This week, Advocate General (AG) Henrik Saugmandsgaard Øe, senior advisor to the European Court of Justice (CJEU), dealt new British Prime Minister Theresa May’s plans for increased surveillance powers a serious blow.
In his formal opinion on cases Tele2 Sverige AB v Post- och telestyrelsen (C-203/15) and C-698/15 Davis and Others on national data retention obligations in Sweden and the U.K., respectively, Øe said that while such obligations may be compatible with EU law, they must be subject to a long list of safeguards and are only really justifiable in combating serious crime. Privacy International called the opinion “a serious blow to the U.K.'s Investigatory Powers Bill.”
The key question: What constitutes “serious crime”?
Case C-698/15 was brought by current British Secretary of State for Brexit, David Davis (who has since withdrawn his name), and Deputy Labour Leader Tom Watson against the Data Retention and Investigatory Powers Act (DRIPA).
Under DRIPA, the British Home Secretary can force public telecommunications operators to retain metadata on all communications for up to a year in the interests of:
national security; public safety; public health; prevention or detection of crime; prevention of disorder; the economic well-being of the U.K., if this is also relevant to national security; assessment or collection of tax; investigations into alleged miscarriages of justice; identification of persons who have died or who are unable to identify themselves; regulation of financial services and markets; financial stability; or “any other purpose specified in an order made by the Home Secretary.”
Øe took issue with that effective surveillance carte blanche, saying, “solely the fight against serious crime is an objective in the general interest that is capable of justifying a general obligation to retain data, whereas combating ordinary offences and the smooth conduct of proceedings other than criminal proceedings are not.”
Tuesday’s opinion drew significantly on jurisprudence established in the 2014 Digital Rights Ireland case, which ruled the blanket data retention required by the EU Data Retention Directive was illegal because, in the words of the court, “the directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data.”
GDPR rapporteur Jan Philipp Albrecht pointed out that Øe’s opinion “doesn’t provide concrete answers in the legal case on blanket data retention provisions in EU member states.” The AG says it is up to the national courts to determine whether sufficient safeguards are in place for data retention. However, he does give a long list of guidelines that should be met before national authorities should impose data retention obligations, given that the “considerable risks” of data retention may “outweigh the benefits.”
“The retention obligation must have a legal basis,” states the opinion. “It must observe the essence of the rights in the European Charter of Fundamental Rights; it must pursue an objective of general interest; it must be appropriate for achieving that objective; it must be necessary in order to achieve that objective; and it must be proportionate, within a democratic society, to the pursuit of that same objective.”
Critics say it is hard to see how the long list of scenarios for retaining data under DRIPA meets those requirements. But much more clarity is needed, as Albrecht points out: “While naming the various high requirements as minimum standards and making clear that even if meeting those data retention laws may still be unproportionate, the AG fails to deliver clear indications whether and when these requirements would not be met by a Member State’s law. We can only hope that the judges of the Court will not allow themselves to be that vague when interpreting the EU fundamental rights vis-à-vis Member States’ laws.”
Øe did say that certain sensitive data should be excluded from retention: “To my mind, it would be desirable, if the technology allowed, to exclude from the retention obligation data that is particularly sensitive in terms of the fundamental rights, such as data that is subject to professional privilege or data which makes it possible to identify a journalist’s source.”
“From a practical point of view, none of the three parties concerned by a request for access is in a position to carry out an effective review in connection with access to the retained data. Competent law enforcement authorities have every interest in requesting the broadest possible access. Service providers, who will be ignorant of the content of any investigation file, are incapable of checking that requests for access are limited to what is strictly necessary, and persons whose data are consulted have no way of knowing that they are under investigation, even if their data is used abusively or unlawfully,” continues the opinion.
Øe’s opinion is not legally binding on the court, which will make its final ruling in the coming months, but in general judges tend to follow the AG’s advice. In the current cases, the court is specifically asked “to pinpoint the correct balance between the obligation which member states are under to ensure the security of individuals within their territory, and observance of the fundamental rights to privacy and the protection of personal data.”
On the issue of defining “serious crime,” several civil liberties organizations have been outspoken.
“The advocate general has stated that data retention should only be used in the fight against serious crime,” said Open Rights Group Executive Director Jim Killock, “yet in the U.K. there are more than half a million requests for communications data each year. These do not only come from police but also local councils and government departments. It is difficult to see how the government can claim that these organizations are investigating serious crimes.”
Digital Rights Ireland’s TJ McIntyre tweeted that “serious crime must become an autonomous EU concept, then. In Irish law serious crime includes theft of a Mars bar!” Meanwhile Privacy International said it “does not agree that the large-scale collection and retention of innocent people’s data is necessary and proportionate, even in the context of tackling ‘serious crime’.”
“It is time for EU member states to start respecting the law,” said Executive Director of European Digital Rights Joe McNamee, “and for the European Commission to do its job to ensure that the law is respected. How many times does the court need to be asked the same question before member states start listening? Data retention is an extreme measure which can only be implemented if the criteria repeatedly laid down by the court are respected.”
Lawyers in the U.K. were more concerned with what the impact would be on the planned Investigatory Powers Bill, DRIPA’s successor. “The opinion of the AG, whilst non-binding, raises serious questions about U.K. data retention legislation,” said James Blessing, Internet Services Providers' Association (ISPA) chairman. “It calls into question some aspects of the IP Bill, and ISPA therefore calls on the Home Office to ensure the legal framework around data retention is fully compliant with the final court judgment. It is vital to give industry certainty on what the rules are, maintain user confidence in online services and avoid another round of lengthy legal proceedings.”
“The retention of telecoms metadata is an area where the U.K. government has consistently taken a more hawkish approach than Europe,” added Rob Bratby, partner and head of Telecoms at Olswang. “The balance between the rights of individuals to privacy and the state to collect information is often in tension. For now, the decision of the court will be binding on the U.K., but of course some of the scenarios for Brexit would enable the U.K. to go further than the court [may permit] in its ruling,” he said.
Hogan Lovells Partner Eduardo Ustaran also looked at Brexit implications: “First, I think it is important to appreciate the huge importance of this case for data protection in the U.K. post Brexit. The AG’s opinion gives us a glimpse of how the U.K. would fare if it seeks to be deemed adequate to receive data from the EU. From what I am reading, the AG is following the doctrine of the previous CJEU cases: Data retention as such is not unlawful no matter what, but it has to be democratically justifiable. If you apply this thinking to the Privacy Shield, you may be able to conclude that it does meet the necessary standards, providing that all of the government assurances hold water.”
In the end, the AG’s opinion may have raised more questions than it answered. The court’s opinion is now eagerly awaited.
Image provided by the Court of Justice of the European Union.