Thursday, 15 October 2020

Hard questions about soft limits

The judgments of the Grand Chamber of the EU Court of Justice in Privacy International (C-623/17) and the joined cases of La Quadrature du Net (C-511/18 and C-512/18) and Ordre des barreax francophones et Germanophone (C-520/18) landed with a reverberating thud on the morning of 6 October 2020.

These referrals, from the UK, France and Belgium, posed questions about the compatibility with EU law of state surveillance legislation in each country. Although differing from each other in some respects, the cases all had in common that they concerned retention, processing or transmission to the authorities not of the content of messages, but contextual ‘communications data’ such as sender, recipient, time of sending, length and type of communication, kind of device and its location.


From a UK perspective, the main interest is in the potential effect of these judgments on the expected decision by the European Commission on the adequacy – or not – of the UK’s regime for protection of personal data.  If the UK is to maintain unhindered flows of personal data from the EU post-Brexit, an adequacy decision will ensure that. Although the UK has largely replicated the GDPR, the UK’s communications surveillance regime will still be relevant to an adequacy decision – as the Schrems 2 litigation over the EU-US Privacy Shield has highlighted.

Although none of last week’s CJEU judgments addressed the current UK communications surveillance framework under the Investigatory Powers Act 2016, the judgments will be closely scrutinised and mapped on to that. The UK government has described the current surveillance regime at Section H of its Explanatory Framework for Adequacy Discussions, produced for the purposes of negotiation with the EU.

The CJEU referrals

The three CJEU cases addressed different kinds of activity that the respective national legislation could authorise and require service providers to undertake. Although the judgments have generally been reported as being about mandatory retention of communications data, they are not limited to that. They also address national legislation requiring automated analysis of communications data to detect terrorism, and real-time feeds to security and intelligence authorities. 

The cases also vary between legislation directly imposing blanket obligations on all service providers, and legislation conferring discretionary powers on national authorities enabling them to require individual service providers to engage in stipulated activities. This is now becoming a critical distinction.

The UK reference concerned Section 94 of the Telecommunications Act 1984. This enabling legislation conferred a general power on a Secretary of State to give directions to providers of public electronic communications networks in the interests of national security or of relations with a foreign government. In November 2015 the UK government publicly acknowledged for the first time that this power had been used to require providers to transfer some kinds of communications data in bulk to the security and intelligence agencies (GCHQ and MI5).  (S.94 has since been repealed and, for this purpose, is superseded by the bulk communications data acquisition warrant under the Investigatory Powers Act 2016.)

The Belgian reference concerned mandatory communications data retention.  The Belgian law in question imposed a blanket obligation on all service providers to retain, for 12 months, various kinds of subscriber, traffic and location data (including both origin and destination of communications). The law then stipulated purposes for and conditions under which various kinds of state authority could issue demands for data to be handed over. Data could be used for a wide variety of criminal investigations.

The French reference, as it related to communication data retention, concerned legislation directly imposing a blanket obligation on all service providers for the purpose of investigating, detecting and prosecuting criminal offences. The reference also dealt with a series of discretionary statutory powers enabling the French authorities to instruct providers to carry out a variety of communications data analysis and reporting activities:

-          For the purpose of preventing terrorism, real-time transfer of communications data relating to a person previously identified as potentially having links to a threat, and to associates of such person believed on substantial grounds to be capable of providing relevant information. (L.851-2)

-          For the purpose of preventing terrorism, automated data processing by the service provider designed, within the parameters laid down in the authorisation, to detect links that might constitute a terrorist threat; and where data has been detected as likely to point to the existence of a terrorist threat, a procedure for authorising identification of the person concerned and collection of the related data. (L.851-3)

-          Real-time transmission to the authorities of technical data relating to the location of terminal equipment for a wide variety of, broadly, security-related purposes. (L.851-4)


The CJEU articulated a number of points of principle. Of especial relevance are:

-         The same issues of compliance with EU law and the EU Charter of Fundamental Rights that were discussed (for data retention) in Digital Rights Ireland and Tele2/Watson arise with transmission of data to third parties and access to data with a view to its use. (C-623/17 [61])

-         Information that may be provided by profiling using traffic data and location data is no less sensitive than the actual content of communications. (C-623/17 [71]; C-511/18 et al [117], [184])

-         Transmission of traffic data and location data to persons other than users constitutes interference with fundamental rights, regardless of how that data is subsequently used. (C-623/17 [69] and [70])

-         Transmission to public authorities has the effect of making that data available to them. Legislation which permits general and indiscriminate transmission of data to public authorities entails general access. (C-623/17 [79] and [80])

-         The ePrivacy Directive requires that exceptions to confidentiality of communications remain exceptions. Legislation enabling general and indiscriminate transmission of traffic and location data to the authorities renders the exception the rule. That is not permissible. (C-623/17 [69], C-511/18 et al [111], [142])

-         The Charter requirement that any limitation on the exercise of fundamental rights be provided for by law implies that the legal basis which permits the interference with those rights must itself define the scope of the limitation on the exercise of the right concerned. (C-623/17 [65], C-511/18 [175]) (citing Schrems 2, [175])

-         General access to all retained data (including by general and indiscriminate transmission), regardless of whether there is any link, at least indirect, with the aim pursued, cannot be regarded as strictly necessary.  (C-623/17 [78], [80], [81])

-         The objective of safeguarding national security is capable of justifying measures entailing more serious interferences with fundamental rights than might be justified by the other objectives set out in Article 15(1) of the ePrivacy Directive. (C-623/17 [75], C-511/18 et al [136])

-         It is not sufficient for legislation to specify the purpose for which powers may be exercised. It must, by means of clear and precise rules, lay down the substantive and procedural conditions governing the use of the data, thereby ensuring that the interference is limited to what is strictly necessary. (C-623/17 [68], [77]; C-511/18 et al [132], [133], [155], [166] to [168], [176])

Applying the principles

How did these and other principles relied upon by the CJEU translate into EU law compatibility (or otherwise) of the powers under consideration?

First, a cautionary note. The CJEU style of judgment tends towards what might be called ‘opaque clarity’: ringing declarations of high principle, the concrete meaning of which is left for another day. The Court of Appeal has observed: “The CJEU is notorious for making pronouncements resembling those of the oracle at Delphi…”.

A classic example in the present field is the prohibition on “general and indiscriminate retention”, contrasted with ‘targeted retention’. The exact position of the boundary between the two has yet to be discovered. Not only that, but what might have appeared from previous CJEU judgments to be a prohibition of general application now turns out to have context-specific exceptions.

This characteristic of CJEU judgments, especially relevant where the EU Charter is concerned, has to be borne in mind when attempting to extrapolate them to different facts and contexts.

Internal service provider activities versus state access

In these judgments the CJEU drew a high-level distinction between retention and processing activities internal to service providers, and access to data by the authorities.

On the service provider side of the boundary, legislation compelling general and indiscriminate activities is generally precluded. However, the Court indicated some limited situations and purposes for which legislation could mandate service providers to engage in general and indiscriminate retention, or limited to some kinds of communications data (source IP addresses and subscriber identity data), or to undertake automated processing of all communications data retained by them.

By contrast, in no circumstances – or at least none considered by the Court – was it permissible for legislation to provide the authorities with general and indiscriminate access to communications data held by the service providers, including (as with the UK’s Section 94) by mandatory transmission to the authorities.

Blanket obligations versus enabling legislation

The CJEU has previously had no hesitation in holding legislation that directly imposes a blanket data retention obligation on all service providers to be incompatible with EU law. It did that in Tele2/Watson for the Swedish legislation in issue in that case. In these latest cases it has done the same for the French and Belgian blanket data retention legislation.

The position is more nuanced with legislation conferring discretionary powers. The CJEU in Tele2/Watson set out a series of principles applicable to data retention legislation, but stopped short of holding that the then UK data retention legislation (DRIPA) was incompatible with EU law.  That assessment was returned to the UK court. 

DRIPA was structured as enabling legislation, empowering the Secretary of State to issue notices to service providers for up to 12 months. DRIPA required the Secretary of State to consider that issuing a data retention notice was necessary and proportionate for one of the purposes enumerated in the Act. The current IP Act is in similar terms, although additionally requiring the Secretary of State to take into account a number of factors set out in the legislation. A retention notice under the IP Act is also subject to prior approval of an independent Judicial Commissioner.

The question then arises whether, as a matter of EU law, it is sufficient for Member State legislation to require the relevant authorities to exercise a discretionary power in accordance with necessity and proportionality principles, accompanied by safeguards aimed at ensuring that this is achieved. Or must the statute itself set out substantive limits on the exercise of the power?

Two distinct points are in play here: first, could the power in question be exercised in a way that strays into requiring the service provider to undertake illegitimate general and indiscriminate activities? Second, does legislation that relies primarily on obligating observance of principles and establishing safeguards, in preference to setting hard limits on the exercise of a power, satisfy the EU law requirement for clear and precise rules?

Taken to the extreme, could an otherwise insufficiently circumscribed general discretionary power be saved by a provision requiring it to be exercised in accordance with the EU Charter on Fundamental Rights? If the answer to that is ‘No’, then how far must the legislation go in setting substantive limits?

The requirement for clear and precise rules is nominally the same as the European Convention on Human Rights ‘prescribed by law’ test. However, there are indications that the CJEU may be open to taking a stricter approach than does the Strasbourg court. The CJEU at paragraph [124] of the La Quadrature decision refers to taking account of the ECHR as establishing a ‘minimum threshold of protection’.

The IP Act in the English courts

By the time the Watson case returned to the English Court of Appeal, DRIPA had been superseded by the IP Act. Separately, Liberty had commenced proceedings challenging the data retention and bulk powers provisions of the IP Act.  The question of compatibility with EU law was therefore left to be determined in the Liberty proceedings.  In April 2018 the Divisional Court held that the IP Act data retention powers were compatible with EU law.

As to the second point (hard limits), the court did not read the Watson decision as requiring detailed factors (as it described them) to be listed in domestic legislation.  It was sufficient if the legislation permitted decisions to be taken that were (a) sufficiently connected with the objective being pursued (b) strictly necessary and (c) proportionate ([124]), coupled with safeguards so as to achieve effective protection against the risk of misuse of personal data. ([125])

The obligation on the Secretary of State to exercise the power only if she considered it both necessary and proportionate for one or more of the purposes listed in the Act “enshrines in the statute the essence of the tests propounded in Watson”. ([128])

The court found that the limits suggested by the CJEU in Watson (by reference to categories of persons and geographical areas) were not exhaustive or prescriptive. The suggested limits were examples of parameters that could be used according to the facts of a particular situation. ([123]) It would be impractical and unnecessary to set out in detail in legislation the range of factors which might fall to be applied according to the circumstances of different cases ([124]).

As to the first point (general and indiscriminate retention), the court said that it was difficult to conceive how a notice encompassing all communications data in the UK could satisfy the statutory necessity and proportionality tests ([129]); and that it could not possibly be said that the legislation required, or even permitted, a general and indiscriminate retention of communications data ([135]).

Must the Member State make a list?

This approach prompts the question: does the fact that the criteria suggested by the CJEU were not prescriptive or exhaustive mean that a Member State does not have to list in its own legislation a set of conditions constraining the exercise of a discretionary power, so that their compliance with strict necessity can be gauged? Is it sufficient to lay down factors to be taken into account when exercising the power? Would the latter enable the scope of the power to be tested objectively against connection with the objective pursued?

Although the CJEU in Watson observed at [110] that the conditions might vary according to the nature of the measures taken for the purposes of prevention, investigation, detection and prosecution of serious crime, it referred to “substantive conditions which must be satisfied by national legislation”. It went on that such conditions must be shown to be such as actually to circumscribe, in practice, the extent of that measure and, thus, the public affected.

Schrems 2 appears

At the time of the Divisional Court’s Liberty decision the CJEU had not held any enabling legislation to be incompatible with EU law. That has now changed. First, the Schrems 2 decision, albeit considering essential equivalence of US laws with EU personal data protection rather than compatibility of a Member State’s laws, held that certain US enabling provisions did not provide adequate protection of personal data. The limitations on personal data protection were not: “circumscribed in a way that satisfies requirements that are essentially equivalent to those required, under EU law” ([185]).

Schrems 2 emphasised that:

“the requirement that any limitation on the exercise of fundamental rights must be provided for by law implies that the legal basis which permits the interference with those rights must itself define the scope of the limitation on the exercise of the right concerned…” [175] (emphasis added)

Like previous CJEU judgments it distinguished between the legislation itself and a measure that it empowered:

“the legislation in question which entails the interference must lay down clear and precise rules governing the scope and application of the measure in question and imposing minimum safeguards … . It must, in particular, indicate in what circumstances and under which conditions a measure providing for the processing of such data may be adopted, thereby ensuring that the interference is limited to what is strictly necessary.” [176] (emphasis added)

These points were repeated in the recent CJEU judgments, emphasising also that the legislation must be legally binding under domestic law (La Quadrature [132]).

The emphasis on clear and precise conditions set out in the legislation itself raises anew the question whether an approach based primarily on safeguards and oversight of a broad discretionary power is compatible with EU law.

If it remains possible for the discretion to be exercised in a way that results in impermissible general and indiscriminate retention, then EU law is not complied with. 

Further, the more is left to discretion, the less likely it would seem that the criterion of practical effect resulting from substantive conditions would be satisfied:

“the substantive conditions which must be satisfied by national legislation … must be shown to be such as actually to circumscribe, in practice, the extent of that measure and, thus, the public affected.” Tele2/Watson [110]).

This is illustrated by the holdings in Schrems 2 regarding the two specific US surveillance programmes under consideration. The programmes authorised collection of both communications data and content.

The CJEU held that S702 FISA did not itself define the scope of the limitation on the exercise of the right concerned and lay down clear and precise rules governing the scope and application of the measure in question (nor impose minimum safeguards). S702 authorised surveillance programmes rather than individual surveillance measures. The supervisory role of the FISC was designed to verify whether surveillance programmes related to the objective of acquiring foreign intelligence information, not whether individuals were properly targeted to acquire foreign intelligence information.

Similarly it held that PPD‑28, which allowed, in the context of the surveillance programmes based on E.O. 12333, access to data in transit to the United States without that access being subject to any judicial review, did not, in any event, delimit in a sufficiently clear and precise manner the scope of such bulk collection of personal data. It allowed for bulk collection … of a relatively large volume of signals intelligence information or data under circumstances where the Intelligence Community could not use an identifier associated with a specific target to focus the collection.

In those circumstances, the CJEU held that limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data were not circumscribed in a way that satisfied requirements essentially equivalent to those required under EU law ([185]).

Section 94 - EU law versus ECHR

In the Privacy International case the CJEU's findings appear unavoidably to lead to the conclusion that the UK S.94 enabling legislation was contrary to EU law. Two points are noteworthy:

First, Section 94(2A) stipulated that “The Secretary of State shall not give a direction … unless he believes that the conduct required by the direction is proportionate to what is sought to be achieved by that conduct.” Similar provisions are contained in the IP Act.

Second, the incompatibility ruling applies to S.94 after avowal, publication of Handling Arrangements and commencement of independent oversight in November 2015. For the period following that, the IPT had held that s.94 complied with the ECHR 'provided by law' requirement:

“The ICC concluded … that the relevant agencies had introduced comprehensive procedures, in accordance with the Handling Arrangements, to ensure that they only acquired and retained bulk communications data, and then accessed and undertook analysis of that data, in order to pursue their functions under SSA 1989 or ISA 1994. The essential protection against a potential abuse of power under s.94, namely a requirement that the BCD may only be obtained and used for proper purposes, is thus provided by law, and subject to effective oversight.” [91]

This approach (echoed in the Divisional Court judgment in Liberty discussed above) stands in apparent contrast to the CJEU’s stipulation that:

“legislation cannot confine itself to requiring that authorities’ access to the data be consistent with the objective pursued by that legislation, but must also lay down the substantive and procedural conditions governing that use”. (Privacy International [77], also see La Quadrature [176])

This suggests that legislation should specify the criteria that the authorities must satisfy, and the authorities must decide whether, in a particular situation, the criteria are met – if necessary, backed up by verification and approval by an independent authority.

The CJEU appears to regard the criteria to be met as gateways to be passed through, rather than as factors to be taken into account by the authorities when exercising their discretion. At the least, the judgments appear to lean in the direction of requiring concrete limits to be spelled out in the legislation, rather than left to surrounding safeguards.

It is an open question how far the CJEU’s approach might encompass instruments such as statutory Codes of Practice within ‘legislation’. The answer may depend both on whether they lay down sufficiently clear and precise rules and on whether they pass the ‘legally binding under domestic law’ test. If so, then it would be a question of whether the constraints imposed were sufficient to bring the powers within the relevant substantive limits identified by the CJEU .

The Investigatory Powers Act

How does this approach map on to the Investigatory Powers Act? Looking beyond the end of the Brexit transition period, the significant question will not be compliance with EU law as such, but whether the UK regime provides “essentially equivalent” protection for personal data. However, the two are closely related. Furthermore, the IP Act’s compliance with EU law is one aspect of the pending domestic judicial review by Liberty, which (as regards general and indiscriminate data retention at least) is on its way to the Court of Appeal.

Two aspects of the IP Act that overlap with the CJEU judgments are data retention (Part 4) and the bulk communications data acquisition warrant (Part 6 Chapter 2). The latter is for these purposes the IP Act replacement for Section 94 TA.

However, bulk communications data (known as secondary data) is also collected by means of bulk interception warrants under Part 6 Chapter 1). Even the targeted warrantry regime could be relevant, given the possibility of obtaining ‘thematic’ warrants.

For the sake of simplicity I will focus on two powers: data retention and the bulk communications data acquisition warrant. Both of these are enabling provisions, rather than blanket requirements. 

Hard versus soft limits

Although hedged around with more safeguards than either DRIPA (for data retention) or Section 94 (for bulk communications data acquisition) - including prior approval by a Judicial Commissioner of a notice or warrant respectively - both powers adopt the model of a broad power exercisable for broadly defined purposes.

The data retention power enables the Secretary of State (subject to Judicial Commissioner approval), if she considers the requirement necessary and proportionate for one or more of the purposes set out in the Act, to require a telecommunications operator by notice to retain certain categories of communications data. The notice must not require retention for longer than 12 months. It can specify either a single operator or description of operators, the data to be retained and the retention period.

The power cannot be exercised solely on the basis that the data relates to the activities in the British Islands of a trade union.

The Secretary of State is required to take into account a number of factors before giving a retention notice, including the likely benefits of the notice and the likely number of users (if known) of any telecommunications service to which the notice relates.  

The bulk communications data acquisition power is one of several bulk powers grouped under Part 6 of the IP Act. The Secretary of State may (subject to Judicial Commissioner approval), if she considers it necessary on various national security grounds, issue an intelligence service with a warrant authorising bulk acquisition of communications data. She must consider that the conduct authorised by the warrant is proportionate to what is sought to be achieved by the conduct.

She must also consider that examination of acquitted communications data is or may be necessary for each operational purpose specified in the warrant, in addition to the grounds on which she considered the warrant to be necessary.

Necessity on national security-related grounds cannot be established solely on the basis that the data relates to the activities in the British Islands of a trade union.

A bulk acquisition warrant can be issued for up 6 months, subject to renewal.

A telecommunications operator served with a copy of the warrant is under a duty to take steps to implement the warrant, subject to reasonable practicability.

Various safeguards regarding use of acquired data are stipulated.

The policy of the IP Act

The structure of these powers  reflects an underlying policy to draw the powers widely, then apply safeguards.  David Anderson QC (now Lord Anderson) observed in his August 2016 Bulk Powers Review:

“I have reflected on whether there might be scope for recommending the “trimming” of some of the bulk powers, for example by describing types of conduct that should never be authorised, or by seeking to limit the downstream use that may be made of collected material. But particularly at this late stage of the parliamentary process, I have not thought it appropriate to start down that path. Technology and terminology will inevitably change faster than the ability of legislators to keep up. The scheme of the Bill, which it is not my business to disrupt, is of broad future-proofed powers, detailed codes of practice and strong and vigorous safeguards.”

If the effect of the CJEU decisions is, as already discussed, that a safeguards-heavy and limitations-light approach is not permissible, so that legislation must spell out concrete conditions for the exercise of the power rather than obligations to observe necessity and proportionality and factors to be taken into account, then the scheme of the IP Act bulk communications data retention and acquisition powers, and the arguments that succeeded in the Divisional Court in Liberty, appear to be at risk. For what it may be worth, in 2016 I suggested some limitations that could be applied to the then Bill’s bulk powers.

Beyond that, it should not be forgotten that the UK bulk powers extend to bulk interception of the content of communications. The CJEU in Digital Rights Ireland suggested that a data retention obligation relating to content might adversely affect the essence of the right of privacy under Article 7 of the Charter. The Schrems 2 decision, on the other hand, drew no distinction between content and communications data.

General and indiscriminate?

Do the IP Act data retention and bulk communications data acquisition powers amount to general and indiscriminate data retention and transmission? A blanket requirement directly imposed by legislation on all providers clearly amounts to that. In the context of a power exercisable case by case, what amounts to ‘general and indiscriminate’?

It is evident from the La Quadrature judgment ([172]) that an instruction to a single service provider is capable of being general and indiscriminate if it involves, at the request of the competent national authorities, screening all the traffic and location data retained by a provider. The same is true of the Privacy International judgment, as regards transmission. Equally, the Court endorses the principle of a power that can be exercised only in a sufficiently targeted manner.

What amounts to indiscriminate? At least, lack of objective criteria establishing a connection between the data to be retained, analysed or transmitted and the objective pursued. (La Quadrature [133])

The CJEU suggests that a geographic criterion is capable of amounting to targeted retention, if there is an objectively justifiable reason for selecting the area:

“The limits on a measure providing for the retention of traffic and location data may also be set using a geographical criterion where the competent national authorities consider, on the basis of objective and non-discriminatory factors, that there exists, in one or more geographical areas, a situation characterised by a high risk of preparation for or commission of serious criminal offences … .

Those areas may include places with a high incidence of serious crime, places that are particularly vulnerable to the commission of serious criminal offences, such as places or infrastructure which regularly receive a very high volume of visitors, or strategic locations, such as airports, stations or tollbooth areas.” La Quadrature [150]

If selecting such an area is objectively justified, then presumably it could in principle be legitimate to require all the communications of a purely local provider within that area to be retained. That would not be true if there were no objectively justifiable reason to select that area, in which case the same retention would presumably be indiscriminate.

Whatever the legitimacy of the overall legislative approach adopted, if a Member State (or the UK) wishes to avail itself of the different kinds of power that the CJEU has now held are permissible in certain situations, for certain purposes, in certain factual situations (see further, below), or for certain kinds of data (such as source IP addresses or user identity data), then it seems unavoidable that the state should legislate separately for each variety of power, setting out the conditions that apply to each one.

For instance, as described below the CJEU has set out different conditions applicable to real-time and non-real-time access to data held by service providers. The UK’s Section 94 (and now the bulk communications data acquisition warrant) appear capable of covering real-time, near-real-time and non-real-time transmission, but do not differentiate between them. The CJEU commented on that in the Privacy International judgment:

“Such a disclosure of data by transmission concerns all users of means of electronic communication, without its being specified whether that transmission must take place in real-time or subsequently.” ([52])

Following the Privacy International and La Quadrature CJEU judgments it appears less likely that such lack of differentiation would pass muster.  

As to the different kinds of power under consideration, the CJEU findings in the French and German references (The UK's Section 94 is discussed above) were as follows.

Mandatory data retention

Permissible general and indiscriminate retention For mandatory data retention, the Court reaffirmed the general rule that legislation providing, as a preventive measure, for general and indiscriminate retention of traffic and location data is impermissible.

However, the Court identified certain exceptions. In each case these measures must ensure, by means of clear and precise rules, that the retention of data at issue is subject to compliance with the applicable substantive and procedural conditions and that the persons concerned have effective safeguards against the risks of abuse.

1.       Serious threat instruction for the purposes of safeguarding national security. An instruction for this purpose to retain traffic data and location data generally and indiscriminately is permissible, provided that a situation exists in which the Member State concerned is confronted with a serious threat to national security that is shown to be genuine and either present or foreseeable. The instruction may be given only for a period limited to what is strictly necessary, but which may be extended if that threat persists. The decision imposing such an instruction must be subject to effective review, either by a court or by an independent administrative body whose decision is binding. 

2.      Source IP addresses for the purposes of safeguarding national security, combating serious crime and preventing serious threats to public security. Legislation for these purposes providing for the general and indiscriminate retention of IP addresses assigned to the source of an internet connection is permissible, if the retention is limited to a period limited to what is strictly necessary.

3.      Identity data for the purposes of safeguarding national security, combating crime and safeguarding public security. Legislation for these purposes providing for the general and indiscriminate retention of data relating to the civil identity of users is permissible.

Targeted retention The Court also elaborated on its observations in Tele2/Watson regarding permissible mandatory retention, for the purposes of combating serious crime and preventing serious threats to public security, targeted according to categories of persons and geographic criteria.

Targeted preservation It also addressed expedited targeted preservation. For the purposes of combating serious crime and, a fortiori, safeguarding national security it is permissible to allow recourse to an instruction requiring service providers, by means of a decision of the competent authority that is subject to effective judicial review, to undertake, for a specified period of time, the expedited retention of traffic and location data in their possession.

As with the permissible categories of general and indiscriminate retention, these targeted measures are subject to the requirement for clear and precise rules and effective safeguards against the risks of abuse.

Automated analysis of traffic and location data

This part of the Court’s judgment relates to French L.851-3, mandating automated processing of traffic data and location data by the service provider for the purpose of detecting links that might constitute a terrorist threat. The Court held that such automated analysis, although general and indiscriminate (see para [172]), is permissible provided that a situation exists in which the Member State concerned is facing a serious threat to national security that is shown to be genuine and either present or foreseeable; and that recourse to automated analysis may be the subject of an effective review, either by a court or by an independent administrative body whose decision is binding.

In the course of its judgment the Court expanded, in the context of the French legislation, on steps that should be taken to ensure that pre-established models, criteria and databases are:

- specific and reliable, making it possible to achieve results identifying individuals who might be under a reasonable suspicion of participation in terrorist offences;

- non-discriminatory;

- not based on sensitive personal data in isolation; and

- subject to regular re-examination to ensure they are reliable and up to date.

Further, any positive result should be subject to individual manual re-examination before being acted upon. 

Real-time access

The French measures L.851-2 and L.851-4 both enabled real-time access to traffic and location data: a variety of data in the case of L.851-2 for prevention of terrorism purposes, and technical device location data in the case of L.851-4 for a wide range of, broadly, security purposes.

The data that could be collected under L.851-2 would enable the authorities to monitor “continuously and in real time, the persons with whom those persons are communicating, the means that they use, the duration of their communications and their places of residence and movements. It may also reveal the type of information consulted online.” [184].

As regards L.851-4, the technical data would appear to allow “the department responsible, at any moment throughout the duration of that authorisation, to locate, continuously and in real time, the terminal equipment used, such as mobile telephones.”

The Court emphasised the seriousness of the interference with privacy involved in real-time collection of traffic and location data:

“It must be emphasised that the interference constituted by the real-time collection of data that allows terminal equipment to be located appears particularly serious, since that data provides the competent national authorities with a means of accurately and permanently tracking the movements of users of mobile telephones. To the extent that that data must therefore be considered to be particularly sensitive, real-time access by the competent authorities to such data must be distinguished from non-real-time access to that data, the first being more intrusive in that it allows for monitoring of those users that is virtually total … . The seriousness of that interference is further aggravated where the real-time collection also extends to the traffic data of the persons concerned.” [187]

The Court therefore distinguished between the limits and safeguards applicable to real-time and non-real time access to data. Real-time collection is not precluded for persons in respect of whom there is a valid reason to suspect that they are involved in one way or another in terrorist activities.  

That must be subject to a prior review carried out either by a court or by an independent administrative body whose decision is binding in order to ensure that such real-time collection is authorised only within the limits of what is strictly necessary. In cases of duly justified urgency, the review must take place within a short time.

In this case the Court used the specific language of ‘prior’ review, as opposed to ‘effective’ review.

The Court also emphasised, in the body of its judgment, that a decision authorising the real-time collection of traffic and location data must be based on objective and non-discriminatory criteria provided for in the national legislation and requiring the court or other independent administrative body carrying out the prior review to satisfy itself, inter alia, that such real-time collection is authorised only within the limits of what is strictly necessary.

Non-real-time access

Although not forming part of the operative part of the judgment, the Court commented on the conditions that should apply to non-real time collection. As described in Tele2/Watson: “access can, as a general rule, be granted, in relation to the objective of fighting crime, only to the data of individuals suspected of planning, committing or having committed a serious crime or of being implicated in one way or another in such a crime”.

However: “in particular situations, where for example vital national security, defence or public security interests are threatened by terrorist activities, access to the data of other persons might also be granted where there is objective evidence from which it can be deduced that that data might, in a specific case, make an effective contribution to combating such activities.”

Thus, the Court in this case observed that non-real-time collection would be permissible for persons not suspected of involvement in one way or another in terrorist activities, but only where there is objective evidence from which it can be deduced that that data might, in a specific case, make an effective contribution to combating terrorism.


Back in 2017 (updated in January 2020) I wrote a piece entitled ‘Visions of Adequacy’, in which I suggested that:

“Although concerned with bulk data retention rather than interception or interference, Watson/Tele2 provides pointers to the possible future direction of CJEU decisions. As did Schrems, Watson/Tele2 emphasises the need for differentiation, limitation and exceptions in the light of the objective pursued. This suggests that while appropriately focused and granular bulk powers may be acceptable, blanket bulk powers may not be.

If that is to be the future direction of CJEU caselaw then the IP Act’s bulk powers, which are longer on safeguards than they are on limitations, may be in trouble. …

Statutory bulk powers could be differentiated and limited. Distinctions could be made between, for instance, seeded and unseeded data mining. If pattern recognition and anomaly detection is valuable for detecting computerised cyber attacks, legislation could focus its use on that purpose. Such limitations could prevent it being used for attempts to detect and predict suspicious behaviour in the general population, precrime-style.

Under the Act these distinctions are left to assessments of necessity and proportionality by Ministers and Judicial Commissioners when issuing and approving warrants, buttressed by after the event oversight. These are soft limits, rather than the hard limits that may in future be required for bulk powers to pass muster.”

The latest CJEU decisions reinforce the perception that that is indeed the direction of its caselaw. They raise hard questions about the UK soft limits approach, even before assessing whether the UK powers are substantively compatible with the various categories now articulated by the CJEU.

[Clarificatory amendment to second paragraph of 'Internal service provider activities versus state access', 6 Oct 2020; amendment to clarify that the findings listed in the second half of the post are those in the French and German references, 19 October 2020.]

Monday, 27 July 2020

The penultimate word on copyright intermediary liability?

The 16 July 2020 Opinion of Advocate General Saugmandsgaard Øe in YouTube/Cyando is something of a tour de force, attempting in 256 closely reasoned paragraphs to construct a Grand Unified Theory of how the intermediary liability provisions of the ECommerce Directive 2000 and the communication to the public provisions of the Copyright InfoSoc Directive 2001 can be made to sit comfortably together when applied to platforms to which users can upload and share content: video streams in the case of YouTube, and a private file storage facility with the ability to share download links in the case of Cyando.
The AG’s Opinion will not be the last word on these topics –the CJEU’s judgment in YouTube/Cyando itself will follow, as well as several other pending CJEU references. The judgments may or may not adopt the AG’s approach. However, the Opinion will be difficult to surpass for its thorough analysis of the issues and in its heroic attempt to bring coherence to a fiercely contested and mutable area of the law.
However, for platforms that fall within Article 17 of the new Digital Copyright Directive the Copyright InfoSoc Directive provisions on which the AG has opined will in due course be superseded (albeit not apparently in the UK, which has said that it has no plans to implement the Digital Copyright Directive). Article 17 enacts a sui generis version of the communication to the public right and a corresponding customised liability safe harbour that will, for platforms within Article 17, replace the general Article 14 ECD shield. Notably, the AG rejected an argument that the new Directive merely clarifies what has always been the law under the existing Copyright InfoSoc Directive and the ECommerce Directive.
Article 17, we should also remember, is under challenge in the CJEU by Poland, claiming that the illegal upload prevention provision breaches Article 11 of the Charter. From that perspective, the views of the AG regarding balance of rights under the Charter will be of interest.
Why alignment?
Aligning the two Directives is an exercise peculiar to copyright. Generally speaking, the scope of the ECommerce Directive does not have to be reconciled with that of underlying substantive laws. ECD Articles 12 to 15 are an independent horizontal overlay over an enormous range of substantive civil and criminal liability across all Member States. They provide a uniform liability shield regardless of the scope of the underlying substantive law:
“Article 14(1) of Directive 2000/31 applies, horizontally, to all forms of liability which the providers in question may incur in respect of any kind of information which they store at the request of the users of their services, whatever the source of that liability, the field of law concerned and the characterisation or exact nature of the liability.” [138]

So, if a hosting provider loses the protection of Article 14 through not removing an item of content expeditiously after becoming aware of its illegality, liability does not necessarily ensue. That has to be assessed under the substantive underlying Member State law. As the AG Opinion puts it:
“the purpose of [Article 14] is not to determine positively the liability of a provider. It simply limits negatively the situations in which it can be held liable on that basis.” [134]

Copyright, however, is somewhat different. The ECD and the 2001 Copyright InfoSoc Directive went through the EU legislative process at about the same time and were intended, together, to establish (ECD, Recital 50):
“a clear framework of rules relevant to the issue of liability of intermediaries for copyright and relating [sic] rights infringements at Community level.”

The Copyright InfoSoc Directive noted that liability for activities in the network environment concerned copyright and related rights as well as other areas. The ECD:
“… provides a harmonised framework of principles and provisions relevant inter alia to important parts of this Directive.” (Copyright InfoSoc Directive, Recital 16)

This is the basis on which it is suggested that the scope of the two Directives should be aligned. If so, however, which should be the template? Since the ECD is horizontal and thus of general application, it would be logical that any such interpretative exercise should focus on bringing the Copyright Directive into line with the ECD, not vice versa. Recital 16 of the Copyright Directive explicitly cedes precedence to the ECD: “This Directive is without prejudice to provisions relating to liability in that Directive.”
The AG’s view is that the criteria for communication to the public and the conditions for application Art 14 must and can be interpreted consistently in order to avoid, in practice, any overlap between them.
Fundamental rights compatibility
The AG addresses compatibility with the EU Charter of Fundamental Rights, opining that the ‘high level of protection’ demanded by the Copyright InfoSoc Directive does not necessarily equate to ‘maximum protection’. Although copyright is protected as a fundamental right in the Charter, that right is not absolute and must generally be balanced with other fundamental rights and interests. The Court, he says, seeks a reasonable interpretation to achieve that.
He emphasises that a general monitoring obligation on hosts to seek illegal information and activity was held by the CJEU in SABAM/Netlog to be contrary not only to Article 15 ECD, but also the Charter. It would introduce a serious risk of undermining the fundamental rights involved: platform operators’ freedom to conduct a business (Article 16), users’ freedom of expression (Article 11) and also, in his view, freedom of the arts (Article 13).
For freedom of the arts, an obligated filtering tool might not distinguish adequately between legal and illegal content, leading to the blocking of legal content. That would endanger online creativity, in that maximum protection of some forms of intellectual creativity would be to the detriment of other forms of creativity which are also positive for society.
Approach to alignment
Since the general approach of the AG is to mould communication to the public, in its application to platforms, to fit Article 14 ECD, it is logical to focus primarily on his exposition of Article 14 ECD. The Opinion is also a useful reminder of some aspects of Article 14 that are easily overlooked or misunderstood.
Generally, the AG takes the active/passive distinction to qualify for hosting protection under the ECommerce Directive, then applies it to the contrast drawn in the Copyright InfoSoc Directive between (a) someone who, by providing ‘physical facilities’, acts as an intermediary (Recital 27) and (b) someone who “intervenes actively in the communication to the public of works” ([75]).
He emphasises that the distinction has to be drawn in relation to specific content. (This focus on whether conduct is active or passive in relation to a given item of content contrasts with a common misconception that the active/passive distinction under Article 14 ECD involves an assessment of the overall role of the platform.)
He expresses reservations about the line of CJEU caselaw in GS Media, Filmspeler and Pirate Bay, which he characterises as extending the CTP right into unharmonised areas of secondary liability, founded on facilitation and knowledge of illegality. Nevertheless, he goes on to discuss the application of that reasoning to the instant cases.
For this purpose he applies to communication to the public the knowledge and awareness principles of ECD Article 14 ([111]). As with the active/passive distinction, this focuses on specific activities and information, as opposed to (in this context) consequences flowing from generalised awareness of illegality.
In summary, therefore, the AG equates “primary” communication to the public – intervention in an actual or possible transmission – with the active/passive distinction that determines initial qualification for ECD Art 14 protection; and equates “secondary” communication to the public with the ECD's knowledge-based conditions for losing the liability protection of Article 14.
Article 14 transposed to “primary” communication to the public
The following are some key points in the AG’s discussion of Article 14. References are to paragraph numbers, together with (where relevant) an italicised citation to the closest equivalent point in the AG’s discussion of the communication to the public right.
  • Only a shield The purpose of Article 14 is to act as a liability shield, not to provide a positive determination of liability. [134]
  • Horizontal application The Article 14 exemption applies horizontally, independently of the characterisation of the liability by the underlying substantive law.  It therefore covers both primary and secondary liability for information provided and activities initiated by users. [138]
  • Additional activities Activities additional to storage provided as part of the service do not prevent applicability of Art 14. [145] Nevertheless, the exemption concerns only liability that may result from information provided by users. It does not cover any other aspect of the provider’s activity. [146]
  • Active/passive hosting As regards the active/passive hosting distinction established by the CJEU:
    • Inherent control The capacity for control inherent in any hosting activity cannot amount to an active role. [151] (cf CTP [73]: being an important, or even crucial, link in the chain does not amount to an essential role.)
    • Specific content An active role must relate to specific content, where by the nature of its activity the intermediary is deemed to acquire intellectual control of that content. [152] (cf CTP [75]: intentional decision to communicate a given work.)
    • A distinction should be made between controlling the conditions for display of user information and controlling the content of that information.  [160], [162] (cf CTP [75]: determines the content in some other way.)
  • Examples of an active role include:
    • Selecting stored information. [152] (CTP: [75])
    • Active involvement in the content of stored information in some other way. [152] (CTP: [75] (“determines it in some other way”)).
    • Presenting stored information to the public in such a way that it appears to be the host’s own. [152] (CTP: [75]) As to that, in the Advocate General’s view YouTube does not do so because it indicates which user uploaded the video. [156] (CTP: [83]); and Cyando does not do so because the average, reasonably informed, internet user knows that files stored by a file hosting/sharing platform do not, as a rule, come from the operator. [156]
  • Examples that are not an active role include:
    • Automatic uploading without prior viewing or selection [154] (CTP: [78])
    • Providing access to content or the ability to download, by purely technical and automatic processes. [155]
    • Structuring the way in which videos are presented and integrating into a standard viewing interface [157] - [159] (CTP: [81], [82])
    • Processing of search results and indexing under different categories [157] (CTP: [81], [82])
    • Integrated search function [157], [160] (CTP: [81])
    • Automated recommendation of videos similar to those previously viewed [161], [162] (CTP: [84])
    • Remuneration by advertising [163] (CTP: [86])
    • Proactively carrying out checks for illegal content [166] (CTP: [78])

Points specific to communication to the public

For communication to the public, the AG also rejected arguments that grant of a licence by users to the platform amounted to active intervention. That would be different if the platform re-used content under the licence. [85]

Generally, profit was not a relevant criterion for the existence of communication to the public, but at most was an indicator. Revenue models related to attractiveness of content are a less useful indicator where the provision of physical facilities is generally carried on for profit. [86] to [88]

“Secondary” communication to the public and Article 14 knowledge and awareness

As to knowledge and awareness of illegality under the “secondary liability” interpretation of the communication to the public right, the AG suggested that they should be determined on the same principles as for Article 14 ECD. In other words, the conditions for loss of protection for a host under Article 14 should also found liability under the “secondary” communication to the public right as applicable to platforms such as YouTube and Cyando. 

In the AG's view knowledge of whether files are legal or illegal should not be presumed merely because the operator pursues a profit-making purpose. The GS Media presumption (aside from the fact that the CJEU seemed to have applied it only to hyperlinks [113]) should not be applied where the platform did not itself upload the content. That would contradict the Article 15 prohibition on imposing a general monitoring obligation. [115]

Further, the fact that an intermediary profits from illegal use should not be decisive. Any provider of goods or services that might be subject to both kinds of use will inevitably derive some of its profits from users who purchase or utilise them for illegal purposes. Other facts must therefore be demonstrated. [118]

The AG incorporated by reference ([111]) his discussion of the Article 14 knowledge and awareness provisions at [169] to [196]:
  • The knowledge of illegality required for the protection of Article 14 to be removed relates to specific illegal information. [172], [196]. That reflects the legislative purpose that Article 14 is intended to form the basis of notice and takedown procedures, when specific illegal information is brought to the attention of the service provider. [176]
  • Loss of protection based on general awareness is not compatible with the requirement of actual knowledge in Art 14(1)(a). [179]
  • As to awareness of facts and circumstances from which illegality is apparent:
    • the diligent economic operator referred to in L’Oreal v eBay is assumed, on the basis of objective factors of which it has actual knowledge relating to specific information on its servers, to perform sufficient diligence to realise the illegality of that information. It has no obligation to seek facts or circumstances in general. [182], [184], [185].
    • Since many situations regarding copyright infringement are ambiguous in the absence of context, a general obligation would create a risk of systematic over-removal in order to avoid risk of liability, posing an obvious problem in terms of freedom of expression. [189]
    • In order to be apparent, illegality must be manifest. This requirement seeks, in the AG’s view, to avoid forcing the operator itself to come to decisions on legally complex questions and, in doing so, turn itself into a judge of online legality. [187]
    • In order for illegality to be apparent, a notification must provide evidence that would allow a diligent economic operator in its situation to establish that character without difficulty and without conducting a detailed legal or factual examination. [190]
Bad faith

By way of exception to his propositions regarding specific knowledge, the Advocate General went on to discuss deliberate facilitation of illegal uses, for which general awareness of illegality would suffice to found liability. The AG discusses this bad faith exception in detail under communication to the public ([120] to [131]), incorporated by reference into his discussion of Article 14 [191].
The AG suggests that general and abstract knowledge of illegality should be sufficient to disapply Article 14 protection where the operator deliberately facilitates carrying out of illegal acts by users of its service. Where objective elements demonstrate the bad faith of the provider, then it should lose the benefit of the exemption.
The AG suggests the following principles for determining bad faith:
  • Intent to facilitate third party infringements should suffice [120]
  • The mere fact of enabling users to publish content by an automatic process and not carrying out a general pre-upload check cannot be tantamount to wilful blindness or negligence. [122]
  • Subject to notice of a specific infringement, mere negligence of a provider is (by definition) not sufficient to show that that provider is intervening ‘deliberately’ to facilitate copyright infringements committed by users. [122] 
  • The way in which a provider organises its service can, in some circumstances, show the ‘deliberate nature’ of its intervention in illegal acts of ‘communication to the public’ committed by users. [123] 
  • Characteristics of the service may demonstrate the bad faith of the provider in question, which may take the form of an intention to incite or wilful blindness towards such copyright infringements. [123] 
  • It is appropriate to check whether the characteristics of service (a) have an objective explanation and offer added value for lawful uses and (b) whether provider has taken reasonable steps to prevent unlawful use of the service. [124] 
  • But the service provider cannot be expected to check, in general, all user files before upload (cf ECD Art 15). Therefore reasonable steps should be a defence. Good faith will tend to be shown where the provider diligently fulfils ECD Art 14 withdrawal obligations [sic] or complies with any injunction obligations, or takes other voluntary measures. [124] 

It seems, therefore, that the AG is saying that the question of reasonable steps should be relevant only to rebut a presumption of bad faith that may arise if there are aspects of the service that do not, on the face of them, have an objective explanation and offer added value for lawful uses.
By way of guidance (although it would be a matter for the national court) the AG suggested that indexing and search functions [126], inserting advertisements into videos [121] (YouTube), and anonymity [129] and allowing users to generate download links [130] (Cyando) had an objective explanation and offered added value for lawful uses. On the other hand, the AG had doubts about Cyando’s practice of remunerating certain users based on the number of their downloaded files [131].
Stay-down arises in two separate contexts. The first is the argument that a host who is aware of the illegality of specific information on the platform should also be regarded as being aware of the illegality of further uploads of the same or equivalent information, and thus should not benefit from the Article 14 liability shield in respect of such future information.

The second question is whether, and if so how far, an injunction against an intermediary can require it proactively to prevent future uploads of the same or equivalent information to that specified in the injunction.
  • No imputed awareness of future uploads of the same information. As to the first issue, the AG considered that such a ‘stay-down’ interpretation of Article 14 would significantly alter its scope. It would require upload filtering not only of the same file as that notified, but of any file with equivalent content. Such an obligation would apply not only to providers that have such technology, but also those who do not have the resources to implement it. [194]
  • The AG went on to contrast that with the position in relation to injunctions against intermediaries. The CJEU has held that where a national court has determined content to be illegal, it is not contrary to the Article 15 prohibition on general monitoring obligations to grant an injunction in respect of equivalent files (i.e., in the AG’s understanding, those that use the protected work in the same way).  [220], [221] 
  • In that situation the measures must still be proportionate. It does not mean that rightsholders should be able to apply for any injunction against any intermediary service provider. In some cases a provider might be too far removed from the infringements for it to be proportionate to grant an injunction. That was not the case with YouTube and Cyando in the instant cases. [215] 
Proportionality also means that the injunction must not create obstacles to legal use of the service. Its purpose or effect cannot be to prevent users uploading legal content and making legal use of the work (such as, in the case of copyright, criticism, review or parody). [222]

[Amended 28 July 2020 to correct the number of paragraphs in the AG Opinion from 255 to 256. Unaccountably I didn't count the Conclusion...; and 29 July 2020 to eliminate a repetitious sentence.]