By Orla Lynskey
The CJEU delivered its judgment in Tele2 Sverige AB and Watson on 21 December 2016. The Court had been asked by a Swedish and British court respectively to consider the scope and effect of its previous judgment in Digital Rights Ireland (discussed here). The judgment reflects continuity in so far as it follows in the line of this and earlier judgments taking a strong stance on data protection and privacy. Yet, the degree of protection it offers these rights over competing interests, notably security, is radical. In particular, the Court unequivocally states that legislation providing for general and indiscriminate data retention is incompatible with the E-Privacy Directive, as read in light of the relevant EU Charter rights. While the judgment was delivered in the context of the E-Privacy Directive, the Court’s reasoning could equally apply to other EU secondary legislation or programmes interpreted in light of the Charter. This judgment will be a game-changer for state surveillance in Europe and while it offered an early Christmas gift to privacy campaigners, it is likely to receive a very mixed reaction from EU Member States as such. While national data retention legislation has been annulled across multiple Member States (Bulgaria, Czech Republic, Cyprus, Germany and Romania), this annulment has been based on an assessment of the proportionality of the relevant measures rather than on a finding that blanket retention is per se unlawful. For those familiar with the facts and findings, skip straight to the comment below.
The preliminary ruling stems from two Article 267 TFEU references regarding the interpretation of the Court’s judgment in Digital Rights Ireland (henceforth DRI). The first, Tele2 Sverige AB, was a Swedish reference resulting from the refusal by Tele2 Sverige (a Swedish electronic communications provider) to continue to retain electronic communications data following the finding in DRI that the Data Retention Directive was invalid. A dispute regarding the interpretation of DRI ensued and the Swedish Justice Minister commissioned a report to assess the compatibility of Swedish law with EU law and the ECHR. This report concluded that DRI could not be interpreted as prohibiting general and indiscriminate data retention as a matter of principle, or as establishing criteria – all of which must be fulfilled – in order for legislation to be deemed proportionate. Rather, it held that it was necessary to conduct an assessment of all the circumstances in order to determine the compatibility of Swedish legislation with EU law. Tele2 Sverige maintained that the report was based on a misinterpretation of DRI. Given these differing perspectives, the referring court asked the Court to give ‘an unequivocal ruling on whether…the general and indiscriminate retention of electronic communications data is per se incompatible with Articles 7 and 8 and 52(1) of the Charter’.
The second preliminary reference (Watson) arose before the Court of Appeal in the context of applications for judicial review of the UK’s Data Retention and Investigatory Powers Act (DRIPA) on the grounds that this Act was incompatible with the EU Charter and the ECHR. It was disputed before the national court whether DRI laid down ‘mandatory requirements of EU law’ that national legislation for communications data retention and access must respect. The domestic referring court suggested that it was appropriate to distinguish between legislation governing retention, and legislation governing access. DRI was confined to an assessment of the former as it assessed the validity of the Data Retention Directive, which excluded provisions relating to data access. The latter, provisions on data access, must be subject to a distinct validity assessment in light of their differing context and objectives, according to the referring court. The Court of Appeal did not however deem the answer to this question obvious, given that six courts in other EU Member States had declared national legislation to be invalid on the basis of DRI. It therefore asked the Court to consider whether, firstly, DRI lays down mandatory requirements of EU law that would apply to the regime governing access to retained data at national level. It also asked whether DRI expands the scope of the Charter rights to data protection and privacy beyond the scope of Article 8 ECHR. The Watson reference was dealt with pursuant to the expedited procedure provided for in Article 105(1) of the Court’s Rules of Procedure and joined to the Tele2 Sverige reference for oral arguments and judgment.
Findings of the Court
The Scope of the E-Privacy Directive
The Court examined, as a preliminary point, whether national legislation on retention and access to data fell within the scope of the E-Privacy Directive. Article 15(1) of that Directive provides for restrictions to certain rights it provides for when necessary for purposes such as national security and the prevention, investigation, detection and prosecution of criminal offences. Article 15(1) also allows for the adoption of data retention legislation by Member States. However, Article 1(3) of that Directive states that the Directive will not apply to, amongst others, ‘activities concerning public security, defence, State security (…) and the activities of the State in areas of criminal law’. There is thus an apparent internal inconsistency within the Directive.
To guide its findings, the Court had regard to the general structure of the Directive. While the Court acknowledged that the objectives pursued by Articles 1(3) and 15(1) overlap substantially, it held that Article 15(1) of the Directive would be deprived of any purpose if the legislative measures it permits were excluded from the scope of the Directive on the basis of Article 1(3). Indeed, it held that Article 15(1) ‘necessarily presupposes’ that the national measures referred to therein fall within the scope of that directive ‘since it expressly authorizes the Member States to adopt them only if the conditions laid down in the directive are met’. In order to support this finding, the Court suggests that the legislative measures provided for in Article 15(1) apply to providers of electronic communications services and extend to measures requiring data retention and access to retained data by national authorities. It justifies this final claim – that the E-Privacy Directive includes data access legislation – on the (weak) grounds that recital 21 of the directive stipulates that the directive’s aim is to protect confidentiality by preventing unauthorised access to communications, including ‘any data related to such communications’. The Court emphasises that provisions on data access must fall within the scope of the Directive as data is only retained for the purpose of access to it by competent national authorities and thus national data retention legislation ‘necessarily entails, in principle, the existence of provisions relating to access by the competent national authorities to the data retained’. The Court also noted that the Directive requires providers to establish internal procedures for responding to requests for access based on the relevant provisions of national law.
The compatibility of ‘general and indiscriminate’ data retention with EU law
The Court then moved on to consider the most important substantive point in the judgment: the compatibility of ‘general and indiscriminate’ data retention with the relevant provisions of EU law. It began by recalling that the E-Privacy Directive’s overarching aim is to offer users of electronic communications services protection against the risks to fundamental rights brought about by technological advances. It emphasised, in particular, the general principle of confidentiality of communications in Article 5(1) of the Directive and the related safeguards for traffic data and location data (in Articles 6 and 9 respectively) [85-87]. While the Court acknowledged that Article 15(1) of the Directive allows for exceptions to these principles by restricting their scope, it held that this provision must be interpreted strictly. It clearly stated that Article 15(1) cannot permit the exception to the Directive’s confidentiality obligation to become the rule, as this would render the confidentiality obligation meaningless.
The Court also emphasised that according to Article 15(1)’s wording it must be interpreted in light of general principles of EU law, thus including the fundamental rights in the EU Charter. The Court noted, with reference to its previous case-law, the importance of the fundamental rights engaged in the current context, namely the right to privacy (Article 7), the right to data protection (Article 8) and the right to freedom of expression (Article 11). The limitations on the exercise of these Charter rights are echoed in the E-Privacy Directive, recital 11 of which states that measures derogating from its principles must be ‘strictly’ proportionate to the intended purpose, while Article 15(1) itself specifies that data retention should be ‘justified’ by reference to one of the objectives stated in Article 15(1) and be for a ‘limited period’. In considering whether national legislation complies with these requirements of strict necessity, the Court observed that ‘the legislation provides for a general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication’ and that the retention obligation on providers is ‘to retain the data systematically and continuously, with no exceptions’.
Having established the scope of the retention obligation, the Court emphasised the revealing nature of this data and recalled its finding in DRI that the data ‘taken as a whole, is liable to allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained’. The Court also stated that the data provides the means of profiling the individual concerned and – importantly – that the information is ‘no less sensitive having regard to the right to privacy, than the actual content of the communications’. The Court held that general and indiscriminate data retention legislation entailed a particularly serious interference with the rights to privacy and data protection and that the user concerned is, as a result, likely to feel that their private lives are the subject of constant surveillance. It could also, according to the Court, affect the use of means of electronic communication and thus the exercise by users of their freedom of expression. The Court therefore held that only the objective of fighting serious crime could justify national data retention legislation.
While the Court acknowledged that the fight against serious crime may depend on modern investigative techniques for its effectiveness, this objective cannot in itself justify the finding that general and indiscriminate data retention legislation is necessary for this fight against crime. It noted in particular that such legislation applies to persons for whom ‘there is no evidence capable of suggesting that their conduct might have a link, even an indirect or remote one, with serious criminal offences’ and that no exception is made for those whose communications are subject to professional secrecy. As a result of these failings, the Court held that the national legislation exceeds the limits of what is strictly necessary and cannot be considered justified under Article 15(1), read in light of the Charter.
The Court did not go so far as to deem all data retention unlawful, however. It highlighted that Article 15(1) does not prevent a Member State from introducing legislation that would facilitate targeted retention of traffic and location data for the preventive purpose of fighting serious crime. Such legislation must however be limited to what is strictly necessary in terms of the categories of data retained, the means of communication affected, the persons and the period of time concerned. In particular, such legislation should indicate ‘in what circumstances and under which conditions’ a data retention measure could be adopted as a preventive measure. The Court also emphasised that while the precise contours may vary, data retention should meet objective criteria that establish a connection between the data to be retained and the objective pursued. The national legislation must therefore be evidence-based: this objective evidence should make it possible to ‘identify a public whose data is likely to reveal a link, at least an indirect one, with serious criminal offences’.
Mandatory Requirements of DRI?
Having established the incompatibility of generalised data retention legislation with EU law, the Court then went on to consider whether EU law precludes national data retention and access legislation if that legislation:
- does not restrict access solely to the objective of fighting serious crime;
- does not require access to be subject to prior review by a court or independent body; and
- does not require that the data should be retained within the EU.
The Court reiterated an earlier finding that access to retained data must be for one of the exhaustive objectives identified in Article 15(1) of the E-Privacy Directive, and that only the objective of fighting serious crime would justify access to retained data. Such legislation must also set out clear and precise rules indicating when and how competent national authorities should be granted access to such data. The Court also held that national legislation must set out the substantive and procedural conditions governing access based on objective criteria [118-119]. Such access can, ‘as a general rule’, be granted only ‘to the data of individuals suspected of planning, committing or having committed a serious crime or of being implicated in one way or another in such a crime’. Access to the data of others might exceptionally be granted where, for instance, vital national interests are threatened by terrorist activities, if there is objective evidence to reflect the effective contribution access to such data could make. As a result, access to retained data should, with the exception of cases of validly established urgency, be subject to a prior review by a court or an independent administrative authority at the request of the competent national authorities. These competent national authorities must also notify the persons affected by the data access, under the applicable national procedures, as soon as such notification no longer jeopardises the investigations. The Court highlighted that such notice is necessary to enable these individuals to exercise their right to a legal remedy pursuant to the Directive and EU data protection law.
On the issue of data security, the Court held that Article 15(1) does not allow Member States to derogate from the Directive’s data security provisions, which require providers to take appropriate technical and organisational measures to ensure the effective protection of retained data. The Court held that a particularly high level of data security was appropriate given the quantity and nature of the data retained and the riskiness of this operation. It therefore held that the national legislation must provide for the data to be retained within the EU, and for the irreversible destruction of the data at the end of the data retention period. Member States must also ensure that an independent authority reviews compliance with EU law, as such independent control of data protection compliance is an essential element of the right to data protection set out in Article 8(3) Charter. The Court emphasised the link between such independent supervision and the availability of a legal remedy for data subjects. The Court therefore concluded that national legislation that did not comply with these conditions would be precluded pursuant to Article 15(1) as read in light of the Charter. However, it was for the relevant national courts to examine whether such conditions were satisfied in the present case.
Finally, in relation to the UK Court of Appeal’s query regarding the relationship between the EU Charter rights to data protection and privacy and Article 8 ECHR, the Court held that the answer to this question would not affect the interpretation of the E-Privacy Directive and thus would not matter in these proceedings. It recalled its settled case-law that the preliminary reference procedure serves the purpose of effectively resolving EU law disputes rather than providing advisory opinions or answering hypothetical questions. This did not however prevent it from offering a sneak preview of its thinking on this matter. It emphasised that, as the EU has not acceded to the ECHR, the ECHR does not constitute a formally incorporated element of EU law. It did however note that Article 52(3) seeks to ensure consistency between the Charter and the ECHR without adversely affecting the autonomy of EU law. EU law is not therefore precluded from providing more extensive protection than the ECHR. The Court added that Article 8 of the Charter concerns a fundamental right which is distinct from that enshrined in Article 7 and which has no equivalent in the ECHR. Therefore, while the Court did not answer the question of which offered a wider scope of protection, it did confirm the distinctiveness of these two rights.
The Tele2 judgment represents a rupture with the past in one very significant way: the Court, for the first time, unequivocally states that blanket data retention measures are incompatible with EU law, read in light of the Charter. This radical finding is likely to receive a mixed reaction. For instance, in the UK some will lament that this judgment comes too late to have influenced the passage into law of the UK’s new data retention legislation, the Investigatory Powers Act, 2016. This legislation – which allows for bulk interception and hacking, amongst other things – should now be found to be incompatible with EU law, with all of the post-Brexit implications for ‘adequacy’ this may entail (also here). Others, such as the UK’s Independent Reviewer of Terrorism Legislation – David Anderson QC – have expressed regret. Anderson QC suggests that:
‘Precisely because suspects are often not known in advance, data retention which is not universal in its scope is bound to be less effective as a crime reduction measure. In addition, a person whose data has not been retained cannot be exonerated by use of that data (e.g. by using location data to show that the person was elsewhere).’
The Advocate General (here; and commentary here) had similarly noted that data retention could help competent authorities ‘examine the past’ [AG, 178]. He had refused to declare general retention measures per se unlawful, preferring instead to assess the compatibility of data retention legislation against strict proportionality requirements [AG, 116]. His approach could therefore be said to be more nuanced and systematic than that of the Court. While examining proportionality stricto sensu he concluded that it would be for national courts to weigh the benefit of ‘examining the past’ with the potential it would provide for authorities to abuse this power by using metadata to catalogue entire populations, noting that evidence of abuses had been put before the Court [AG, 259-260]. This evidence before the Court might help to refute the critique that the Court should have focused on the actual harm of communications metadata retention ‘and sought to avoid assertions based on theory or informal predictions of popular feeling’.
Blanket retention was not the only important point on which the Court and the Advocate General departed. The Advocate General explicitly claimed that DRI set out mandatory requirements [AG, 221] while the Court did not. The Advocate General was also more stringent than the Court by requiring that data is retained in the relevant Member State [AG, 241] while the Court opted for the marginally more realistic requirement that data is retained in the EU. The Advocate General did not, however, consider Article 15(1) a derogation to the E-Privacy Directive (and therefore not a provision that required strict interpretation). The Court did not however engage with his elaborate reasoning on this point [AG, 106-115]. The Court did however confirm that competent national authorities must notify persons affected by data access as soon as such notification no longer jeopardises the investigation. This significant procedural right is likely to play an important role in acting as a check on abusive access requests.
Perhaps the only fly in the ointment for the digital rights groups that intervened before the Court is the Court’s seemingly uncritical endorsement of geographic and group profiling. It does this when it emphasises that there should be a relationship between the data retained and the threat, for instance when the data pertains to a ‘geographic area’. The ethical and social issues such profiling may entail would require further consideration. The Court appears to recognise this by suggesting that such profiling would need to be strictly evidence-based. Should generalised retention measures be replaced by ad hoc location-based retention measures, the legality of the latter would itself be the subject of much controversy.