The fundamentals of EU Data Protection Law are clear. Article 8 of the EU Charter of Fundamental Rights provides that “Everyone has the right to the protection of personal data.” Whilst the fundamentals may be clear, the application of EU Data Protection Law is complicated. One complication is that EU Data Protection law applies at an EU level. Each EU Member State must implement their own national data protection law (the EU’s new General Data Protection Regulation will change this somewhat, but not by as much as once thought). Deciding where the dividing line is between EU and national laws is the complication evident in Tele2 and Watson.These cases have been joined together and were heard by the Court of Justice of the EU back in April. The opinion of the ECJ’s Advocate General Henrik Saugmandsgaard Øe was given yesterday.
Both of these cases raise questions about the interpretation of a previous judgment of the ECJ in Digital Rights Ireland. The ECJ had held in that case that the retention of telecommunications data under the EU’s Data Retention Directive was invalid as it amounted to “ … a wide-ranging and particularly serious interference with those fundamental rights … without being precisely circumscribed … to ensure that it is actually limited to what is strictly necessary." The Data Retention Directive had provided for the retention of communications meta-data such as the source and destination of communications, dates, times and other information other than content. EU Member States would have implemented this EU Directive through their own national data retention laws. Some EU Member States repealed or amended their national laws following Digital Rights Ireland; others did not. This has led to the ECJ being asked to clarify whether EU data protection laws should apply to the data retention of data under such nation law in Tele2 and Watson. These applications ask two substantive questions of the ECJ.
The first question asked is whether such national data retention laws are in fact outside the scope of EU law and so outside the jurisdiction of the ECJ. It is the opinion of Advocate General Saugmandsgaard Øe that they are not. The Czech, French, Polish and U.K. Governments argued that “ … access to the data (retained) and its use by the police and judicial authorities of the Member States relate to public security, defence and State security, or at least fall within the ambit of criminal law." If this were so, then EU data protection law would not apply to this data retention. Advocate General Saugmandsgaard Øe disagreed, as the obligation to retain data was not itself an obligation of criminal law. And so in his opinion the creation of national data retention regimes is subject to EU data protection law in general and the EU’s ePrivacy Directive 2002/58 in particular.
The second question asked is whether Member States can create their own national data retention regimes requiring the retention of “ … data relating to all communications effected within the national territory." Advocate General Saugmandsgaard Øe is of the opinion they can, though any such national laws would have to comply with EU data protection law. This would require national laws that provide for “ … accessibility, foreseeability and adequate protection against arbitrary interference” and other safeguards. This national law would have to respect the essence of the EU rights to privacy and data protection, be proportionate and “ …strictly necessary in the fight against serious crime.”
Even if all such protections are present, national courts will still have to assess, as Saugmandsgaard said in his opinion, “ …whether the disadvantages caused by the general data retention obligations … are not disproportionate, within a democratic society, to the objectives pursued.” In carrying out that assessment a nation court should “ … weigh the risks posed by such obligations against the advantages they offer." The risk being “ … the power to catalogue the private lives of individuals and to catalogue a population in its entirety.” The advantage being “ … giving the authorities whose task it is to fight serious crime a certain ability to examine the past.”
This challenge is one more illustration of how the U.K. is becoming disengaged from the EU. David Davis was one of the members of the U.K. Parliament who brought this challenge to the UK’s data retention laws. These laws are within the remit of Theresa May, then the U.K. Home Secretary, now Prime Minister. Theresa May appointed David Davis as her Minister for Brexit last week and he has now “removed his name from the case." This case will now go forward under the name of Tom Watson, one of the remaining co-respondents.
The opinion of Advocate General Saugmandsgaard Øe is not a judgment. Often the ECJ will follow the opinion of its Advocate General; sometimes it will not. It will be interesting to see what the ECJ does on this occasion. If the ECJ agrees that national data retention laws can, subject to the appropriate controls, comply with EU data protection law, this may then suggest that the data retention regimes of third countries, such as the U.S., can also comply with EU law (again subject to the appropriate controls). This might make it more likely that the EU/U.S. Privacy Shield would survive referral to the ECJ. But this is just speculation. We cannot know what the judgment of the ECJ will be until that judgment is given, probably before the end of this year.
Top image courtesy of European Commission