21 December 2016 – A major data retention ruling was issued today by the European Court of Justice and it will have major implications for U.K. law in the context of Brexit. I have written about the case before to my TMT (technology, media, and telecommunications) list under “Tele2 Sverige”, but I am widening the distribution to my entire reader list.
It is actually two joined cases relating to the data retention regimes in Sweden and the U.K. The cases concern the impact on national laws of the ECJ’s April 2014 invalidation of the EU Data Retention Directive (2006/24/EC).
Telecommunications and internet service providers (ISPs) required to retain certain data to answer law enforcement and national security requests have bee particularly interested in how the court would rule.
The Data Retention Directive required telecoms and ISPs to retain certain customer personal data and communications data for up to two years and provide it to law enforcement agencies on request. The ECJ invalidated the law on the basis that it contained insufficient safeguards against indiscriminate bulk data collection.
The U.K. case before the ECJ concerns the predecessor to the Investigatory Powers Act, the U.K. Data Retention and Investigatory Powers Act 2014 (DRIPA), which is subject to a sunset clause and expires Dec. 31.
As I noted in a previous post, the repercussions of the case had the potential to be far-reaching for the new U.K.’s Investigatory Powers Act. The law, finalized by the U.K. 29 November of this year permits the U.K. government to issue notices requiring telecommunications operators to retain user data, including their web browsing histories, and to disclose it to law enforcement agencies. In the light of the invalidation of the EU Data Retention Directive, the U.K. High Court in July 2015 found that DRIPA was out of step with privacy protections in EU law, in particular by failing to provide “clear and precise rules” on when internet and telecommunications data could be accessed by law enforcement agencies.
The British government had appealed the ruling and the case was referred to the ECJ for a judgment on whether DRIPA is consistent with EU privacy rights.
In parallel, the Stockholm Administrative Appeals Court in Sweden asked the ECJ in May 2015 for a preliminary ruling in a case concerning Stockholm-based telecommunications carrier Tele2 Sverige AB, which said it would delete customer data it had been required to retain under the Swedish law implementing the EU Data Retention Directive.
I had noted that in a July 2016 advisory opinion on these cases ECJ Advocate General Henrik Saugmandsgaardoe said that despite the invalidation of the Data Retention Directive, EU countries could in principle adopt data retention laws, as long as they are in line with data protection and privacy rights. This would mean that retained data should only be accessed to combat serious crime, that it should only be used when strictly necessary and when other measures had proved ineffective. In addition, use of data should be proportionate and respect privacy safeguards on retention periods and access rules, according to the advisory ruling.
So an ECJ judgment that broadly followed the advisory opinion might mean someone might have grounds for a judicial review action against the U.K. Investigatory Powers Act. That act requires the collection and retention of pretty much everything. Here is a good summary (click here).
The ECJ isn’t bound to follow the advisory opinion, although in most cases ECJ judgments echo Advocate General opinions. This time it did follow the opinion. And it is hard to see how the Investigatory Powers Act will not withstand a proportionality challenge.
Or it might push the U.K. government to review the Investigatory Powers Act in terms of the grounds on which data access requests would be allowed, and the procedures on independent prior authorization for access to retained data.
And if the U.K. were to continue to apply the provisions of the Investigatory Powers Act against a negative judgment from the ECJ, the U.K. could be in exactly the same position post-Brexit as the U.S. was over the invalidated EU-U.S. Safe Harbor data transfer framework.
It is a long opinion … I skimmed the French version, and I am just now reading the full English version; I have a link to the decision below … but in a nutshell what the Court said was:
- EU law precludes national legislation that prescribes general and indiscriminate retention of data
- The protection of the confidentiality of electronic communications and related traffic data guaranteed by the directive, applies to the measures taken by all persons other than users, whether by private persons or bodies, or by State bodies.
- While that directive enables Member States to restrict the scope of the obligation to ensure the confidentiality of communications and related traffic data, it cannot justify the exception to that obligation, and in particular to the prohibition on storage of data laid down by that directive, becoming the rule.
- The retained data, taken as a whole, is liable to allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained.
- The money shot vis-à-vis the UK Investigatory Powers Act: “the interference by national legislation that provides for the retention of traffic data and location data with that right must therefore be considered to be particularly serious. The fact that the data is retained without the users of electronic communications services being informed of the fact is likely to cause the persons concerned to feel that their private lives are the subject of constant surveillance. Consequently, only the objective of fighting serious crime is capable of justifying such interference”
- The Court makes clear that the directive does not preclude national legislation from imposing a targeted retention of data for the purpose of fighting serious crime, provided that such retention of data is, with respect to the categories of data to be retained, the “means of communication affected, the persons concerned and the retention period adopted, limited to what is strictly necessary. The Court states that any national legislation to that effect must be clear and precise and must provide for sufficient guarantees of the protection of data against risks of misuse”.
My big take-away: a Member State simply cannot impose upon providers a general duty to keep all data. Legislation must indicate in what circumstances and under which conditions a data retention measure may, as a preventive measure, be adopted, thereby ensuring that the scope of that measure is, in practice, actually limited to what is strictly necessary. In particular, such legislation must be based on objective evidence which makes it possible to identify the persons whose data is likely to reveal a link with serious criminal offences, to contribute to fighting serious crime or to preventing a serious risk to public security.
Here is a link to the decision (in all languages) : click here
