National Mass Communications Data Surveillance and the Law


the spectre of Brexit casts considerable uncertainty over the exact consequences of the CJEU’s judgement for the UK Government in this area of data protection law


Answers to the questions referred by the Swedish and UK national courts to the Court of Justice of the European Union (CJEU) have been greatly anticipated by those interested in human rights and the laws governing State surveillance across the EU. Moreover, the matters at issue in the Joined Cases of Watson and Tele2 Sverige have engaged policymakers, communication service providers and human rights advocates since the Grand Chamber of the Luxembourg Court made legal history in its 2014 landmark judgement of Digital Rights Ireland.

The court proceedings and drafting of Digital Rights Ireland occurred during, and were undoubtedly influenced by, the height of the Snowden revelations and culminated in the first time an entire EU law was struck down for its incompatibility with the EU Charter of Fundamental Rights. Previously, the impugned legislative instrument in question (Data Retention Directive 2006/24/EC) had imposed a mandatory obligation on every EU Member State to ensure the mass retention of communications data (metadata) for the purpose of countering serious crime. Consequently, the fundamental rights requirements and safeguards established by the CJEU in this seminal judgement have posed a number of thorny questions for policymakers.

 

Watson and Tele2 Sverige – the legacy of Digital Rights Ireland

Arguably, the most significant question raised by Digital Rights Ireland was whether the CJEU had in fact held that the very measure of mass data retention itself was incompatible with EU fundamental rights, thereby rendering such surveillance invalid under EU law. Commentators were split in their interpretation of this aspect of the judgement. Some have advocated that Digital Rights Ireland provides that mass surveillance is an “unjustifiable infringement” of EU law. Others have disagreed but welcomed the judgement as an opportunity for ensuring greater human rights compliance in this difficult area of EU law.

Two other particularly contentious issues also arose for policymakers to grapple with. Reflecting its (mostly) conservative and stone-by-stone jurisprudential approach, the second issue concerned the omission of the CJEU to address whether the standards established in Digital Rights Ireland were limited to the review of the impugned EU Data Retention Directive or whether the requirements also applied to national laws governing mass data retention obligations. Thirdly, if the application of these standards extends to such national regimes, are Member States required to implement all of the safeguards set out by the CJEU in Digital Rights Ireland?

As these issues involve the interpretation of EU law, the constitutional courts of Member States are legally required to refer these matters to the CJEU for review. Hence, following such requests from the Swedish and UK Courts of Appeal concerning the above questions, Advocate General Henrik Saugmandsgaard Øe has published his (non-legally binding) opinion to assist the Luxembourg Court in its determination of these complex issues of EU fundamental rights and data protection law.

 

Key Observations and Recommendations by the Advocate General

1. Mass data retention is not incompatible with EU Fundamental Rights

The Advocate General expresses his main recommendation to the CJEU from early on in his Opinion that the very measure of mass data retention itself is not incompatible with EU fundamental rights. Instead, he posits that national mass data retention obligations may be deemed compliant with EU law if they are “accompanied by certain safeguards concerning access to the data, the period of retention and the protection and security of the data”.

2. Digital Rights Ireland – requirements and safeguards apply to national data retention regimes

Article 15(1) of the e-Privacy Directive 2002/58/EC provides that Member States can restrict the scope of traditional data protection safeguards and adopt national legislative measures for the retention of communications data. In agreement with the European Commission, the Advocate General contends that this provision does not constitute a derogation based on the rationale that recital 11 of the 2002 EU Directive states that the e-Privacy Directive does not affect the Member States’ entitlement to adopt the measures referred to in Article 15(1). Moreover, the Advocate General also highlights that the title of Article 15 is headed: “Application of certain provisions of Directive [95/46]” whereas Article 10 of same is entitled “Exceptions” (“Derogations” in the French language version).

Consequently, any national data retention obligations enacted pursuant to Article 15 of the e-Privacy Directive fall therefore under the scope of EU law. Accordingly, these measures are then subject to the standards of the EU Charter of Fundamental Rights which apply to Member States when they implement EU law (EU Charter, Art.51(1)).

3. Two sets of conditions must be met – as mandated by Article 52 of the EU Charter and Article 15 of the e-Privacy Directive

The Advocate General identifies six requirements that have been established under both of these provisions in order for a mass data retention obligation to be justified and therefore compatible with EU fundamental rights law:

  1. The retention measure must have a legal basis;
  2. This measure should observe the essence of the rights enshrined in the Charter;
  3. It must pursue an objective of general interest;
  4. It must be appropriate for achieving that objective;
  5. It must be necessary in order to achieve that objective;
  6. It must be proportionate, within a democratic society, to the pursuit of that same objective.

All of these requirements (with the exception of the second concerning the essence of rights enshrined in the Charter) draw from the long-established principles and safeguards of the legality, necessity and proportionality conditions required under Article 8(2) of the European Convention on Human Rights (ECHR). This reliance on the more comprehensive system of European human rights law is also demonstrated in the detailed engagement and frequent referencing to the case law of the European Court of Human Rights (ECtHR) made by the Advocate General throughout his analysis.

It is important to highlight here that EU law requires (EU Charter, Art.52) that the standards of the EU Charter must not fall below the ECHR standard when corresponding rights are in question (in this case the right to respect for private life as guaranteed under Art.7 of the EU Charter and Art.8 of the ECHR). Furthermore, given that the Strasbourg Court has examined the State surveillance of communications data and the interference posed by this covert measure to private life and correspondence since 1984 (Malone v UK), the significant role played by the ECtHR case law in this Opinion should be unsurprising.

Generally, however, the explicit reliance placed by the CJEU on the ECHR and ECtHR case law has declined significantly since the EU Charter of Fundamental Rights became part of EU law in 2009. Tensions in the relationship between the Luxembourg and Strasbourg Courts abound particularly since the former’s much criticized opinion on the EU’s accession to the ECHR (whereby the EU will then become formally subject to this international human rights treaty). Hence, the analytical approach and weight accorded to the legal authority of the ECHR within the interpretation and development of EU fundamental rights law by the Advocate General is a positive step forward in the EU’s protracted and rocky path toward accession.

Overall, the Advocate General’s Opinion draws heavily though not blindly from the landmark judgement of Digital Rights Ireland in setting out these key fundamental rights requirements. A clear example of this involves highlighting the omission of the CJEU to have formally examined the requirement of “to be provided for by law” under Article 52 of the Charter. The recommendation by the Advocate General that the Grand Chamber of the CJEU should confirm that the interpretation of this requirement must be understood in the substantive sense (rather than the formal or literal meaning of the word ‘law’) is welcome.

As is well established in the case law of the ECtHR cited by the Advocate General, the substantive ‘provided for by law’ condition (or legality test) requires that a data retention measure must have a basis in law, be clear and accessible to the individual, foreseeable in its application. Moreover the measure must also provide adequate protection against arbitrary interference and define with sufficient clarity the scope and manner of exercise of the power conferred on the relevant public authorities.

4. The essence of Article 7 of the EU Charter is not affected by mass data retention

The Advocate General observed that mass communications data retention does not “adversely affect” the essence of the right to respect for private life protected under the EU Charter on the ground that access to the content of the communication is excluded. This determination follows the approach and dearth of analysis concerning what constitutes an interference with the “essence” of the right to respect for private life by the CJEU in Digital Rights Ireland and will have disappointed human rights advocates.

Moreover, the Advocate General’s application of Article 52 of the Charter here is at odds with his subsequent analysis of the interference to private life posed by mass communications data retention. Later in the Opinion when examining the requirement of proportionality, the Advocate General notes that the use of such information (excluding content) makes it possible “to create a both faithful and exhaustive map of a large portion of a person’s conduct strictly forming part of his private life, or even a complete and accurate picture of his private identity”.

The Advocate General then proceeds to state that in the context involving either a specific individual or in the context of an interference involving many individuals: “a general data retention obligation will facilitate equally serious interference as targeted surveillance measures, including those which intercept the content of communications” (emphasis added).

Furthermore, he adds that: “I would emphasise that the risks associated with access to communications data may be as great or even greater than those arising from access to the content of communications as … metadata facilitate the almost instantaneous cataloguing of entire populations, something which the content of communications does not” (emphasis added).

Arguably, the Advocate General should therefore have recommended that the CJEU equate the level of risk to private life posed by the retention of and access to communications data with the traditional acquisition of content within its application of what constitutes an interference under Article 52 of the Charter.

Alternatively, and at the very least, the examination of this key requirement under Article 52 should warrant further engagement by the CJEU rather than perpetuate the (now outdated) legal fallacy that metadata is not considered to reveal as much as content and is thereby consequently accorded a lower level of safeguards and oversight. By not recommending either approach represents a missed opportunity to prompt the CJEU to demonstrate its capacity to provide a robust and progressive approach to the protection of fundamental rights in a rapidly evolving digital age.

5. Only the fight against serious crime is an objective in the general interest capable of justifying mass data retention

The Advocate General made his stance on this issue unequivocally clear. Within the context of the proportionality requirement under Article 52 of the EU Charter, he stressed that “[t]he considerable risks that such obligations entail outweigh the benefits they offer in combating ordinary offences and in the conduct of proceedings other than criminal proceedings”.

This is a recommendation to the CJEU of considerable significance that if adopted by the Luxembourg Court would raise questions of major law reform for Sweden and the UK. The wide scope of the relevant legislation in both countries (Law 2003:389 on electronic communications (as amended) and the UK Data Retention and Investigatory Powers Act 2014) provides that mass data retention may be permitted for the purpose of tackling ordinary crime.

6. All of the fundamental rights safeguards established in Digital Rights Ireland are mandatory

The Advocate General endorsed the approach proposed by Mr. Tom Watson and others, the Open Rights Group and Privacy International, that the minimum safeguards set out by the CJEU in their landmark 2014 judgement must all form part of a national mass communications data retention regime so that the interference with fundamental rights is limited to what is strictly necessary.

By doing so, the Advocate General rejected outright the argument from the German, Estonian, Irish, French and UK Governments that these safeguards were “merely illustrative”. Moreover, the Advocate General also dismissed the submission by the German Government that the appropriate role for these safeguards should fall within the metaphorical framework of ‘communicating vessels’. Such a framework would consist of “a more flexible approach to one of the three aspects identified by the Court (such as access to the retained data) may be compensated by a stricter approach to the other two aspects (the retention period and the security and protection of the data)”.

Three persuasive reasons underpinned his critical examination of the “pernicious” ‘communicating vessels’ framework. First, the Advocate General highlights that the jurisprudence of the CJEU Digital Rights Ireland does not envisage such an approach. In particular, the Advocate General stresses that the CJEU “made no allusion … to any possibility of ‘compensating’ a more flexible approach to one of the three aspects it identified by a stricter approach to the remaining two”. Secondly, the Advocate General pointedly observes that such an approach would only serve to “deprive” and undermine the “practical effect” of the safeguards established by the CJEU. Thirdly, he emphasizes that the safeguards in question are overall “quite minimal” and should not be difficult for Member States to implement.

7. Access to retained data must be dependent on a prior review carried out by a court or an independent administrative body

The Advocate General’s stance on the importance of this particular safeguard is nothing short of resolute. His examination of this issue begins boldly with the observation that: “I see no reason to take a flexible attitude to this requirement for prior review by an independent body, which indisputably emerges from the language used by the Court in … Digital Rights Ireland”.

Stressing the need for such a requirement, the Advocate General highlights the severe degree of interference posed by the retention and access to mass data retention regimes to the individual’s fundamental rights to privacy and the personal data. On this point, he stresses the risk of abusive or illegal access to mass retained data particularly in light of the “extremely high number of requests for access” by both the Swedish and UK public authorities. Regarding the latter, submitted evidence indicated records showing 517, 236 authorisations and 55, 346 urgent oral authorisations made in 2014 alone.

Furthermore, the Advocate General noted the criticism by human rights experts of the trend regarding replacing traditional independent authorization procedures and effective oversight with “self-authorisation systems for giving intelligence and police services access to data”. Subsequently, the Advocate General remarked that the public authorities in question are in no position to carry out an effective review with respect to approving access to retained data as they “have every interest in requesting the broadest possible access”.

8. National courts can impose greater safeguards

The Advocate General stressed that the EU Charter provides only minimum safeguards that can be rejected as incompatible with the requirement of proportionality under national laws which may require higher standards. This emphasizes the significant role of national courts as guardians of fundamental rights. Accordingly, they are in a position to determine that even if the data retention provisions enacted under the UK Investigatory Powers Bill meet the minimum safeguards set out by Digital Rights Ireland, they may still not be compatible with the UK Human Rights Act.

 

Looking forward

Given the recommendation that the mass retention of data is not in of itself a measure that is incompatible with EU fundamental rights, the Advocate General’s overall approach towards creating greater fundamental rights compliance in this difficult area of EU law is unclear at first blush. In addition, the outdated approach adopted by the Advocate General towards according greater weight to the risk and harms posed to the rights to respect for private life and data protection by the retention and access to content as opposed to communications data/metadata is disappointing. For instance, having access to six months of one mobile phone’s traffic and location data enables public authorities to peer into an individual’s private life from at least 36,000 different vantage points. Current EU jurisprudence, however, indicates that this does not amount to adversely affecting the “essence” of the right to respect for private life under Article 7 of the EU Charter of Fundamental Rights.

However, evidence of such an approach is demonstrated in two ways. First, it can be seen in the strict approach of the Advocate General towards the mandatory application of all the requirements and safeguards established in Digital Rights Ireland to national data retention regimes. Secondly, the Advocate General stressed that Digital Rights Ireland provides only minimum safeguards which can be rejected as incompatible with the requirement of proportionality under national laws which may require higher standards. This emphasizes the significant role that can be played by national courts as guardians of fundamental rights.

Finally, the spectre of Brexit casts considerable uncertainty over the exact consequences of the CJEU’s judgement for the UK Government in this area of data protection law. Nevertheless, it will not be realistically possible for UK public authorities to completely ignore the conclusions of the CJEU in Watson and Tele2 Sverige irrespective of what form the EU-UK legal relationship ultimately takes. For example, should the UK remain part of the European Economic Area (EEA) Agreement (like Iceland, Liechtenstein and Norway) it will be legally bound to bring its data protection law in line with EU standards. Alternatively, the UK could opt to remain outside of the EU and be treated as a “third country”. However, as recently addressed by the CJEU in Schrems, its landmark judgement concerning EU-US data transfers, the UK will have to ensure that its laws provide “adequate” levels of data protection or else the transfer of personal data (and by extension trade) between the EU and the UK will be prohibited.

Hence, the Advocate General’s Opinion should be carefully considered as it may play a significant role in influencing the legally-binding judgement of the Luxembourg Court to be delivered this autumn.

Posted: Tuesday 9 August 2016

Contributor:

Tags: policylawinterneteuropedigital rightsbrexit