08 April 2014

EU Data Retention Directive

In Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and Seitlinger and Others the European Court of Justice has declared the Data Retention Directive to be invalid, stating that the Directive "entails a wide-ranging and particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data, without that interference being limited to what is strictly necessary".

The decision comes at a time when mandatory data retention (and easy access to that data by a wide range of government and nongovernment bodies)  is again being considered by Australia's national parliament.

Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC (aka the Data Retention Directive) is meant to harmonise the law of EU states  concerning the retention of traffic data generated or processed by providers of publicly available electronic communications services or of public communications networks. It accordingly seeks to ensure that the data is available for the purpose of the prevention, investigation, detection and prosecution of serious crime, such as, in particular, organised crime and terrorism. Service providers must retain traffic and location data (and related data necessary to identify the subscriber or user), i.e. metadata. The Directive does not permit the retention of the content of the communication or of information consulted.

Ireland's High Court and Austria's Constitutional Court (the Verfassungsgerichtshof) asked the Court of Justice - the whole of EU body - to examine the Directive's validity, particularly in relation to rights under the Charter of Fundamental Rights of the EU (i.e. the fundamental right to respect for private life and the fundamental right to the protection of personal data).

The referral reflects the High Court's consideration of the dispute between Digital Rights Ireland and the Irish government regarding the legality of Ireland's regime regarding data retention. The Verfassungsgerichtshof is considering several constitutional actions brought by the Kärntner Landesregierung (i.e. the Carinthian provincial government), Mr Seitlinger, Mr Tschohl and 11,128 other applicants seeking annulment of the national provision which transposes the Directive into Austrian law.

The ECJ has declared that the Directive is invalid.

In its judgment it indicates that the data make it possible to
  • know the identity of the person with whom a subscriber or registered user has communicated and by what means, 
  • identify the time of the communication as well as the place from which that communication took place and 
  • know the frequency of the communications of the subscriber or registered user with certain persons during a given period. 
That may provide very precise information on the private lives of the persons whose data is retained, "such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, activities carried out, social relationships and the social environments frequented".

The Court considers that requiring the retention of the data and allowing national agencies to access those data, the Directive "interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data". Moreover the fact that data is retained and subsequently used without the subscriber or registered user being informed is likely to generate in the persons concerned a feeling that their private lives are the subject of constant surveillance.

The Court considered whether such interference with the fundamental rights is justified. In essence, the Directive is disproportionate.

The Court indicates that retention does not "adversely affect the essence of the fundamental rights to respect for private life and to the protection of personal data", given that -
  • the Directive does not permit acquisition of knowledge of the content of the electronic communications as such
  • the Directive provides that service or network providers must respect certain principles of data protection and data security
  • retention of data for the purpose of their possible transmission to the national agencies genuinely satisfies an objective of general interest, namely the fight against serious crime and, ultimately, public security. 
However, the Court indicated that by adopting the Data Retention Directive the EU legislature has "exceeded the limits imposed by compliance with the principle of proportionality". In view of the important role played by the protection of personal data in the light of the fundamental right to respect for private life and the extent and seriousness of the interference with that right caused by the directive, the EU legislature’s discretion is reduced. Review of that discretion must accordingly be strict. The Directive's "wide-ranging and particularly serious interference" with the fundamental rights is insufficiently circumscribed to ensure that the interference is actually limited to what is strictly necessary.

The Court notes [at 72-80] that
the fact remains that the collection and, above all, the retention,  in huge databases, of the large quantities of data generated or processed in connection with most of the everyday electronic communications of citizens of the Union constitute a serious interference with the privacy of those individuals, even if they only establish the conditions allowing retrospective scrutiny of their personal and professional activities. The collection of such data establishes the conditions for surveillance which, although carried out only retrospectively when the data are used, none the less constitutes a permanent threat throughout the data retention period to the right of citizens of the Union to confidentiality in their private lives. The vague feeling of surveillance created raises very acutely the question of the data retention period. 
In that regard, it is first of all necessary to take into account the fact that the effects of that interference are multiplied by the importance acquired in modern societies by electronic means of communication, whether digital mobile networks or the Internet, and their massive and intensive use by a very significant proportion of European citizens in all areas of their private or professional activities. 
The data in question, it must be emphasised once again, are not personal data in the traditional sense of the term, relating to specific information concerning the identity of individuals, but ‘special’ personal data, the use of which may make it possible to create a both faithful and exhaustive map of a large portion of a person’s conduct strictly forming part of his private life, or even a complete and accurate picture of his private identity. 
The intensity of that interference is exacerbated by factors which increase the risk that, notwithstanding the obligations imposed by Directive 2006/24 both on the Member States themselves and on providers of electronic communications services, the retained data might be used for unlawful purposes which are potentially detrimental to privacy or, more broadly, fraudulent or even malicious. 
Indeed, the data are not retained by the public authorities themselves, or even under their direct control, but by the providers of electronic communications services themselves, upon which most of the obligations guaranteeing data protection and security are imposed. 
It is true that Directive 2006/24 requires (the Member States to ensure that data are retained in accordance with that directive. It is interesting to note though that it is required to carry this out only in such a way that those data and any other necessary information relating to them ‘can be transmitted upon request to the competent authorities without undue delay’. Directive 2006/24 provides, moreover, that the Member States must ensure that providers of electronic communications services observe minimum principles concerning the protection and security of the data retained. 
However, no provision of Directive 2006/24 lays down the requirement for those service providers themselves to store the data to be retained in the territory of a Member State, under the jurisdiction of a Member State, a fact which considerably increases the risk that such data may be accessible or disclosed in infringement of that legislation. 
That ‘outsourcing’ of data retention admittedly allows the retained data to be distanced from the public authorities of the Member States and thus to be placed beyond their direct grip and any control,  but by that very fact it simultaneously increases the risk of use which is incompatible with the requirements resulting from the right to privacy. 
Directive 2006/24 therefore constitutes, as is clear from the foregoing reasoning, a particularly serious interference with the right to privacy and it is in the light of the requirements resulting from that fundamental right that its validity, and in particular its proportionality, must primarily be examined.
The Court goes on to comment [at 145-152] that
The period of retention which may be considered permissible in light of the principle of proportionality cannot be determined without according some discretion to the legislature. Nevertheless, this does mean that all review of proportionality, albeit difficult, is to be precluded in that respect. 
In that regard, I think that it may be helpful to point out that a human being lives out his existence over a period which is by definition limited where the past, his own history and in the final analysis his memory, and the present, the more or less immediate lived experience, the awareness of what he is in the process of living through, converge.  Although it is difficult to define, a line, which is certainly different for each person, separates the past from the present. What appears unquestionable is the possibility of distinguishing between the perception of present time and the perception of the past. In each of those perceptions, an individual’s awareness of his own life, his ‘private life’ particularly, as a ‘recorded’ life may play a part. Further, there is a difference according to whether that ‘recorded life’ is the one which is perceived as his present or the one which is experienced as his own history. 
I am of the view that those considerations can be applied to the analysis of the proportionality of Article 6 of Directive 2006/24. If the principle of retaining all that personal documentation for a certain period of time is considered lawful, it remains to ask whether it is inevitable, that is to say, necessary, for it to be imposed on individuals over a period which covers not only ‘the present time’ but also ‘historical time’. 
In that regard, and with full awareness of the subjectivity which this entails, it may be considered that a retention period for personal data ‘which is measured in months’ is to be clearly distinguished from a period ‘which is measured in years’. The first period would correspond to that falling within what is perceived as present life and the second to that falling within life perceived as memory. The interference with the right to privacy is, from that perspective, different in each case and the necessity of both types of interference must be capable of being justified. 
Although the necessity of the interference in the dimension of present time seems to be sufficiently justified, I have found no justification for an interference extending to historical time. Expressed more directly, and without denying that there are criminal activities which are prepared well in advance, I have not found, in the various views defending the proportionality of Article 6 of Directive 2006/24, any sufficient justification for not limiting the data retention period to be established by the Member States to less than one year. In other words, and with all the caution that this aspect of the review of proportionality always requires, no argument was able to convince me of the need to extend data retention beyond one year. 
Finally, it must also be pointed out that Directive 2006/24 itself provides an additional argument in the form of the system it contains for extending the maximum period of data retention. Article 12 of that directive allows Member States facing particular circumstances, which in this instance are not defined, to extend the maximum retention period established under Article 6 thereof. However, such an extension is possible only for a limited period, the grounds for introducing it must be stated and it must be notified to the Commission, which has a period of six months to reach a decision on the planned measures, that is to say, to determine whether they are a means of arbitrary discrimination or a disguised restriction of trade between Member States and whether they constitute an obstacle to the functioning of the internal market. 
Even though the Commission may, in accordance with Article 12(2) of Directive 2006/24, reject those measures only on limited grounds, the existence of that system of extension supports my view that the determination, by Article 6 of that directive, of a maximum data retention period of up to two years in the absence of exceptional circumstances is not necessary and that it must be regarded as incompatible with the requirements under Articles 7 and 52(1) of the Charter. 
It follows that Article 6 of Directive 2006/24 is incompatible with Articles 7 and 52(1) of the Charter in so far as it requires Member States to ensure that the data specified in Article 5 of that directive are retained for a period of up to two years
The Court highlighted that -
  • the Directive covers, in a generalised manner, all individuals, all means of electronic communication and all traffic data without any differentiation, limitation or exception being made in the light of the objective of fighting against serious crime. 
  • the Directive fails to provide any objective criterion which would ensure that the governments have access to the data and can use the data only for the purposes of prevention, detection or criminal prosecutions concerning offences that, in view of the extent and seriousness of the interference with the fundamental rights in question, may be considered to be sufficiently serious to justify such an interference. 
  • the Directive simply refers in a general manner to ‘serious crime’ as defined by each EU state in its national law. 
  • the Directive does not lay down substantive and procedural conditions under which the governments may have access to and use the data. In particular, access is not made dependent on the prior review by a court or by an independent administrative body. 
  • as concerns the data retention period, the Directive imposes a period of at least six months, without making any distinction between categories of data on the basis of the persons concerned or the possible usefulness of the data in relation to the objective pursued. Furthermore, that period is set at between a minimum of six months and a maximum of 24 months, but the Directive does not state the objective criteria on the basis of which the period of retention must be determined in order to ensure that it is limited to what is strictly necessary. 
  • the Directive does not provide for sufficient safeguards to ensure effective protection of the data against the risk of abuse and against any unlawful access and use of the data. 
  • the Directive does not require that the data be retained within the EU and accordingly does not fully ensure the control of compliance with the requirements of protection and security by an independent authority, as is, however, explicitly required by the Charter. Such a control, carried out on the basis of EU law, is an essential component of the protection of individuals with regard to the processing of personal data.
The Court notes that the Directive permits service providers to have regard to economic considerations when determining the level of security which they apply (particularly as regards the costs of implementing security measures). The Directive does not ensure the irreversible destruction of the data at the end of the retention period.