The future of national data retention obligations – How to apply Digital Rights Ireland at national level?

Note by the editors: we will take a short break over the summer and resume blogging in the week of 16 August

By Vanessa Franssen

On 19 July, Advocate General (AG) Saugmandsgaard Øe delivered his much awaited opinion on the joined cases Tele2 Sverige AB and Secretary of State for the Home Department, which were triggered by the Court of Justice’s (CJEU) ruling in Digital Rights Ireland, discussed previously on this blog. As a result of this judgment, invalidating the Data Retention Directive, many Member States which had put in place data retention obligations on the basis of the Directive, were confronted with the question whether these data retention obligations were compatible with the right to privacy and the right to protection of personal data, guaranteed by Articles 7 and 8 of the EU Charter of Fundamental Rights (Charter). Hence, without a whisper of a doubt, several national legislators eagerly await the outcome of these joined cases, in the hope to get more guidance as to how to apply Digital Rights Ireland concretely to their national legislation. The large number of Member States intervening in the joined cases clearly shows this: in addition to Sweden and the UK, no less than 13 Member States submitted written observations. The AG’s opinion is a first – important – step and thus merits a closer look.

National and European shock waves after Digital Rights Ireland

The Digital Rights Ireland case was ground-breaking in many respects, and caused a real shock effect across the EU. As a result of the CJEU ruling, national data retention legislation was invalidated in several Member States. For instance, the District Court of The Hague struck down the Dutch national data retention legislation on 11 March 2015, and shortly afterwards, on 11 June 2015, the Belgian data retention law was annulled by the Constitutional Court, which largely copy-pasted the CJEU’s reasoning. This situation creates great uncertainty about the further potential use of traffic and location data of electronic communications in national and transnational criminal investigations (see eg the Workshop on data retention organized by the Consultative Forum and the Luxembourg Presidency), especially because such data are used in an increasingly large number of criminal cases, not just as incriminating, but also as exculpatory evidence.

In other Member States, the legislator very quickly launched the process for amending the national data retention legislation. For instance, in the UK, the Data Retention and Investigatory Powers Act was adopted only three months after the CJEU’s ruling. By contrast, in Luxembourg, which has invested significantly in the digital economy in the last few years while also emphasizing the importance of the protection of privacy and personal data, the legislative process kicked off in January 2015 but has still not resulted in new legislation.

At the European level, the legislator has so far shown little appetite to adopt a new Data Retention Directive, despite some attempts of the Luxembourg Presidency in the Autumn of 2016 to initiate such legislative process, or at least to stimulate the discussion. This should not come as a real surprise. On the one hand, the CJEU has been very active in the field of data protection over the last two years, addressing a large number of questions and raising new ones (some of which have been discussed previously on this blog: see here, here and here). On the other, the EU was already busy tackling other urgent and delicate data protection issues, such as the adoption of the new General Data Protection Regulation, repealing Directive 95/46/EC, and the Data Protection Directive with respect to the processing of personal data for criminal investigations, repealing Council Framework Decision 2008/977/JHA, and the negotiations and adoption of the new Umbrella Agreement with regard to EU-US law enforcement cooperation.

Short background to the cases

Immediately after the Digital Rights Ireland ruling, Tele2 Sverige AB (a provider of electronic communications) notified  the Swedish competent authority that it would no longer comply with the Swedish national data retention obligations as it considered those obligations were not meeting the CJEU’s conditions. This decision obviously caused great concern for the national authority, ordering Tele2 Sverige to resume its retention of data. Yet, Tele2 Sverige persevered and appealed this order before the Administrative Court in Stockholm and subsequently before the Administrative Court of Appeal, which referred the matter for a preliminary ruling to the CJEU. (Opinion, §§ 50-55)

In the meantime in the UK, the 2014 Data Retention and Investigatory Powers Act was challenged before the High Court of Justice of England and Wales and declared invalid on 17 July 2015, because the data retention regime did not provide for adequate safeguards in order to protect the right to privacy and the right to protection of personal data laid down in the Charter. In other words, the UK data retention regime did not comply with the conditions put forward by the CJEU in Digital Rights Ireland. However, the Home Secretary appealed this judgment and the Court of Appeal decided to refer two questions to the CJEU for a preliminary ruling. (Opinion, §§ 56-60)

Questions submitted to the CJEU

Interestingly, the approach of both referring courts is quite different, as results clearly from the way they formulate their respective questions for the CJEU.

The Swedish referring court asks the CJEU, first of all, whether

a general obligation to retain data in relation to all persons and all means of electronic communication and extending to all traffic data, without any distinction, limitation or exception being made by reference to the objective of fighting crime (…) [is] compatible with Article 15(1) of Directive 2002/58, taking into account Articles 7, 8 and 52(1) of the Charter?’ (Opinion, § 55)

Should such a general data retention obligation not be compatible with the Charter, could a data retention obligation then nevertheless be compatible with the Charter if the access of the competent authorities to the retained data is regulated as it is under Swedish law, if the protection and security of the data are regulated as they are under Swedish law, and if all relevant data must be retained for a period of 6 months before being erased, as imposed by Swedish law?

By contrast, the Court of Appeal of England and Wales is of the view that the CJEU did not set out ‘specific mandatory requirements of EU law with which national legislation must comply, but was simply identifying and describing protections that were absent from the harmonised EU regime.’ (Opinion, § 59)

Nevertheless, to be absolutely sure, it asks the CJEU to clarify this point:

Does the judgment of the Court of Justice in Digital Rights Ireland (including, in particular, paragraphs 60 to 62 thereof) lay down mandatory requirements of EU law applicable to a Member State’s domestic regime governing access to data retained in accordance with national legislation, in order to comply with Articles 7 and 8 of the [Charter]?’ (Opinion, § 60)

Furthermore, the Court of Appeal would like to know whether Digital Rights Ireland expands the scope of Articles 7 and/or 8 of the Charter beyond that of Article 8 of the European Convention of Human Rights (ECHR), as interpreted by the European Court of Human Rights (ECtHR). Put differently, the referring court wonders whether the level of protection offered by the Charter is higher than that under the ECHR.

The AG’s opinion

The latter question raised by the Court of Appeal in the UK case should be rejected as inadmissible according to the AG, because it is only ‘of purely theoretical interest’ (§ 82) and not ‘relevant to the resolution of the disputes’ (§ 75). Even if the Court would want to address the question, EU law does of course not prevent the Court (or the legislator) from going beyond the protection offered by the ECHR (§ 80). On the contrary, in my view it may be quite desirable to go beyond the minimum safeguards guaranteed by the ECHR, and not just with respect to Article 8. Unfortunately, EU legislation – for instance also with respect to procedural safeguards in criminal proceedings – does not pass, or barely passes, the minimum level of protection granted by the ECHR (see, for instance, the analysis on this blog regarding the recently adopted Presumption of Innocence Directive).

Subsequently, the AG addresses the first question of the Swedish referring court, regarding the compatibility of a general data retention obligation with Article 15(1) of Directive 2002/58/EC (the Directive on privacy and electronic communications) and Articles 7 and 8 of the Charter. In a first step, the AG affirms that a general data retention obligation falls within the scope of Directive 2002/58/EC, despite the exclusion of State activities relating to criminal law by Article 1(3) of the Directive. Indeed, it is not because the data retained can be accessed and used by police and judicial authorities for criminal investigations that the data retention rules, which address private actors providing electronic communications services (service providers), would themselves be excluded from the scope of the Directive (§§ 87-97). Next, the AG scrutinizes whether the possibility offered by Article 15(1) of Directive 2002/58/EC to restrict the rights and obligations of the Directive allows for the creation of a general data retention regime by national law. Unlike some of the civil liberties organisations intervening in the joined cases, the AG considers that the wording of Article 15(1) of Directive 2002/58/EC (‘Member States may, inter alia, adopt legislative measures providing for the retention of data for a limited period’) indicates that data retention obligations are not, as such, inconsistent with the Directive. The same goes for general data retention obligations, yet only if they ‘satisfy certain conditions’ (§ 108). Recital (11) of the Directive confirms this as it states that the Directive

does not alter the existing balance between the individual’s right to privacy and the possibility for Member States to take the measures referred to in Article 15(1) of this Directive, necessary for the protection of public security (…) and the enforcement of criminal law.

Hence, it

does not affect the ability of Member States to carry out lawful interception of electronic communications, or take other measures, if necessary for any of these purposes and in accordance with the [ECHR]

provided that those

measures [are] appropriate, strictly proportionate to the intended purpose and necessary within a democratic society and (…) subject to adequate safeguards in accordance with the [ECHR].

In sum, what matters, is that (general) data retention rules meet certain requirements, which ensure striking an acceptable balance between the purposes pursued by those rules and the individual’s fundamental rights. These rights are not just the ones laid down in the ECHR, but also the ones of the Charter as data retention rules ‘constitutes a measure implementing the option provided for in Article 15(1) of Directive 2002/58’ (§ 121). In other words, national legislation encompassing data retention obligations are ‘governed’ by EU law, which triggers the application of the Charter, as the CJEU clarified in the Åkerberg Fransson case (discussed on this blog) and refined in later case law (eg Siragusa, also analysed on this blog, and Julian Hernández and others, §§ 32-49). By contrast, whether the Charter also applies to the national rules determining under what conditions police and judicial authorities can access the retained data is less obvious, because Directive 2002/58/EC does not cover ‘activities of the State in areas of criminal law’ (Art. 1(3)). While the AG is inclined to conclude that the Charter does not apply to those rules (§§ 123-124), he also stresses that

the raison d’être of a data retention obligation is to enable law enforcement authorities to access the data retained, and so the issue of the retention of data cannot be entirely separated from the issue of access to that data. As the Commission has rightly emphasised, provisions governing access are of decisive importance when assessing the compatibility with the Charter of provisions introducing a general data retention obligation in implementation of Article 15(1) of Directive 2002/58. More precisely, provisions governing access must be taken into account in the assessment of the necessity and proportionality of such an obligation.’ (§ 125, emphasis)

In other words, does this mean that the Charter indirectly applies to national rules regulating the access to the retained data? It will be interesting to see if and how the CJEU addresses this point, adding another piece to what Benedikt Pirker described on this blog as ‘the jigsaw puzzle of earlier decisions on the scope of EU fundamental rights’.

This brings the AG to the biggest and most tricky questions submitted for a preliminary ruling, combining the second question of the Swedish court and the first question of the Court of Appeal, concerning the conditions national legislation should respect when creating a general data retention obligation. Without a doubt, general data retention obligations constitute a serious interference with the right to privacy (Article 7 of the Charter) and the right to the protection of personal data (Article 8 of the Charter) (§ 128). So the crucial question is whether such interference may be justified and on what conditions (§ 129).

Based on a reading of Article 15(1) of Directive 2002/58/EC and Article 52(1) of the Charter, the AG identifies six cumulative conditions that must be met to justify the serious interference caused by a general data retention obligation:

–        the retention obligation must have a legal basis;

–        it must observe the essence of the rights enshrined in the Charter;

–        it must pursue an objective of general interest;

–        it must be appropriate for achieving that objective;

–        it must be necessary in order to achieve that objective;

–        it must be proportionate, within a democratic society, to the pursuit of that same objective.’ (§ 132)

While most of these requirements were already put forward by the CJEU in Digital Rights Ireland, when evaluating the legal regime laid down in the Data Retention Directive, the AG nevertheless wishes to revisit them, ‘[f]or the sake of clarity and given the facts which distinguish the present cases from Digital Rights Ireland’ (§ 133). In particular, he wants to have a closer look at the requirement of a legal basis (which was not addressed in Digital Rights Ireland) and the necessity and proportionality of data retention obligations in a democratic society.

The first requirement, imposing the need for a legal basis, should be interpreted in light of Article 52(1) of the Charter, stating that limitations to the rights of the Charter should be ‘provided for by law’ – a phrase that resonates the wording of the ECHR (‘in accordance with the law’, Article 8 ECHR) and the case law of the ECtHR (§ 141) – as well as in light of Article 15(1) of Directive 2002/58/EC. As a result, a regime of general data retention should be established on the basis of measures adopted by a legislative authority, that are accessible and foreseeable while offering adequate protection against arbitrary interference with the rights of privacy and data protection (§ 153). That being said, considering the differences in the various language versions of Article 15(1) of Directive 2002/58/EC (§§ 145-147), the AG acknowledges that regulatory measures adopted by an executive authority might also suffice, although he would personally prefer to give the executive authority only the responsibility of implementing the measures adopted by the legislative authority (§§ 152-153).

Second, any general data retention regime should observe the essence of the rights enshrined in Articles 7 and 8 of the Charter, as the CJEU also highlighted in Digital Rights Ireland. As long as the national data retention obligations do not concern the content of the electronic communications and as long as they provide for safeguards that ‘effectively protect personal data’ retained by service providers ‘against the risk of abuse and against any unlawful access and use of that data’ (§ 159), this requirement does not seem to create particular problems in the cases submitted to the CJEU.

Third, the interference with the rights to privacy and data protection caused by a general data retention obligation can only by justified if the latter pursues ‘an objective of general interest recognised by the European Union’. As the CJEU pointed out in Digital Rights Ireland, the objective to fight serious crime (such as international terrorism) is definitely recognized by EU law; Article 6 of the Charter does not only warrant the right to liberty, but also the right to security. Yet, whether data retention obligations are also justifiable, more generally, to combat ordinary crime, or even in proceedings other than criminal proceedings, as the UK government argues in its submission before the CJEU, is much less obvious. It should be acknowledged that limitations allowed for by Article 15(1) of Directive 2002/58/EC are not confined to ‘serious crime’. Indeed, this provision allows Member States to adopt restrictions that are necessary, appropriate and proportionate within a democratic society ‘to safeguard national security (i.e. State security), defence, public security, and the prevention, investigation, detection and prosecution of criminal offences’. Nevertheless, in the AG’s view, the interferences caused by a general data retention regime are so serious that the fight against ‘ordinary offences and the smooth conduct of proceedings other than criminal proceedings’ are not ‘capable of justifying a general data retention obligation’ considering the ‘considerable risks that such obligations entail’ (§§ 172-173).

Moving forward, the AG evaluates the proportionality of general data retention obligations, which he splits up in three separate (sub-)requirements: are they appropriate (fourth requirement) as well as strictly necessary (fifth requirement) to achieve the aforementioned objective of fighting serious crime and proportionate in a democratic society (sixth requirement). Like the CJEU in Digital Rights Ireland, the AG sees no obstacle in the appropriateness of general data retention obligations to fight serious crime (§ 177). He even insists on the usefulness of such data, which allow police and judicial authorities to ‘examine the past’, even with respect to persons who were not suspected of a serious crime at the time of the electronic communications (§§ 178-181). Considering the current safety threats and the numerous terrorist attacks that took place after the Digital Rights Ireland judgment, any other viewpoint would have surprised.

Next, the AG addresses the fifth requirement: are general data retention obligations really (ie strictly) necessary to combat serious crime? This requirement unfolds in two questions. For one, is a general data retention obligation strictly necessary, or on the contrary, does it go ‘beyond the bounds of what is strictly necessary for the purposes of fighting serious crime, irrespectively of any safeguards that might accompany such an obligation’ (emphasis added)? For another, if a general data retention does not exceed what is strictly necessary, ‘must it be accompanied by all the safeguards mentioned by the Court in paragraphs 60 to 68 of Digital Rights Ireland’ (§ 189).

As regards the first of these two questions, the AG adheres to the point of view that most parties (in particular the Member States) took in their written submissions:  a general data retention obligation as such does not exceed the limits of strict necessity. According to the AG, paragraphs 56 to 59 of Digital Rights Ireland should indeed be interpreted as meaning that a general data retention obligation does not pass the strict necessity test but only if ‘it is not accompanied by stringent safeguards concerning access to the data, the period of retention and the protection and security of the data’ (§ 195, original emphasis).

One may wonder whether this is a correct reading of the CJEU’s judgment, which emphasized that the Data Retention Directive required the retention of all traffic data relating to all means of electronic communications and regarding all persons (‘practically the entire European population’), ‘without any differentiation, limitation or exception being made in light of the objective of fighting against serious crime’ (§§ 56-57). That being said, as some governments pointed out, if the Court would have considered that a general data retention obligation by itself exceeds the threshold of what is strictly necessary, then why did it bother to spell out in the subsequent paragraphs the safeguards that should apply? The upcoming judgment will undoubtedly tell us which interpretation is the right one.

Furthermore, the AG insists on the fact that national courts will have to assess whether there are no equally effective and less restrictive means available in the national system to achieve the same goal as a general data retention obligation (§§ 206-215), thereby passing on a difficult but very important balancing exercise to the national courts.

Assuming a general data retention obligation is strictly necessary, then all the safeguards put forward by the CJEU in Digital Rights Ireland (§§ 60-68) should respected by national law. Any other approach which would allow for a further balancing exercise between the different safeguards (as, for instance, the German government suggested, using the metaphor of ‘communicating vessels’) would, according to the AG, empty those safeguards of their practical effect (§§ 221-227). This means that national data retention rules should

1) make sure that the ‘access to and the subsequent use of the retained data [are] strictly restricted to the purpose of preventing and detecting precisely defined serious offences or of conducting criminal prosecutions relating thereto’ (§ 229);

2) make the access to those data ‘dependent on a prior review carried out by a court or by an independent administrative body’ in order to assess the strict necessity of the access and subsequent use of the data (§ 232);

3) require service providers ‘to retain data within the European Union, in order to facilitate the review’ and to make sure that the EU safeguards apply (§§ 238-240), and

4) limit the retention period in function of the usefulness of the data (§ 242).

While it is again for national courts to evaluate whether the safeguards provided for by national law are sufficient, the AG does not hide his opinion that both the Swedish and the UK regime reveal a number of deficiencies in this respect (§§ 230, 233 and 239).

Sixth and last, the AG emphasizes the need to evaluate the ‘proportionality stricto sensu’ of a general data retention obligation, which consists in weighing the advantages and disadvantages of such an obligation within a democratic society (§ 248). Once more, the AG argues this is a task for national courts, but he nonetheless points out that a general data retention obligation entails a considerable risk of mass surveillance (§ 256). Based on an analysis of a large amount of (meta-)data, authorities could easily find as much, or even more, about an individual as they can by means of targeted surveillance measures, including the interception of content data (§§ 254 and 259). Unlike the content of communication, meta-data ‘facilitate the almost instantaneous cataloguing of entire populations’ (§ 259). If one just considers the large amount of requests service providers in Sweden and the UK receive from the competent authorities, one realizes that the risk of abusive or illegal access to the retained data is far from ‘theoretical’ (§ 260).

Some first thoughts

As the above analysis suggests, the AG’s opinion offers a lengthy and mitigated assessment of the six cumulative requirements that general data retention obligations under national law should meet. Some of these requirements (eg the requirement of a legal basis) can easily be fulfilled. Yet others will raise many problems for national legislators when delineating the domestic data retention framework.

For instance, the requirement that general data retention obligations must pursue ‘an objective of general interest recognised by the European Union that is capable of justifying a general data retention obligation’ will undoubtedly raise many problems at the national level. Is the fight against serious crime indeed the only acceptable objective? For sure, the ‘material objective’ of the Data Retention Directive was ‘to contribute to the fight against serious crime and thus ultimately to public security’, which made the CJEU decide that the Directive satisfied an objective of general interest (Digital Rights Ireland, §§ 41-44). But does this mean, as the AG advocates, that it is the only possible justifiable objective for national data retention obligations, considering the seriousness of the interferences with the right to privacy and the right to protection of personal data? Furthermore, assuming it is, what offences are sufficiently ‘serious’ to justify a general data retention obligation? In Digital Rights Ireland, the CJEU explicitly stated that this is to be ‘defined by each Member States in its national law’ (§ 41). Yet, the AG suggest a different approach, by stressing that it should be ‘an objective of general interest recognized by the European Union’. Hence, how much leeway do Member States have? If an EU-wide understanding of the label ‘serious crime’ is to be preferred, would the list of Eurocrimes (which are in fact broad categories of crimes) in Article 83(1) TFEU then be of sufficient guidance?

Another concern of police and judicial authorities, which national legislators will want to take into account, is that what starts out as a simple, ‘ordinary’ criminal case, may very well turn out to be much more ‘serious’ in a later stage of the investigation. It may not be so easy to reconcile this concern with the safeguard to limit the data retention period in light of the usefulness of the data, ie considering the objective pursued or according to the persons concerned.

One may also wonder whether the AG’s opinion provides as much clarity as national legislators hope to get from the CJEU. Many issues will still need to be addressed by national legislators (eg to design safeguards that pass the Digital Rights Ireland test) and national courts (eg to evaluate whether there are no less restrictive alternatives than a general data retention obligation and whether the risk of mass surveillance does not outweigh the benefits offered by a general data retention obligation).

For sure, this is only a first reflection. Further reflection will undoubtedly follow after the Grand Chamber of the CJEU will have rendered its ruling. In the meantime, national legislators will have to be patient and uncertainty will persist about the potential use in criminal proceedings of traffic and location data retained on the basis of a general data retention obligation.