Plenty to retain? Opinion of the Advocate General in Joined Cases C-293/12 and C-594/12, Digital Rights Ireland Ltd and Seitlinger and others
In what circumstances is it possible for the EU to introduce a directive which limits the exercise of fundamental rights guaranteed by the EU Charter? This is just one of the many questions of constitutional significance which the Court is asked to address in Joined Cases C-293/12 and C-594/12. In his Opinion delivered on 12 December 2013, Advocate General (AG) Cruz Villalón provides plenty of food for thought for the Court. For instance, the Opinion offers interesting yet contestable insights into the relationship between the rights to privacy and data protection in the EU legal order.
Facts and Findings
The joined cases are preliminary references from the Irish High Court and the Austrian Verfassungsgerichtshof respectively questioning the compatibility of the Data Retention Directive (Directive 2006/24/EC) with EU law. The Data Retention Directive (DRD) requires the collection and storage of telecommunications traffic data (for instance, details on the maker and recipient of telephone calls and the duration of calls) for the purposes of the prevention, detection and investigation of ‘serious crime’. As such the DRD constitutes an exception to the general principle of confidentiality of electronic communications and other principles set out in the E-Privacy Directive (Directive 2002/58).
The two cases were joined for the purposes of the oral procedure and the judgment. As the questions asked by both referring jurisdictions were not identical, the AG focused his Opinion on the overlapping and complementary questions referred relating to the compatibility of the DRD with the provisions of the EU Charter as well as the proportionality of the legislative act.
Proportionality assessment pursuant to Article 5(4) TFEU
Having made a number of preliminary remarks which later influenced his assessment, the AG began by assessing the proportionality of the DRD in relation to its objectives pursuant to Article 5(4) TFEU. The Court had previously dismissed a claim that the DRD was adopted on an incorrect legal basis in C-301/06, Ireland v Parliament and Council. However, it remained unclear in that case whether the Court had ruled only on the validity of the choice of the legal basis for the DRD or whether it had also considered the question of the directive’s proportionality in light of its objectives. The AG therefore undertook this latter assessment. This task was made more difficult given the ‘dual functionality’ of the DRD. The ‘predominant’ objective served by the DRD is to harmonise national rules in order to ensure the proper functioning of the internal market. Indeed, it is legally justified on these grounds (Article 114 TFEU). However, the DRD also serves the additional objective of ensuring the availability of data for the purposes of the prevention and investigation of serious crime. The issue was therefore whether the proportionality of the Directive had to be assessed in light of both of these objectives or simply the primary objective.
The AG began by assessing the proportionality of the DRD in light of the objective of ensuring the functionality of the internal market. He found that the intensity of the DRD’s intervention with regard to fundamental rights (and in particular its ‘creating effect’ in certain Member States where there was no pre-existing legislation) was manifestly disproportionate to this objective. The paradoxical implications of this finding were not lost on the AG, who observed that the reason for the DRD’s legitimacy in terms of legal basis – its ambition to ensure the functioning of the internal market – would be the reason for its illegitimacy in terms of proportionality. While he queried whether this lack of proportionality with regard to the predominant objective could be remedied by taking into consideration the ‘background’ (secondary) objective, he ultimately left the question open by finding that the issue would not be decisive in the current case.
Compliance of fundamental rights limitation with Article 52(1)
The referring courts had alluded to a number of fundamental rights in their questions to the Court. As a preliminary point, the AG narrowed the rights concerned down to two rights – the Charter’s Article 7 right to privacy and its Article 8 right to data protection – before concluding that the compatibility issue should be assessed primarily from the perspective of an interference with the right to privacy. He also categorised the privacy interference as a serious one, observing, inter alia, that the effects of surveillance are multiplied as a result of the importance of electronic communications in modern societies. He then went on to determine whether this particularly serious interference with the right to privacy was justifiable by examining, first, whether it was in accordance with the law and, secondly, whether it was proportionate.
In order to be ‘in accordance with the law’, a law must be sufficiently precise to circumscribe the limitation of the relevant fundamental right. Given that the EU had no competence to prescribe the conditions under which Member States should allow access and use of retained personal data, the DRD leaves it to Member States to set out the conditions governing access and use. However, the AG held that the EU must, when enacting legislation which interferes with the fundamental rights of individuals, ‘fully assume its share of responsibility’ by defining some of the safeguards applicable at least in the form of principles. For example, the AG suggests that the EU legislature should have provided a more precise description than ‘serious crime’ or subjected access to the data to oversight by judicial authorities or an independent body. Indeed, the AG held that without knowledge of the conditions for access and use of data collected the Court could not competently assess the compatibility of the interference with EU law [121 & 122]. As a result of this lack of accompanying principles, the AG concluded that the DRD is incompatible with Article 52(1) of the Charter.
He nevertheless went on to assess whether the legislation was proportionate, distinguishing the proportionality assessment conducted under Article 5(4) TFEU, which is a means to ensure respect for Member States’ competences, from that conducted under Article 52(1), which ensures the proportionality of a limitation to a Charter right. He noted that the objective pursued by the DRD is ‘perfectly legitimate’. However, he then homed in on the necessity of the period of data retention set out in the DRD (between 6 months and 2 years). Importantly for privacy campaigners, he emphasised that the retention of data regarding the private lives of individuals is an anomaly which ‘can only be exceptional and therefore cannot extend in time beyond the period necessary’. The AG argued that there is a line which separates the past from the present – ‘historical time’ from ‘present time’ – which should be relevant in assessing the proportionality of the temporal scope of the DRD. He had been unconvinced by the arguments before the Court in oral proceedings that there was a need to extend data retention into this ‘historical time’. As a result, he found that Article 6 of the DRD, which sets out the potential retention time, was disproportionate.
Given that many Member States had in general implemented the DRD in a manner which was compliant with fundamental rights, the AG suspended the effects of the finding that the DRD was invalid pending the adoption by the EU legislature within a reasonable period of measures to remedy its legal flaws.
This eagerly anticipated Opinion is remarkable for many reasons. From a general perspective, it highlights the difficulties of clearly delineating the boundaries between EU and Member State competence. If the Advocate General’s Opinion is followed, it will also fend off a clash between the EU and several national constitutional orders. However, it is perhaps more noteworthy for those with an interest in the development of data protection and privacy law before the EU Courts.
Firstly, although the CJEU often treats data protection as a subset of the right to privacy, the AG recognises that data protection is subject to an ‘autonomous regime’. However, he seems to envisage data protection as a right which applies to the ‘personal sphere’ rather than the ‘private sphere’ unlike the right to privacy. He does this by distinguishing between ‘data that are personal as such…to which the structure and guarantees of [the right to data protection] are best suited’ and ‘data which are in a sense more personal’. The AG argues that use of ‘special’ personal data may ‘make it possible to create both a faithful and exhaustive map of a large portion of a person’s conduct strictly forming part of his private life, or even a complete and accurate picture of his private identity’. While the AG was arguably correct to focus on the right to privacy in this instance, these hitherto unheard of categories of data are unconvincing. Taken in individual morsels, the data concerned in this case was not necessarily ‘intimate’: indeed, it could be quite innocuous. However, once aggregated it could paint a revealing picture of an individual’s life. It is precisely this type of aggregation of innocuous data which EU data protection rules and hence the right to data protection are designed to regulate.
Secondly, the AG made the questionable assumption that because the data were not retained by public authorities or under their direct control, the data retention posed a more serious threat to fundamental rights. The legal action currently pending against the UK before the ECtHR for breach of Article 8 ECHR as a result of its TEMPORA surveillance programme may indicate that States also misuse personal data when the stakes are perceived as being high. Perhaps more pertinently, in this era of liquid surveillance, any strict dichotomy between public and private data processing seems artificial, a point noted by AG Kokott in her Opinion in Promusicae.
Finally, the AG allowed a reference to ‘the right to informational self-determination’ of the individual to sneak into his Opinion. While this German constitutional construct has many merits, its role in the EU legal order has been limited thus far. The insertion of a reference to ‘informational self-determination’ in the EU Charter was rejected during its drafting not least because of the strong links it has to one national legal order and the perceived influence this would have on the future design of EU data protection law.
I would like to add another point of critique:
By focusing solely on regulation of the conditions under which the retained data can be accessed or used, the AG ignores the more fundamental question whether the mandatory blanket retention of the traffic- and location data of all EU citizens is lawful to begin with. It could be that this is an underlying assumption that supports the entire opinion, but I would argue that this assumption is so controversial in itself that it is in dire need of justification. The DRD is at odds with communication freedom and the presumption of innocence, as it monitors all communication. In criminal procedures the normal practice is that the collection of information about a person’s conduct starts when he becomes a suspect and the right procedures are followed which, ideally, are reviewed by an independent judge. The consequences of omitting these procedural safeguards can be found in the Netherlands, where government agencies access millions (3 million in 2009!) of subscriber records every year, and the Netherlands are not an exception.