Tuesday, 19 July 2016

Data retention - the Advocate General opines

The long-running court battles over compelling internet service providers to retain data about their users’ internet communications for the benefit of law enforcement took another turn today, with the publication of the Advocate General’s Opinion in the Watson/Tele2 references to the EU Court of Justice.

The litigation has implications both for existing data retention laws in the UK, Sweden and elsewhere in the EU and for the UK Investigatory Powers Bill currently going through Parliament, which significantly expands the government’s data retention powers.

The Advocate General's view is that generalised data retention may be permissible, but only subject to a series of conditions:

  • The general obligation to retain data and the accompanying guarantees must be laid down by legislative or regulatory measures possessing the characteristics of accessibility, foreseeability and adequate protection against arbitrary interference. (This articulates the well-known rule of law requirement of legality.
  • The obligation must respect the essence of the rights to private life and data protection under the Charter. (The reference to the 'essence' of the right is significant. If the essence of a right is violated then the interference is unlawful, regardless of necessity or proportionality.)
  • The only general interest that is capable of justifying a general obligation to retain data is the fight against serious crime. Ordinary offences and the smooth conduct of proceedings other than criminal proceedings would not be capable of justifying a general retention obligation. (This potentially has implications for the Investigatory Powers Bill, which specifies 11 different purposes for which communications data, including mandatorily retained data, can be accessed, as well as access via bulk acquisition warrants.)
  • The general obligation must be strictly necessary to the fight against serious crime. The conditions set out in the CJEU case of Digital Rights Ireland regarding access to the data, the retention period and protection and security of the data must all be respected.
  • The general retention obligation must be proportionate, so that the serious risks engendered by the obligation must not be disproportionate to the advantages offered in the fight against serious crime.
Implications for the Investigatory Powers Bill

What may the case mean for the Investigatory Powers Bill? This stage is only an Advocate General's Opinion, which does not bind the Court. There is no guarantee that the Court of Justice will come to the same conclusion, although more often than not it does so. 

The most obvious potential issues for the Bill would be:

(1) the restriction of a general data retention obligation to combating serious crime (which according to the Advocate General would apply to both the purpose for which the data is required to be retained and access to the data). The Bill would allow access to mandatorily retained communications data for a variety of purposes, which are not limited to serious crime. 

(2) A requirement for independent prior review of access to mandatorily retained communications data. For most access to communications data the Bill would not require prior independent review.

(3) The emphasis on binding legislative measures. This could put in doubt the extent to which the Bill relies on Codes of Practice. Although the government contends that Codes of Practice have statutory force, they do so only to the extent of the status conferred by Schedule 7 para 6 of the Bill. Codes of Practice do not have the same force as statute.

The Bill also extends mandatory data retention into site-level web browsing histories, so-called internet connection records. These are not specifically addressed in the current litigation. The government acknowledges that these are more intrusive than ordinary communications data. This expansion may provide further grounds of challenge, whatever the final decision of the Court in Watson/Tele2.

Further grounds could include not only privacy and data protection issues, but also intrusion into freedom of expression. It might be argued that to the extent that internet connection records mandate the logging of reading habits (the equivalent of lists of book titles) the Bill strays from communications data into content; that doing so interferes with the very essence of freedom of expression and is thus per se unlawful with no need to consider necessity or proportionality.

Background

In the Watson case former claimant David Davis MP (now withdrawn from the case on account of becoming Brexit Minister) and Tom Watson MP (now Deputy Leader of the Labour Party), with co-claimants Peter Brice and Geoffrey Lewis, sued the Home Secretary, challenging the Data Retention and Investigatory Powers Act (DRIPA) which the government pushed through Parliament in four days in July 2014.

DRIPA sought to re-enact in primary legislation the 2009 Data Retention Regulations. These implemented the EU Data Retention Directive and were vulnerable to challenge following the April 2014 CJEU decision in Digital Rights Ireland, invalidating the Directive as contrary to Articles 7 (privacy) and 8 (data protection) of the EU Charter of Fundamental Rights.

The Tele2 case challenges existing Swedish data retention legislation following the DRI decision.

The Swedish and UK cases have been joined and heard together. The Tele2 reference asks broadly whether generalised traffic data retention laws are compatible with EU law and follows up with questions about the specifics of the Swedish legislation. The Watson reference asks two specific questions: first whether the DRI judgment laid down requirements applicable to a national regime for retention of and access to communications data; and second whether Articles 7 and 8 of the Charter lay down stricter requirements than Article 8 of the European Convention on Human Rights.

The Advocate General's Opinion in detail

In the Advocate General's view the second Watson question should be rejected as inadmissible.: "The fact that [the DRI] judgment may possibly have extended the scope of Articles 7 and/or Article 8 of the Charter beyond that of Article 8 of the ECHR is not in itself relevant to the resolution of those disputes… EU law does not preclude Articles 7 and 8 of the Charter from providing more extensive protection than that provided for in the ECHR."  

As to compatibility of the Swedish and UK regimes with EU law, the Advocate General's view is:

- Data retention obligations are within scope of the Privacy and Electronic Communications Directive (PECR), so must be considered within the regime established by that Directive, in particular the exception provided by Article 15(1). [97]

- The EU Charter of Fundamental Rights is applicable to general data retention obligations since they implement the Article 15(1) exception, even though national provisions governing access to retained data do not fall within the Charter. [122], [123]. The AG goes on:

"124. Admittedly, to the extent that they concern ‘activities of the State in areas of criminal law’, national provisions governing the access of police and judicial authorities to retained data for the purpose of fighting serious crime fall, in my opinion, within the scope of the exclusion laid down in Article 1(3) of Directive 2002/58. Consequently, national provisions of that kind do not implement EU law and the Charter therefore does not apply to them.
125. Nevertheless, the raison d’être of a data retention obligation is to enable law enforcement authorities to access the data retained, and so the issue of the retention of data cannot be entirely separated from the issue of access to that data. As the Commission has rightly emphasised, provisions governing access are of decisive importance when assessing the compatibility with the Charter of provisions introducing a general data retention obligation in implementation of Article 15(1) of Directive 2002/58. More precisely, provisions governing access must be taken into account in the assessment of the necessity and proportionality of such an obligation."
- General data retention obligations are consistent with the PECR regime, but only if compliant with strict requirements which flow from Article 15(1) and from the Charter read in the light of DRI. [116] The Article 15(1) exception permits restrictive "legislative measures" that constitute:
"a necessary, appropriate and proportionate measure within a democratic society to safeguard national security (i.e. State security), defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system… To this end, Member States may, inter alia, adopt legislative measures providing for the retention of data for a limited period justified on the grounds laid down in this paragraph. All the measures referred to in this paragraph shall be in accordance with the general principles of Community law…".
As to the requirements flowing from Article 15(1) and the Charter read in the light of DRI:

- The requirements of PECR Article 15(1) and the Charter are cumulative: "Compliance with the requirements laid down in Article 15(1) of Directive 2002/58 does not in itself mean that the requirements laid down in Article 52(1) of the Charter are also satisfied, and vice versa." [131]

- 'Legislative measures' in Article 15(1) must have the characteristics of accessibility, foreseeability and providing adequate protection against arbitrary interference. The measures must therefore be binding on the national authorities upon which the power to access the retained data is conferred [150]:
"It would not be sufficient, for example, if the safeguards surrounding access to data were provided for in codes of practice or internal guidelines having no binding effect, as the Law Society of England and Wales has rightly pointed out. [150]
Moreover, the words ‘Member States may adopt … measures’, which are common to all the language versions of the first sentence of Article 15(1) of Directive 2002/58, seem to me to exclude the possibility of national caselaw, even settled caselaw, providing a sufficient legal basis for the implementation of that provision. I would emphasise that, in this respect, the provision is more stringent than the requirements arising from the caselaw of the European Court of Human Rights. [151]"
- General data retention obligations are capable of being justified by the objective of fighting serious crime, but not combating ordinary crime or the smooth conduct of non-criminal proceedings. [164], [173] Appropriateness, necessity and proportionality of such obligations have to be assessed with reference to that objective [174].

- General data retention obligations do not of themselves go beyond what is strictly necessary for the purposes of fighting serious crime. Necessity is to be assessed in conjunction with the safeguards concerning access to the data, period of retention and the protection and security of the data. [194], [205]

- It is imperative that national courts, when assessing necessity, do not "simply verify the mere utility of general data retention obligations, but rigorously verify that no other measure or combination of measures, such as a targeted data retention obligation accompanied by other investigatory tools, can be as effectiveness in the fight against serious crime." [209] National courts should also determine whether an effective alternative measure would interfere with fundamental rights to a lesser extent than a general data retention obligation [210]; and should consider whether the substantive scope of a retention obligation can be limited while preserving its effectiveness in the fight against serious crime. [211]

- All the safeguards described by the CJEU in paras [60] to [68] of DRI are mandatory. They are not merely illustrative. [221], [226]

In particular:

- "access to and the subsequent use of the retained data must be strictly restricted to the purpose of preventing and detecting precisely defined serious offences or of conducting criminal prosecutions relating thereto." [229] (This is much more limited than the access permitted under either DRIPA or the Investigatory Powers Bill.)

- Access to the retained data should, other than in cases of extreme urgency, be made dependent on a prior independent review by a court or independent administrative body. [232] et seq. The current (RIPA) and proposed (IP Bill) regimes for access to retained communications data for the most part do not comply with this.

When discussing proportionality (a matter to be assessed by the national court) the Advocate General emphasised that:

"the risks associated with access to communications data (or ‘metadata’) may be as great or even greater than those arising from access to the content of communications, as has been pointed out by Open Rights Group, Privacy International and the Law Society of England and Wales, as well as in a recent report by the United Nations High Commissioner for Human Rights. In particular, as the examples I have given demonstrate, ‘metadata’ facilitate the almost instantaneous cataloguing of entire populations, something which the content of communications does not." [259]
 He also emphasised that compliance with the mandatory DRI safeguards does not guarantee proportionality:
"I would emphasise, in this connection, that the mandatory safeguards described by the Court in paragraphs 60 to 68 of Digital Rights Ireland are no more than minimum safeguards aimed at limiting the interference with the rights enshrined in Directive 2002/58 and Articles 7 and 8 of the Charter to what is strictly necessary. Consequently, a national regime which includes all of those safeguards may nevertheless be considered disproportionate, within a democratic society, as a result of a lack of proportion between the serious risks engendered by such an obligation, in a democratic society, and the advantages it offers in the fight against serious crime."