Reconsidering the blanket-data-retention-taboo, for human rights’ sake?

Belgian Constitutional Court offers CJEU chance to explain its puzzling Tele2 Sverige AB-decision

By Frank Verbruggen, Sofie Royer, and Helena Severijns

Compulsory retention, by ICT-providers, of all non-content user and traffic data, to ensure that that data will be available for subsequent use by law enforcement or intelligence, has been a controversial issue in the EU for several years now. On 19 July 2018 the Belgian Constitutional Court requested a preliminary ruling from the CJEU. Basically, it asks the EU Court to further clarify its earlier case law. The Belgian constitutional judges indicate that they find some aspects of the CJEU’s previous decisions puzzling and they also offer a new angle by explicitly linking the matter to the positive obligations of member states under the European Convention on Human Rights. The implied suggestion seems that the CJEU did not give those obligations enough weight when it found blanket data retention obligations disproportionate.  

  1. 2006 Directive annulled by CJEU in ‘Digital Rights Ireland’ (2014)

For detectives, communication and location data, from which they can deduce past correspondence partners or individuals’ whereabouts at specific moments, have become a key source of information. Article 15(1) of Directive 2002/58/EC (also called ePrivacy Directive) allowed member states to enact data retention legislation, without making it compulsory. To assure that such data would be available for law enforcement in all member states, the EU adopted in 2006 Directive 2006/24/EC which harmonised the data retention obligations of providers of electronic communication and networks. In its landmark decision Digital Rights Ireland (previously discussed on this blog) the CJEU found the Directive incompatible with the Charter of Fundamental Rights of the European Union (CFREU): ‘By adopting Directive 2006/24, the EU legislature has exceeded the limits imposed by compliance with the principle of proportionality in the light of Articles 7, 8 and 52(1) of the Charter’ (para. 69).

The decision sparked jubilant reactions from Big Brother-fearing NGO’s and academics. Law enforcement agencies, intelligence services and governments reacted with disappointment verging on disbelief and sometimes even outright anger. Nuanced, yet optimistic academics[i] tried to bridge the gap by pointing out that the CJEU had not prohibited data retention as such. On the contrary: albeit under strict conditions that definitely had not been met by the Directive (para. 69).

After the annulment of the 2006 Directive, the European Commission decided not to take any initiative for a new one. That implied that the matter was left to the member states, which could rely on the exemption in Article 15(1) of the ePrivacy Directive. Member states rewrote their legislation, taking into account the hints and reasoning of the CJEU in Digital Rights Ireland, but there was never any doubt that those new laws would also be challenged. Article 15(1) itself referred to the fundamental principles of EU-law and the annulment in Digital Rights Ireland was directly based on the CFREU. Hence, national legislation based on the ePrivacy Directive was obviously likely to face the same post-Digital-Rights-Ireland-scrutiny by the CJEU.

  1. Member State Data Retention Legislation Incompatible with EU Law: ‘Tele2 Sverige AB and Watson’ (2016)

Indeed, the CJEU did not have to wait long for member states’ judges to request preliminary rulings on national data retention regimes. In its decision Tele2 Sverige AB and Watson, it found Swedish and British legislation incompatible with EU law.

If, using a boxing metaphor, Digital Rights Ireland had data retention legislation in the ropes, Tele2 Sverige AB and Watson really had it down on the canvas. Now everyone is counting to ten to see whether it is a definitive knock-out or whether data retention somehow manages to pull itself together and get to its feet again. There are already questions pending at the CJEU from the Provincial Court in Tarragona, Spain and the UK Investigatory Powers Tribunal. On 19 July 2018, the Belgian Constitutional Court also decided to ask some interesting questions.

Belgium’s first law on compulsory data retention had been struck down in 2015 by the Belgian Constitutional Court, in a judgment that almost copy-pasted Digital Rights Ireland. A new version of the law, enacted on 29 May 2016, quickly tried to solve the problems identified by the Constitutional Court. The Belgian federal government had sponsored the Bill and it was, already during the drafting process, very explicit that it tried to heed some of the suggestions made by the CJEU in Digital Rights Ireland. But it also admitted that it had found it hard, and in some respects impossible or pointless, to follow all of them. The government’s frustration reached a fever pitch when Tele2 Sverige AB decision explicitly banned blanket retention.

  1. Belgian Law Challenged: Debate on the Interpretation of Tele2 Sverige AB

Belgium’s Constitutional Court faces a fresh series of requests for the annulment of the ‘unconstitutional’ data retention legislation, filed by NGO’s and some professional associations. The latter felt that their fundamental right to secrecy and privileged communication had been violated, because no exceptions were made for the communications of lawyers, medical doctors or tax consultants.

It was no surprise that the Constitutional Court’s 76 page decision of 19 July 2018 contained extensive references to or quotations from the CJEU’s decisions and the opinions of the Advocates General in Digital Rights Ireland and Tele2 Sverige AB. The Belgian constitutional judges diagnosed the debate between those who challenged the 2016 law and the government who defended it as a clash of different interpretations of Tele2 Sverige AB.

The challengers pointed out that after Tele2 Sverige AB there could be no doubt that compulsory retention of all data related to all people (so-called blanket data retention) was as such, by definition, disproportionate. The CJEU would only allow data retention for preventive purposes in respect of specific groups and/or specific geographic areas with clear links to the purpose of data gathering: the fight against very serious crime and terrorism. Even for ‘targeted retention practices’, the petitioners stated, enough guarantees should be offered by law and – according to – privileged professionals should get an overall exemption, or at least extra protection against the retention of metadata. The extra guarantees mentioned by the CJEU therefore only refer to ‘focused’, ‘limited’ retention duties. Blanket retention would be impossible because Article 15(1) ePrivacy Directive makes data retention the exception which has to be interpreted strictly. A generalised gathering obligation would turn that exception into the rule. It would therefore still be possible to order data retention in relation to a group of suspects or suspect communication tools or systems, in relation to and for the duration of a major event (sports, high profile or controversial visitors, concerts…). Even that kind of data gathering would be subjected to strict legal rules and control mechanisms.

The Belgian government, on the other hand, had its own reading of Tele2 Sverige AB. The CJEU had listed a number of shortcomings in the data retention rules which, taken together, made the whole system disproportionate in its infringements of privacy and data protection rights. The Belgian government claimed that it was wrong to single out one of the elements in the list of shortcomings (for instance, the blanket nature of the retention) and decide that it, in itself, irremediably rendered the practice incompatible with the CFREU (Judgment Belgian Constitutional Court of 19 July 2018, para. A.10.4). The challengers of the 2016 law, by contrast, made reference to the opinion of the Advocate General in in Tele2 Sverige AB, stating that the requirements set out in Digital Rights Ireland were mandatory, cumulative and minimal (para. A.9.3).

  1. Having the Data for Future Retroactive Use, Not Just for Terrorism or Serious Crime

The Belgian government suggests that the CJEU has not fully gripped the key feature of data retention laws as an addition to the already existing measures of focused, targeted gathering of data in the present or future. It is there to make sure data from the past will still be available for (targeted) access. When a previously unknown person drives a truck or van into tourists in Nice or Barcelona or another one dies in what at first impression had seemed a gas explosion, the authorities will try to go back and find out whom they talked with, where they have been, who rented the van etc. When a school child attempts suicide after having been bullied, or when its mother’s private pictures are spread through social media, law enforcement wants to be sure the electronic traces that can help to identify or locate the perpetrator, will still be there. If a 15-year-old has gone missing, locating the mobile phone, the last activities and contacts through electronic communication will be crucial leads in the effort to find him or her. If a body is found after some weeks and a suspect is identified after yet another few weeks, investigators should be able to control the whereabouts, alibi or communications in the period surrounding the alleged offence.

In the procedure before the Constitutional Court, the Belgian government insisted that you cannot know in advance which data you will need. That is why it deems it impossible to limit the gathering to defined groups or areas (Judgment 19 July 2018, para. A.5.12). It even suggests that the definition of ‘target groups’ at the moment of gathering is likely to be (perceived as) discriminatory (paras A.8.3 and A.13.3). Immediately excluding all data related to lawyers, doctors or other privileged groups would be unfair, as they can also perpetrate offences or be victimised (para. A.5.7). Hence, the Belgian law maintains the obligation to make sure that all data will be retained (blanket retention), but only a very small portion of that data will actually be open to law enforcement requests or orders when the need arises. The only limitation on the gathering of these non-content data is a temporal one. In principle, the maximum term is 12 months.[ii] The other human rights guarantees will therefore be available in the strict regulation of access and use. Only for the more serious offences or threats the authorities will be able to go back in time for 12 months. Regarding traffic data, they relate to the terrorist offences as defined by the Belgian Criminal Code. For access to data which might endanger legal or medical privilege, some extra guarantees are built in. Traffic data, for instance, can only be accessed if the lawyer or medical doctor is suspected of having committed an offences punishable by at least one year of imprisonment, or an offence committed within the framework of a criminal organisation, or if third persons are suspected of having committed such an offence, using their communication means. Moreover, the president of the bar council needs to be informed. Data covered by the privilege will not be included in the written report.[iii]

The Belgian authorities thus strongly defend the rule that all data are kept, but only specific data will be accessed upon procedures with (some) guarantees. It is worthwhile noting that this rule also applies to access by intelligence services, which in Belgium are subject to quite strict regulations and quasi-judicial control.

In its decision of 19 July 2018, the Belgian Constitutional Court decided to send three questions to the Court of Justice. First, it asks whether a general data retention obligation that is provided with storage and and access safegards, can be compatible with EU law, when it is not only aimed at fighting serious crime, but also intended to safeguard national security, defence, public security, and to prevent, investigate, detect and prosecute other criminal offences. Second, the Court asks the same question as regards data retention legislation that would enable the state to fulfill its positive obligations to identify perpatrators of sexual child abuse, when they made use of electronic communication means, in order to effectively investigate and prosecute these crimes. If the Court of Justice should come to the conclusion that the Belgian legislation violates EU Law, the Constitutional Court finally asks whether the consequences of the 2016 law can be maintained, in order to enable the further use of previously stored data, so that legal incertainty can be avoided.

As such, the contested Belgian legislation might seem less invasive than the UK legislation at issue in the Reference for a preliminary ruling from the Investigatory Powers Tribunal – London (United Kingdom) made on 31 October 2017 in the case of Privacy International v. Secretary of State for Foreign and Commonwealth Affairs and Others. The UK intelligence community states that it actually needs the bulk data, albeit only those related to cross-border communication, i.e. that it has to analyse all the data to detect and find threats. That has a far bigger ‘Big Brother ring’ to it, but on the other hand the UK has traditionally adopted a stricter regime on the use of intelligence data: they cannot be used as evidence in criminal cases. Still, it would be quite remarkable if the CJEU accepted the UK’s arguments while finding the Belgian law in violation of EU law.

Interestingly, all three member states which have made requests for a preliminary ruling in the aftermath of Tele2 Sverige AB – the UK, Spain and Belgium – stress that data retention is not just needed for serious crime or terrorism. The Belgian government, for instance, pointed out that the finding of missing persons (even when there is no suspicion of a criminal offence, for instance missing minors or mentally ill) might require access to the data. Emergency call handlers and authorities dealing with nuisance or abuse calls also profit, albeit that the access will be very specific and limited. The government even added that the invasion of privacy might favour not only victims, but also some suspects (para. B.20.1). One can indeed think of situations where access to past data will allow the authorities to check or confirm whereabouts, to identify witnesses which could confirm their alibi, to establish that a suspect’s computer system was tampered with, etc. Since CJEU stated in Tele2 Sverige that EU law precluded ‘national legislation which, for the purpose of fighting crime, provides for general and indiscriminate retention,’ other purposes are stressed by the Belgian government. Moreover, the ePrivacy Directive does also list other goals: to safeguard national security (i.e. State security), defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system, as referred to in Article 13(1) of Directive 95/46/EC (meanwhile repealed by the GDPR).

It remains to be seen whether the proportionality test used by the CJEU will be affected by these considerations. Those who challenged the Belgian law, using quotes from the Tele2 Sverige AB decision, seem confident that if even terrorism and organised crime cannot justify blanket retention, a fortiori minor offences or issues cannot.

  1. Positive Human Rights Obligation to Create Data Retention Legislation?

The most interesting aspect in the Belgian discussion is the use of human rights as an argument in favour of data retention. As it appears from the well-established case law of the European Court of Human Rights (‘ECtHR’), data retention and law enforcement access to that data can be necessary to ensure the effective protection by the member states of certain fundamental rights, especially with respect to (vulnerable) victims of crime. The ECtHR also seems to accept certain forms of bulk data gathering by States for the purposes of surveillance, as its 19 June 2018 decision in the Centrum för Rättvisa v. Sweden case has shown. This does, however, not mean anything is acceptable: in the recent Big Brother Watch a.o/United Kingdom case (discussed on this blog), the ECtHR decided that the UK legislation on bulk interception and the regime for obtaining communications data from communications service providers violated both Articles 8 and 10 ECHR.

Whereas economic freedoms and competition were at the heart of the historic case law of the CJEU, over the last decades and especially in the 21st century, the Court of Justice has insisted on the Union being built on core values, human rights, the rule of law and democracy. It becomes clear from decisions like Kadi and Al-Bakaraat (even the UN Security Council cannot simply override core EU fundamental rights), the advisory opinion on the accession of the EU to the ECHR (discussed previously on this blog), and from its concerns regarding the rule of law in Poland, accepting the refusal of mutual recognition if another EU member states does not respect judicial independence (for an analysis of the Opinion of Advocate General Tanchev in this case, see here). Some values may be accepted globally (at least in theory), other fundamental rights and especially their interpretation and power to limit the freedom of legislators and governments, are distinctly ‘European’. The refusal of the death penalty is one of them[iv], but nowadays privacy and data protection are probably the flagship. The CJEU has shown it is willing to play hardball in many sensitive cases: PNR (discussed here), Google Spain (discussed here), Schrems (discussed here), etc. Digital Rights Ireland and particularly Tele2 Sverige AB were yet another strong statement of the Court, especially after the Snowden and other revelations had shown that governments had secretly been eroding most of the fundamental privacy and data protection guarantees.[v]

With its first question (supra) the Belgian Constitutional Court somehow asks the CJEU whether, in its eagerness to stress data protection and the protection of privacy as a core EU value, it may perhaps have overstated its case. Should blanket data retention be banned whatever the interests are and even if strict storage, access and use regimes mitigate the impact on privacy and data protection?

That blanket data retention might be necessary because of (positive) human rights obligations of the member states under the ECHR, is a nice way to alter the framing of the problem. From a vertical conflict, between the authorities and the citizen who has to be protected against the massive powers, it becomes a horizontal conflict, in which one person’s human right might be infringed as the price to protect another person’s human rights. The ECtHR has insisted that positive obligations of member states are important for those individual rights to be effective. And effectiveness is of course also a key concept in the CJEU case law. The Belgian Constitutional Court refers to the decision in K.U. v. Finland, in which the ECtHR explicitly told member states to prioritise the protection of minors against (sexual) bullying over the protection of privacy of internet users. That seems difficult to render compatible with the blanket ban on data retention, so member states would be caught between their obligations under the ECHR and under the CFREU. The CJEU has always been keen on avoiding such situations and on adjusting its judgments to the case law of the ECtHR to the largest extent possible. Avoiding dissonance between the Luxembourg and Strasbourg Courts is so fundamental to the rule of law in the EU that it might well deserve an elegant U-turn (if Tele2 Sverige AB banned all blanket data retention per se, which is to be clarified; supra) or at least a nuance of its Tele2 Sverige AB decision (if it did not).

  1. Consequences of Illegal Gathering of Data: Exclusion of Evidence?

The answer to the final question (supra) from the Belgian Court will have an enormous practical impact if the CJEU explicitly (re)states the ban on blanket data retention: can the evidence be used in spite of the illegal gathering? Unlike the ECtHR, which has always given member states quite some leeway in the use as evidence of information gathered in violation of Article 8 ECHR, the CJEU seems to have used effectiveness as an argument for an exclusionary rule for evidence gathered in violation of fundamental rights (WebMindLicenses). It would be nice to know whether that 2015 judgment was a one off or that indeed the CJEU is willing to let some suspects walk away to underline the importance of the matter.

  1. The Privacy Downside to Completely Ditching Blanket Data Retention

It is hard to predict whether the CJEU will speak out unequivocally against any blanket data retention, drawing a clear privacy line in the sand or rather adjust its position to align the human rights standards with those set by the ECtHR. Personally we would prefer the latter. Although we agree privacy is too easily dispatched with nowadays, a complete ban on blanket data retention, regardless of the conditions for subsequent access, might have undesired side-effects.

First of all, it will be hard to deny that law enforcement often needs the data. A radical prohibition of blanket retention will make EU member state authorities increasingly dependent on (foreign) internet service providers (‘ISPs’). For commercial or technical reasons, these private corporations may keep certain data for a certain period of time (for instance Art. 122 Law on electronic communications, Art. 5(1) ePrivacy Directive). However, that will not necessarily be all the data law enforcement needs, as the commercial interests of the ISPs differ from the forensic ones of law enforcement. Ironically, public authorities would profit from the industry keeping more data than necessary. The ban on blanket retention would create a disincentive for governments to support their DPA’s strict enforcement of data protection law, which often implies (Art. 6(1) and 6(2) ePrivacy Directive) prompt deletion of data. One could say that such a privacy-oriented policy is principled, but it might be counterproductive and therefore not exactly a smart policy for the era of ‘smart technology’.

Another concern is that an EU-law-taboo on general data retention will also increase the dependence of intelligence agencies, especially those of small countries like Belgium, on information of foreign services that might not (or no longer) be bound by EU law or choose not to abide by it, for instance US, post-Brexit-UK or Israeli services which are important partners in the fight against terrorism and the so-called foreign fighters. Again, even if the human rights and accountability concerns behind the outright banning of blanket data retention are sincere, the remedy might be worse than the illness. Belgium has chosen to regulate data retention for both intelligence and law enforcement together in a single law. Should the CJEU inspire the Constitutional Court to annul the law, both would suffer. Whether a national data retention obligation for intelligence purposes only would be possible, is a very interesting question, as the matter of national (‘internal’) security is explicitly excluded from the realm of Union law (Art. 72 TFEU, recital 11 and Art. 15(1) ePrivacy Directive, recital 16 in the preamble to the GDPR) and therefore beyond the protection of the CFREU.  Meanwhile, it will be interesting to see what the CJEU answers to the UK questions on the analysis of bulk data by intelligence services.

Finally, data retention regimes like the Belgian one oblige ISPs to keep and protect the data, while strictly regulating the access to that data by a restricted group of compliance officers within the corporation on the one hand, and by law enforcement authorities on the other hand. This set-up avoids the storage of bulk data in a single, central government-run database Consequently, in the event of data leaks or hacking, compromising the integrity of the data, the damage will be more limited and easier to contain.

  1. Conclusion

The CJEU seemed adamant when it ruled against blanket data retention. However, it limited its judgment to data retention for the purpose of fighting crime. If blanket data retention could exist for reasons of national security falling outside the scope of EU law, the answer to the first question of the Tele2 Sverige AB decision is in vain and blanket data retention continues to exist. The question would consequently shift to the access to the data by law enforcement authorities. If it comes to that, the CJEU would do better to focus on guarding the rules on access to data that are already retained.

[i] J. KÜHLING and S. HEITZER, “Returning through the national back door? The future of data retention after the ECJ judgment on Directive 2006/24 in the UK and elsewhere”, E.L.Rev. 2015, 40(2), 263-278 266; T. OJANEN, “Privacy is more than just a seven-letter word: the Court of Justice of the European Union sets constitutional limits on mass surveillance”, E.C.L. Review 2014, 10(3), 528-541 540-541; M.-P. GRANGER and K. IRION, “The Court of Justice and the Data Retention Directive in Digital Rights Ireland: telling off the EU legislator and teaching a lesson in privacy and data protection”, E.L.Rev. 2014, 39(6), 835-850, 848-849.

[ii] For identification data the starting point of this 12 months period is the latest date on which communication through the used service was possible (Art. 126 (3) Belgian law on electronic communication), resulting in a much longer retention period than 12 months as was pointed out by one of the challengers (para. A.3.4).

[iii] Art. 88bis Code of Criminal Procedure.

[iv] E. VANDEBROEK and F. VERBRUGGEN, “The EU and Death Penalty Abolition: The Limited Prospects of Judicial Cooperation in Criminal Matters as an External Policy Tool”, New J.Eur.Crim.L. 2013, 481-505.

[v] The curiousity that the Tele2 Sverige AB and Watson case was initially Tele2 and Davies is symbolicly important. David Davies, later a chief Brexiteer and minister for Brexit, actually invoked EU-law and in particular the CFREU against the UK legislation, adopted by the sovereign parliament in Westminster. Later on he was removed as an applicant from the case. One could forgive the CJEU for gloating a little over that irony and the recognition of the Charter’s value even in the eyes of some of its most outspoken critics.