted a motion by campaign group Digital Rights Ireland to refer to the ECJ a number of questions concerning the compatibility of the Data Retention Directive with Article 5(4) of the TEU, and with certain fundamental rights protected by the Charter.

In 2012, a number of different applicants, including the state government of Carinthia and over 11,000 individual applicants, brought an action before the Austrian Constitutional Court claiming that the Austrian law transposing the Directive infringed their rights under Article 8 of the Charter. Both courts referred questions regarding the validity of the Directive to the ECJ, which joined them in 2013.

The Irish High Court referred the following questions to the ECJ:

Is the restriction on the rights of the plaintiff arising from the requirements in Articles 3, 4 and 6 of the Directive incompatible with Article 5(4) of the TEU in that it is disproportionate or unnecessary or inappropriate to achieve the legitimate aims of:
- ensuring that certain data are available for the purposes of investigation, detection and prosecution of serious crime; and/or
- ensuring the proper functioning of the internal market of the EU?
In particular, the High Court enquired whether the Directive was compatible with Articles 7, 8 and 11 of the Charter and Article 8 of the Convention.
To what extent do the Treaties, and specifically the principle of loyal co-operation, require a national court to enquire into, and assess, the compatibility of the national implementing measures for the Directive with the protections afforded by the Charter, including Article 7 of the Charter (as informed by Article 8 of the Convention)?

The Austrian Constitutional Court referred the following question to the ECJ:

Are Articles 3 to 7 of the Directive compatible with Articles 7, 8 and 11 of the Charter?

In addition, the court referred a number of questions concerning the interpretation of the EU Treaties, which are not relevant for the purpose of this development.

In December 2013, Advocate General Cruz Villalón gave an opinion in which he concluded that the Data Retention Directive is, as a whole, incompatible with Article 52(1) of the Charter, since the limitations on the exercise of fundamental rights it contains are not accompanied by the necessary principles for governing the guarantees needed to regulate access to the data and their use (see Legal update, Advocate General finds Data Retention Directive incompatible with right to privacy). He recommended that the ECJ find that the Directive is invalid, but that the effects of that finding should be suspended pending adoption by the EU of the measures necessary to remedy the invalidity.

Decision

The ECJ ruled that the Data Retention Directive is invalid because the EU legislature has exceeded the limits imposed by compliance with the principle of proportionality in the light of Articles 7, 8 and 52(1) of the Charter.

The ECJ's detailed reasoning is summarised below.

Application of Charter rights

The court opined that the questions of the referring courts could essentially be viewed as a request to the ECJ to examine the validity of the Data Retention Directive in the light of Articles 7, 8 and 11 of the Charter.

It found that the retention of communications data pursuant to Articles 3 to 5 of the Directive, for the purpose of possible access to them by the competent national authorities, directly and specifically affects private life. It based its conclusion on the fact that communications data "as a whole, may allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, the activities carried out and the social environments frequented by them" (paragraph 27). As a result, it found that the Directive fell within the scope of Article 7 of the Charter.

The court also made it clear that the mere retention of communications data already constitutes the processing of personal data within the meaning of Article 8 of the Charter and, therefore, necessarily has to satisfy the data protection requirements arising from that Article. This assessment differs from the Advocate General's view, who had argued that the Article 7 right applied to the collection and retention of data, while the Article 8 right covered its subsequent use. Since the Directive was not concerned with the latter, the Advocate General did not think that Article 8 needed to be examined.

Finally, the ECJ also acknowledged the potential impact data retention could have on individuals' exercise of the freedom of expression guaranteed by Article 11 of the Charter. Although the court ultimately did not see a need to examine the validity of the Directive in the light of Article 11, it found that it was not inconceivable that the retention of the data in question might have an effect on internet users' use of means of electronic communication.

Interference with the rights to privacy and data protection

The ECJ held that the data retention requirement imposed by Articles 3 and 6 of the Data Retention Directive constitutes in itself an interference with the rights guaranteed by Article 7 of the Charter. As the Advocate General already pointed out in his opinion, such a retention requirement derogates from the system of protection of the right to privacy established by the Data Protection Directive and the E-Privacy Directive (2002/58/EC). In addition, the access of the competent national authorities to the retained data constitutes a further interference with that fundamental right.

Given that the Directive also provides for the processing of personal data, it constitutes an interference with the right to the protection of personal data guaranteed by Article 8 of the Charter.

Justification of the interference

The ECJ held that the interference with the rights in Articles 7 and 8 was not justified.

Essence of the rights

The court held that because the Directive does not "permit the acquisition of knowledge of the content of the electronic communications," it does not adversely affect the essence of the right to privacy. Similarly, the essence of the data protection right is unaffected because the Data Retention Directive itself provides that CSPs must respect certain principles of data protection and data security.

However, the court made it clear that it considered the Directive to constitute a particularly serious interference with those rights. In particular, the court highlighted "the important role played by the protection of personal data in the light of the fundamental right to respect for private life" and the likely impact on individuals' perception of surveillance. The court confirmed that "the fact that data are retained and subsequently used without the subscriber or registered user being informed is likely to generate in the minds of the persons concerned the feeling that their private lives are the subject of constant surveillance".

Objective of general interest

The ECJ also agreed that the interference satisfies an objective of general interest. While, in the first instance, the Directive aims to harmonise the legal framework governing the data retention obligations member states impose on CSPs, the court acknowledged that its material objective is to ensure that the data are available for the purpose of the investigation, detection and prosecution of serious crime and thus, ultimately, to contribute to public security. The court confirmed that the fight against international terrorism and serious crime constitutes an objective of general interest. In this context, the court pointed out that Article 6 of the Charter lays down the right of any person not only to liberty, but also to security.

Proportionality

However, the court found that the Directive did not comply with the proportionality principle. That principle requires that acts of the EU institutions be appropriate for attaining the legitimate objectives pursued by the legislation at issue and do not exceed the limits of what is appropriate and necessary in order to achieve those objectives. In this case, the court also found that in view of the important role played by the protection of personal data in the light of the fundamental right to respect for private life, and the extent and seriousness of the interference with that right caused by the Directive, the EU legislature's discretion is reduced, with the result that review of that discretion should be strict.

The court accepted that the provisions included in the Directive were suitable to achieve the material objective. However, it ruled that while the fight against serious crime, in particular against organised crime and terrorism, is of the utmost importance, it "does not, in itself, justify a retention measure such as that established" in the Directive. In particular, the court criticised the EU legislator for adopting a measure that:

Covers, in a generalized manner, all persons and all means of electronic communication, without any differentiation, limitation or exception being made in the light of its crime-fighting objective.
Affects, in a comprehensive manner, all persons using electronic communications services, but without the persons whose data are retained being, even indirectly, in a situation which is liable to give rise to criminal prosecutions.
Applies even to persons whose communications are subject to the obligation of professional secrecy.
Does not require any relationship between the data to be retained and a threat to public security and which, in particular, is not subject to a temporal or geographic restriction or a restriction to persons who could, for other reasons, contribute to the prevention, detection or prosecution of serious offences.

The court further criticised the Directive for failing to lay down any objective criterion or substantive and procedural conditions governing competent national authorities' access to the data and their subsequent use for the purposes of law enforcement and public security. In particular, the court stated that it would like to see conditions that:

Provide that access to, and use of, the data in question must be strictly restricted to those purposes and not extended to other purposes.
Limit the number of persons authorised to access and subsequently use the data retained to what is strictly necessary in the light of the objective pursued.
Make access by the competent national authorities to the data retained dependent on a prior review carried out by a court or by an independent administrative body.

Finally, the court condemned that the Directive does not include any provisions that indicate to the member states how they should apply the retention period of between six and 24 months to the retained data. In particular, it highlighted that the Directive does not distinguish between different categories of data on the basis of their possible usefulness for the purposes of the objective pursued or according to the persons concerned. It also does not include a requirement that the determination of the period of retention must be based on objective criteria in order to ensure that it is limited to what is strictly necessary.

As a result, the court concluded that the Directive failed the proportionality test as it does not lay down clear any precise rules governing the extent of the interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter. Instead, it entails a wide-ranging and particularly serious interference with those fundamental rights in the legal order of the EU, without such an interference being precisely circumscribed by provisions to ensure that it is actually limited to what is strictly necessary.

Data security and cross-border transfers

In addition to its consideration of the strict legal issues under review, the court also used its decision to raise the issue of data security. It highlighted the fact that the Directive does not provide for sufficient safeguards, nor does it impose a specific obligation on member states to establish such safeguards, to ensure the effective protection of the data retained against the risk of abuse and against unlawful access and use. Specifically, the ECJ criticised that Article 7 in conjunction with Article 4(1) of the Directive permits providers to have regard to economic considerations when determining the level of security which they apply. The Directive also fails to ensure the irreversible destruction of the data at the end of the data retention period. The court was of the view that the Directive should include safeguards that are specific and adapted to:

The vast quantity of data to be retained.
The sensitive nature of that data.
The risk of unlawful access to that data, rules which would serve, in particular, to govern the protection and security of the data in question in a clear and strict manner in order to ensure their full integrity and confidentiality.

More importantly, the court criticised that the Directive does not require the data in question to be retained within the EU. It argues that this makes it impossible to control compliance with applicable EU data protection and data security requirements. That control, which the court views as an essential component of the protection of individuals' data protection rights, must be exercised by an independent authority (Article 8(3), Charter).

Impact of the decision

Although the decision is silent on this matter, a press release published by the court makes it clear that in the light of the fact that the court has not imposed any temporal limitation on the invalidity, the Directive is invalid from the date it came into force. This means that there is currently no EU law mandating the retention of communications data. The European Commission has published an FAQ document explaining that national legislation implementing the Directive will only have to be amended to the extent required by the court's decision. It also highlights that member states' competence to adopt their own national data retention laws under Article 15(1) of the E-Privacy Directive remains unaffected.

Comment

It is difficult to overestimate the potential impact the ECJ's decision is likely to have with regard not only to the retention of communications data, but also the wider field of fundamental rights protection within the EU and the member states. To this extent, the court's decision is truly capable of being a "game changer". However, it is currently unclear how this will play out in detail, and much of this will depend not only on the legal and cultural traditions of the individual member states, but also on the political pressures their governments find themselves under. For EU citizens and businesses, in particular the CSPs that were directly affected by the now invalid retention requirement, this is likely to mean a sustained period of legal uncertainty as the various institutions, both at EU and at member state level, come to an agreement on how the substantive and procedural issues raised by the ECJ's decision should be resolved. This includes a decision on whether providers will now be required to delete communications data retained under national laws implementing the Directive.

Privacy groups, on the other hand, will have been delighted to see that, following the Snowden revelations, the fight against terrorism and serious crime is no longer the universal trump card it once was in a balance of interest consideration between the operational needs of law enforcement and security agencies and the fundamental rights and freedoms of individual citizens. Similarly, CSPs, and by extension other private entities that may be under a legal obligation to disclose personal data they hold about their customers to certain public bodies, are now in a much stronger position if they wish to oppose such disclosure requests. This applies both in the context of the political process preceding the introduction of such a requirement, and after a relevant law has been adopted. For example, when the Data Retention Directive (and, before then, related national laws) were first discussed, CSPs across the EU were almost united in their opposition to the retention requirement, citing cost and operational issues as their reasons for opposing the measure. It was only in the UK that the government was successful in heading off this opposition by agreeing to reimburse CSPs for the costs they incurred in connection with the scheme. In other countries, CSPs were expected to bear those costs as part of the "cost of doing business", and this has arguably raised issues of competitiveness in this sector across the EU.

Finally, all stakeholders will have taken note of the ECJ's comments on the need to store retained data within the EU to ensure oversight of compliance with applicable EU data protection and data security requirements by independent EU authorities in accordance with Article 8(3) of the Charter. This requirement will be the subject of many discussions as difficult decisions have to be made on issues like the future of the EU-US safe harbour arrangement, the data export provisions contained in the proposed EU Data Protection Regulation and the regulation of cloud computing services.

Case

Digital Rights Ireland and Seitlinger and others, Joined Cases C-293/12 and 594/12, 8 April 2014.

ECJ declares Data Retention Directive invalid | Practical Law