Two years after Digital Rights Ireland: general data retention obligations might still be compatible with EU law

A review of the Advocate General’s opinion in Joined Cases C-203/15 and C-698/15

An article by Pieter Gryffroy*

A. Introduction

In its judgement of 8 April 2014 in the Digital Rights Ireland case,[1] the Court of Justice declared the 2006 Data Retention Directive (hereinafter: the Data Retention Directive)[2] invalid. The grounds for doing so were threefold. Firstly, the Directive had an insufficiently specific scope, covering “in a generalised manner, all persons and all means of electronic communication as well as all traffic data without any differentiation, limitation or exception being made in the light of the objective of fighting against serious crime”.[3] Secondly, the Directive failed to lay down objective criteria to determine the limits of access to the retained data for the purposes of prevention, detection and prosecution of serious criminal offences.[4] Thirdly, the Directive did not make any distinction between the different categories of data in relation to the duration of the retention, nor did it require that the determination of the period of retention be based on objective criteria and be limited to what is strictly necessary.[5] Therefore, while the Court recognised that the retention of data genuinely satisfies an objective of general interest,[6] it found that the interferences with the rights laid down in articles 7 (respect for private life) and 8 (protection of personal data) of the EU Charter created by the Data Retention Directive did not meet the conditions of proportionality.[7]

The decision in the Digital Rights Ireland Case created a legal vacuum in the EU. Moreover, in March 2015, the European Commission announced that it would not propose a new legal initiative concerning the subject matter of the Directive that was struck down by the Court.[8] As such it was left to the Member States to create their own legal framework for data retention following the annulment of the Directive, either by introducing new rules or adapting the existing national legislation transposing the Directive, in so far as necessary. After all, it is not because the Directive as such was invalidated, that the national laws transposing the Directive are necessarily incompatible with EU law, given that Member States retain some discretion in formulating the implementing provisions. The opinion of Advocate General Saugmandsgaard Øe,[9] which is under review in this article, addresses the interpretation of Digital Rights Ireland in the national context. More specifically, it assesses the general data retention obligations, imposed on telecommunications service providers by national laws in Sweden and the UK, as in force after the judgment in Digital Rights Ireland.[10]

B. Facts and Questions

I. Case C-203/15

On 9 April 2014, the day after the Court of Justice had rendered its judgment in Digital Rights Ireland, the telecom operator Tele2 Sverige (hereinafter: Tele2) notified the Swedish Post and Telecommunications Authority (hereinafter: PTS) that it would cease to retain data as required by the Swedish national rules implementing the Data Retention Directive. Tele2 also proposed to delete the data it had retained in application of those rules. The telecom operator did so because it had concluded that the Swedish rules in force, i.e. those transposing the Directive, were incompatible with the EU Charter of Fundamental Rights.[11] Notably, the Swedish rules did not only suffer from largely the same defects as the Directive, but even included a general retention obligation with a larger scope than the obligation under the Directive,[12] combined with lenient rules of access.[13]

In reaction to Tele2’s decision, the National Police Board complained to the PTS, stating that Tele2’s refusal to further cooperate endangered the police’s law enforcement activities.[14] On the 27th of June 2014, the PTS ordered Tele2 to resume its obligations under Swedish law within the month.[15] Tele2 contested this decision before the Stockholm administrative court, which dismissed the action. Thereupon Tele2 appealed that judgment before the Stockholm Administrative Court of Appeal, which referred the matter to the Court of Justice.[16]

In essence, the referring Court asks the Court of Justice whether the Swedish rules encompassing restrictions of articles 7 and 8 of the EU Charter are compatible with EU law, specifically article 52(1) of the Charter and article 15 of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (hereinafter: the E-Privacy Directive).[17] Both provisions specify conditions under which national law may restrict the scope of the right to privacy and data protection, which they aim to protect.

II. Case C-698/15

In the wake of the Digital Rights Ireland case, the UK Parliament pushed through a new act, allowing security services continued retention and access to the data that was previously retained and accessed under the legislation implementing the Data Retention Directive. The so-called Data Retention and Investigatory Powers Act 2014 faced substantial resistance from Members of Parliament, civil rights organisations and legal scholars for being passed too speedily and not striking an appropriate balance between security, privacy and freedom of enterprise.[18] In the end, three applications were filed for judicial review of the lawfulness of the Act before the High Court of Justice (England and Wales), specifically against the broad power of the Home Secretary “to require public telecommunications operators to retain [all] communications data for a maximum period of 12 months”.[19]

The High Court declared that the act was inconsistent with EU law, specifically with the requirements laid down in Digital Rights Ireland, which the court considered to apply to national law on this issue.[20] However, on appeal, brought by the Home Secretary, the Court of Appeal (England and Wales) (Civil Division) provisionally stated that the Court of Justice did not lay down requirements for national law in Digital Rights Ireland, but simply identified and described protections and safeguards, which were absent from the harmonized EU regime.[21] Because clarification was still needed, the Court of Appeal referred the matter to the Court of Justice.

In essence, the referring Court asks whether Digital Rights Ireland creates mandatory requirements of EU law “applicable to a Member State’s domestic regime governing access to data retained in accordance with national legislation” which are to be applied by a Members State “in order to comply with Articles 7 and 8 of the [Charter]”.[22]

By decision of 10 March 2016 the Court joined both cases for the purposes of the oral hearing and the rendering of the judgment.[23] The common question in both of the cases under review is whether Digital Rights Ireland has created specific requirements under EU law to be adhered to by Member States that enact national provisions on data retention in the absence of any EU Directive requiring them to do so. In other words, does Digital Rights Ireland prevent Sweden and the UK from maintaining a general retention obligation under national law? After, all, the Directive was invalidated, amongst other reasons, because it contained an overly broad scope allowing the general blanket retention of all metadata[24] relating to electronic communications. Nonetheless, it remains unclear if this has the effect of prohibiting a Member State from autonomously introducing or maintaining a general obligation to retain communications data. The referring court in case C-698/15 additionally wonders whether the Court’s rejection of the Directive’s access regime because of the lack of objective criteria delineating the limits of such access has the effect of imposing certain requirements on UK legislation relating to subsequent access of the retained data.[25]

C. The Advocate General’s Answer

Despite the formulation by the UK court of its question, the AG only addresses the retention portion of the issue, namely the question whether “in the light of Digital Rights Ireland, Article 15(1) of Directive 2002/58 and Articles 7, 8 and 52(1) of the Charter are to be interpreted as precluding Member States from imposing on service providers a general obligation to retain data such as that at issue in [the cases under review], regardless of any safeguards that might accompany such an obligation”.[26] Such an approach can be understood, given the fact that only retention of data is still regulated on the EU level after the Court’s annulment of the Data Retention Directive. One could argue that the AG should have given reasons for seemingly ignoring the access issue raised by the referring court in C-698/15. However, as will become clear further on, the AG’s opinion provides an answer to this part of the question as well.

In his answer, the AG first considers that general data retention obligations fall within the scope of the E-Privacy Directive[27] and are allowed under it, provided the conditions of Art. 15 of that Directive have been fulfilled. The AG specifies that although Art. 11 of the Data Retention Directive inserted an Art. 15(1a) in the E-Privacy Directive, preventing the data retention obligations under the Data Retention Directive from being derogated from under national law, this does not indicate that general data retention obligations are as such incompatible with the regime of the E-Privacy Directive, but rather attests to the EU legislator’s will at the time to attain exhaustive harmonisation on the topic.[28] Art. 15(1a) of the E-Privacy Directive and Art. 11 of the Data Retention Directive, inserting said article in the E-Privacy Directive, have retroactively been nullified by the Court in Digital Rights Ireland, together with the rest of the Data Retention Directive. Nonetheless, the AG makes a valid point. Art. 15(1a) of the E-Privacy Directive prohibiting derogation through national law from the rules of the Data Retention Directive, including the Data Retention Directive’s broad general retention obligation, indeed does not hint at such an obligation being irreconcilable with the E-Privacy Directive, but rather points to the opposite conclusion.

Next, the AG addresses the question whether the provisions of the Charter apply to the matter.[29] In as far as retention is concerned, the AG states that since Member States are still bound to implement the provisions of the E-Privacy Directive, the Charter binds them as well, following Art. 51(1), first sentence of the Charter.[30] In other words, in the AG’s view, Member States introducing a general data retention obligation such as those at issue are implementing EU law. While it might seem questionable whether MS introducing or maintaining a general data retention obligation are actually implementing EU law, the AG is correct in his assessment in as far as article 15 of the E-Privacy Directive allows for a general data retention obligation to be introduced by the national law of the MS’s. Although implementing said obligation would be deviating from the substantive law of the E-Privacy Directive, it is the Directive and therefore EU law itself, which allows for the deviation. As such the MS’s would still be implementing EU law when introducing or maintaining a general data retention obligation, even in the absence of specific EU law requiring such an obligation to be present in national law, as the former Data Retention Directive did.[31]

However, national provisions governing the access to retained data for the purpose of fighting serious crime fall outside the scope of the E-Privacy Directive in any case,[32] and as such the Charter does not apply to them. Nonetheless, as the AG points out, “the raison d’être of a data retention obligation is to enable law enforcement authorities to access the data retained, and so the issue of the retention of data cannot be entirely separated from the issue of access to that data”.[33] Moreover, “provisions governing access are of decisive importance when assessing the compatibility with the Charter of provisions introducing a general data retention obligation in implementation of Article 15(1) of Directive 2002/58. More precisely, provisions governing access must be taken into account in the assessment of the necessity and proportionality of such an obligation.”[34]

Lastly, the AG ponders the question of the compatibility of a general data retention obligation. First the AG succinctly concludes that it is clear from Digital Rights Ireland that general data retention obligations are a serious interference with both the right to privacy and data protection as guaranteed under Arts. 7 and 8 of the Charter, and with several of the rights contained in the E-Privacy Directive.[35] Having established this, the AG moves on to assessing whether such an interference can be justified, under the cumulative conditions of Art. 15 of the E-Privacy Directive and Art. 52(1) of the Charter.

Six conditions are identified: “the retention obligation must have a legal basis, it must observe the essence of the rights enshrined in the Charter; it must pursue an objective of general interest; it must be appropriate for achieving that objective; it must be necessary in order to achieve that objective; [and] it must be proportionate, within a democratic society, to the pursuit of that same objective.”[36] Although several of those grounds were already mentioned in the Digital Rights Ireland case, the AG revisits each of them separately.

With regards to the first condition, the AG concludes that a general data retention obligation “must be established in legislative or regulatory measures possessing the characteristics of accessibility, foreseeability and adequate protection against arbitrary interference”. However, whether this is the case for Sweden and the UK is left up to the national court to determine, being in a privileged position to assess their national regimes.[37]

In assessing the second condition, the AG concludes that a general data retention obligation is capable of respecting the essence of the right enshrined in Arts. 7 and 8 of the EU Charter, in as far as sufficient safeguards are put in place, effectively protecting personal against abuse, specifically unlawful access and use. It remains for the referring Courts to verify the existence of such safeguards.[38]

In relation to the third condition, requiring the existence of a genuine objective of general interest, the AG finds that combating serious crime could qualify as such an objective. Combating ordinary offences or ensuring the “smooth conduct of proceedings other than criminal proceedings“, however, cannot in itself justify the adoption or maintenance of a general data retention obligation.[39]

In light of the foregoing, the next conditions considered by the AG are the appropriateness (4th condition) and the necessity (5th condition) of a general data retention obligation for supporting the fight against serious crime. The AG finds that such an obligation is liable to contribute to the fight against serious crime[40], but in order to be limited to what is strictly necessary to attain the set objective, certain safeguards must be observed, including at least all the guarantees described by the Court of Justice in paragraphs 60-68 of Digital Rights Ireland. With this the AG confirms the mandatory nature of the requirements set out in Digital Rights Ireland. As for the preceding conditions, it remains up to the referring courts to assess whether the national regimes in question fulfill these conditions.[41]

Finally, the AG stresses that any general data retention obligation must be proportionate within a democratic society, taking into account both “ the advantages associated with giving the authorities whose task it is to fight serious crime a certain ability to examine the past” and  “the serious risks which, in a democratic society, arise from the power to catalogue the private lives of individuals and to catalogue a population in its entirety.” In making this assessment the referring courts have to take account of all relevant circumstances. Additionally, the AG emphasizes that the mandatory requirements laid down in Digital Rights Ireland are no more than minimum safeguards and “consequently, a national regime which includes all of those safeguards may nevertheless be considered disproportionate, within a democratic society, as a result of a lack of proportion between the serious risks engendered by such an obligation, in a democratic society, and the advantages it offers in the fight against serious crime.”[42]

In light of the above reasoning, the AG concludes that Member States are not precluded under EU law “from imposing on providers of electronic communications services an obligation to retain all data relating to communications effected by the users of their services”, in as far as the mandatory conditions laid down in Digital Rights Ireland are observed and all other conditions specified in the opinion have been observed.[43]

D. Conclusion

The AG’s opinion provides a pragmatic solution, allowing for a status quo of national legislation on data retention within the EU, in so far as sufficient safeguards are in place or put in place. The AG’s pragmatism can further be illustrated by his approach to the issue of access to retained data for the purpose of combating serious crime. Although the AG admits that strictly speaking, EU law does not regulate this topic, he takes the view that national provisions governing access should nonetheless be taken into account when assessing the data retention that precedes it because it would be artificial to entirely separate data retention from the subsequent use of that data and the rules regulating access.[44]

Notwithstanding this attractive pragmatism, the question remains whether the Court will follow the same reasoning. Throughout the opinion, the AG seems to assume that each of the Court’s objections in Digital Rights Ireland to the broad and unspecified scope of the Data Retention Directive were to be read only in conjunction with all its other objections. Following that reasoning, it was the cumulative effect of all the Directive’s shortcomings that convinced the Court to annul the Data Retention Directive, without any of the constitutive elements having decisive influence. Undoubtedly, the cumulative effect of a broad scope, a lack of limitation and objectivism relating to access and a lack of differentiation in retention duration made the Retention Directive extremely problematic, each shortcoming reinforcing the negative impact of the others. As the AG points out, in Digital Rights Ireland, the Court only came to the conclusion that the EU legislature had exceeded the limits imposed on it by the principle of proportionality after making all its objections, without explicitly stating that the broad scope of the data retention regime as such went beyond what was necessary.[45]

However, when reading paragraphs 57-59 of Digital Rights Ireland carefully, one could also conclude that the Court hints at the conclusion that the scope of the Data Retention Directive went beyond what was necessary and at the very least had clear objections to the broad scope of the Directive in and by itself. Especially problematic is the absence of any linking factors to an involvement, even extremely indirectly, of the user in serious crime and the lack of exceptions for communications falling under professional secrecy. Therefore, the assumption that a general data retention obligation is no longer possible under EU law and that only pre-identified communications can be retained, with special provisions for communications that are subject to obligations of professional secrecy is not far-fetched.

Nonetheless, I would tend to agree with the AG. It is not the retention of all metadata in itself that is problematic, although the potential of this data to catalogue entire populations is unquestionable.[46] As the AG puts it: “a general data retention obligation need not invariably be regarded as, in itself, going beyond the bounds of what is strictly necessary for the purposes of fighting serious crime. However, such an obligation will invariably go beyond the bounds of what is strictly necessary if it is not accompanied by safeguards concerning access to the data, the retention period and the protection and security of the data.”[47] Indeed, it is arguable that the mere retention of the metadata, notwithstanding its enormous potential, is quite harmless. It is only the subsequent access and (ab)use that is potentially harmful to the data subjects. As such, in order to maximize the potential of the tools for fighting serious crime, and to minimize the risks of abuse, the focus should be on providing sufficient safeguards relating to retention duration and conditions of access and subsequent use.

The Court’s verdict will be awaited eagerly.

————————————————

*Pieter Gryffroy was a research assistant at the Jean-Monnet-Chair of Prof. Dr. Giegerich for European Law and European Integration. He studied law in Leuven (LLB and LLM at the KU Leuven) and in Saarbrücken (Europa-Institut).

[1] CJEU, Joined Cases C-293/12 and C-594/12, Digital Rights Ireland, ECLI:EU:C:2014:238.

[2] Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC,OJ L 105, p. 54-63.

[3] CJEU, Digital Rights Ireland, paras. 57-59.

[4] CJEU, Digital Rights Ireland, paras. 60-62.

[5] CJEU, Digital Rights Ireland, paras. 63-65.

[6] CJEU, Digital Rights Ireland, para. 44.

[7] CJEU, Digital Rights Ireland, paras. 45-69.

[8] See e.g. http://www.reuters.com/article/us-eu-data-telecommunications-idUSKBN0M82CO20150312 (last accessed 22/08/2016).

[9] Opinion of AG Saugmandsgaard Øe to CJEU, Joined Cases C-203/15 (Tele2 Sverige AB v Post-och telestyrelsen) and C-698/15 (Secretary of State for Home Department v Watson and others), ECLI:EU:C:2016:572; hereinafter: Opinion of AG Saugmandsgaard Øe to CJEU, Joined Cases C-203/15 and C-698/15.

[10] Notably, in the UK the rules had been enacted after Digital Rights Ireland, although not without protest. In Sweden, the applicable national law was still unaltered and thus modeled after the provision of the Directive (see Opinion of AG Saugmandsgaard Øe to CJEU, Joined Cases C-203/15 and C-698/15, paras. 8-49).

[11] Opinion of AG Saugmandsgaard Øe to CJEU, Joined Cases C-203/15 and C-698/15, para. 50.

[12] Nonetheless relating only to metadata and not to the content of the communications.

[13] Opinion of AG Saugmandsgaard Øe to CJEU, Joined Cases C-203/15 and C-698/15, paras. 10-33.

[14] Opinion of AG Saugmandsgaard Øe to CJEU, Joined Cases C-203/15 and C-698/15, para. 51.

[15] Opinion of AG Saugmandsgaard Øe to CJEU, Joined Cases C-203/15 and C-698/15, para. 52.

[16] Opinion of AG Saugmandsgaard Øe to CJEU, Joined Cases C-203/15 and C-698/15, paras. 53-55.

[17] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), OJ L 201, p. 37-47.

[18] See e.g. http://www.bbc.co.uk/news/uk-28305309 (last accessed 23/08/2016); http://www.bbc.com/news/uk-politics-28237111 (last accessed 23/08/2016); http://www.dimt.it/2015/01/21/striking-a-balance-among-security-privacy-and-competition-the-data-retention-and-investigatory-powers-act-2014-drip/ (last accessed 23/08/2016).

[19] Opinion of AG Saugmandsgaard Øe to CJEU, Joined Cases C-203/15 and C-698/15, para. 56; again, all data relates to all metadata and does not concern the content of the communications.

[20] Opinion of AG Saugmandsgaard Øe to CJEU, Joined Cases C-203/15 and C-698/15, para. 58.

[21] Opinion of AG Saugmandsgaard Øe to CJEU, Joined Cases C-203/15 and C-698/15, para. 59.

[22] Opinion of AG Saugmandsgaard Øe to CJEU, Joined Cases C-203/15 and C-698/15, para. 60.

[23] Opinion of AG Saugmandsgaard Øe to CJEU, Joined Cases C-203/15 and C-698/15, para. 65.

[24] Metadata is used in this article to signify the information that relates to a certain electronic communication, but excluding the actual content of the message. Included are e.g. date, time and duration; source and destination; location; type of communication and type of equipment used.

[25] See the formulation “including, in particular, paragraphs 60 to 62 thereof”, referring to the Court’s view on access rules in Digital Rights Ireland; Opinion of AG Saugmandsgaard Øe to CJEU, Joined Cases C-203/15 and C-698/15, para. 60, first question.

[26] Opinion of AG Saugmandsgaard Øe to CJEU, Joined Cases C-203/15 and C-698/15, para. 67.

[27] Opinion of AG Saugmandsgaard Øe to CJEU, Joined Cases C-203/15 and C-698/15, paras. 87-97.

[28] Opinion of AG Saugmandsgaard Øe to CJEU, Joined Cases C-203/15 and C-698/15, paras. 98-116.

[29] Opinion of AG Saugmandsgaard Øe to CJEU, Joined Cases C-203/15 and C-698/15, paras. 117-125.

[30] Opinion of AG Saugmandsgaard Øe to CJEU, Joined Cases C-203/15 and C-698/15, paras. 121-122.

[31] In the opposite case, if one were to take the opinion that Art. 15 of the E-Privacy Directive does not allow for a general data retention obligation in national law, the MS would still be legislating within an area covered by EU law, albeit then contrary to its provisions (such as Art. 6 and 9 of the E-Privacy Directive concerning traffic data and location data other than traffic data).

[32] See Art. 1(3) of Directive 2002/58; see also Opinion of AG Saugmandsgaard Øe to CJEU, Joined Cases C-203/15 and C-698/15, paras. 123-124.

[33] Opinion of AG Saugmandsgaard Øe to CJEU, Joined Cases C-203/15 and C-698/15, para. 125.

[34] Opinion of AG Saugmandsgaard Øe to CJEU, Joined Cases C-203/15 and C-698/15, para. 125.

[35] Opinion of AG Saugmandsgaard Øe to CJEU, Joined Cases C-203/15 and C-698/15, paras. 126-127.

[36] Opinion of AG Saugmandsgaard Øe to CJEU, Joined Cases C-203/15 and C-698/15, para. 132.

[37] Opinion of AG Saugmandsgaard Øe to CJEU, Joined Cases C-203/15 and C-698/15, paras. 134-154.

[38] Opinion of AG Saugmandsgaard Øe to CJEU, Joined Cases C-203/15 and C-698/15, paras. 155-160.

[39] Opinion of AG Saugmandsgaard Øe to CJEU, Joined Cases C-203/15 and C-698/15, paras. 161-174.

[40] Opinion of AG Saugmandsgaard Øe to CJEU, Joined Cases C-203/15 and C-698/15, paras. 175-184.

[41] Opinion of AG Saugmandsgaard Øe to CJEU, Joined Cases C-203/15 and C-698/15, paras. 185-245.

[42] Opinion of AG Saugmandsgaard Øe to CJEU, Joined Cases C-203/15 and C-698/15, paras. 246-262.

[43] Opinion of AG Saugmandsgaard Øe to CJEU, Joined Cases C-203/15 and C-698/15, para. 263.

[44] Opinion of AG Saugmandsgaard Øe to CJEU, Joined Cases C-203/15 and C-698/15, para. 125.

[45] Opinion of AG Saugmandsgaard Øe to CJEU, Joined Cases C-203/15 and C-698/15, paras. 197-200.

[46] Opinion of AG Saugmandsgaard Øe to CJEU, Joined Cases C-203/15 and C-698/15, para. 259.

[47] Opinion of AG Saugmandsgaard Øe to CJEU, Joined Cases C-203/15 and C-698/15, para. 205.

Copyright of the image: Defense Advanced Research Projects Agency (DARPA), https://commons.wikimedia.org/wiki/File:DARPA_Big_Data.jpg?uselang=de.

Suggested Citation: Gryffroy, Pieter, Two years after Digital Rights Ireland: general data retention obligations might still be compatible with EU law, jean-monnet-saar 2016, DOI: 10.17176/20220422-155501-0