On 8 January, the legal service of the European Parliament released an opinion, the purpose of which was to answer 9 questions posed by its LIBE Committee (Civil Liberties, Justice and Home affairs), as regards the effect of the judgment of CJEU in the landmark Digital Ireland (DRI) case of 8 April 2014 on the validity of the data retention Directive (DRD). The opinion clearly identifies the consequences of the judgement, in particular as regards the legality of national EU Member State laws that have been adopted to transpose the now defunct data retention Directive. It is a long opinion of 27 pages… leaked by Access, a civil liberty group, on 7 January.
The legal service first sets out the main aspects of the reasoning of the CJEU in the DRI judgment. It obviously notes the relevance of Article 7 and 8 of the European Charter of Fundamental Rights and then characterises the interference with these rights. Rightly it recalls that the CJEU found the interference with these fundamental rights “wide-ranging” and “particular serious”.
It then looks at the justification for such an interference, recalling that “any limitation on the exercise of the rights and freedoms laid down by the Charter must be provided for by law, respect their essence, and subject to the principle of proportionality, limitations may be made to those rights and freedoms only if they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others”.
3 things to note on its account of the reasoning of the CJEU:
- The essence of the fundamental rights protected by Article 7 and 8 of the Charter is not adversely affected.
- The interference satisfies an objective of general interest: to deter serious crime and protect public security. [Notably, the right to security (as per Article 6 of the Charter) is mentioned just like in the DRI judgment at para 42, although strictly speaking this right is meant to protect individuals from arbitrary arrests and imprisonment (“surêté” in French), therefore a fundamental right to security does not exist. But English has only one word where French has 2, which might create some misleading interpretations… although obviously it was King John of England who issued the Magna Carta.]
- The examination of the proportionality of the measure is the “crux of the whole judgement”. The CJEU applies a strict proportionality test and builds a long list of missing safeguards.
On its general legal analysis, 4 things are worth mentioning:
- The legal service recalls that the CJEU’s decision as grounded on the Charter of fundamental Rights, should constrain Member States measures “only when they are implementing Union Law”. The first question to ask in assessing Member State measures, and in particular legislation providing for the retention of data by telecommunications operators, is therefore whether the measure aims to implement EU Law.
- If the Charter is applicable, the standard of review will depend upon the extent of the discretion enjoyed by Member States… [This might be to say that when national security is at stake… the standard of review should be less stringent]. But, as it will be explained further down, in all cases the discretion can be scrutinized either in the light of the Charter or in the light of the European Convention of Human Rights.
- “In effect, the Court of Justice has effectively transposed the existing case-law of the European Court of Human Rights on the need for safeguards and guarantees in the field of privacy and data protection…” And this is not something new! But there is a novel aspect in the judgment: the Court “refers specifically, in the case of the data retention Directive, to a particular body of the case-law of the European Court of Human Rights on the issue of “surveillance”” [Remember Liberty!]. As a result, other “general programmes of surveillance” will most likely be treated in the same way!
- And in order to assess the legality of general programmes of surveillance, the following 4 types of criteria are relevant:
- Personal scope, link with a threat to public security
- Limits on the access of the competent national authorities to the data and their subsequent use
- Data retention period
- Rules on security and protection of data
On its answer to the 9 questions, 8 points can be stressed:
- The judgment does not have any direct consequences for the validity of any other EU act. Each EU act benefits from a presumption of legality, although it is a rebuttable presumption.
- The proposed EU PNR and Entry/Exit System are “general programmes of surveillance”.
- International agreements will be treated in the same way as European measures.
- The judgement “produces a twofold effect as regards Member States’ law”.
- There is no obligation for Member States to make telecommunications operators retain traffic data. “It is therefore possible for a Member State to repeal the existing implementing measures, without any risk of violating Union law”.
- “if a Member State decides to maintain the rules on data retention in the electronic communications sector, such rules need to be in conformity with the Charter, and fulfil the requirements set out by the” CJEU in the DRI judgment. Indeed, national data retention laws are provided for by Article 15 of the e-privacy Directive as an exception to the principle of confidentiality of communications to be found in Article 5…. although Member States do not have an obligation to adopt such laws under this Article.
- The DRI judgement would, however, not necessarily have consequences for “measures, going beyond “retention” of data initially collected by private service providers for business purposes, and concerning rather a subsequent processing of the retained data by public authorities on grounds of public interest, such as, for example, the rules on the access and the use of such data by the law enforcement authorities of the Member States”. These measures might be outside of EU Law.
- This said, the European Convention of human rights will have to be respected. As a result, “National courts will thus continue to review national legislation according to these standards in any event”.
- To sum up, if Member States decide to retain their legislation, their legislation should be examined to see whether they are compatible with the Charter. If they are not they run the risk of being declared invalid as well.
- As regards other general programmes of surveillance such as API (Advance Passenger Information), national measures implementing Directive 2004/82/EC on the obligations of carriers to communicate passenger data should also comply with the Charter. Concerning PNR (Passenger Name Record), the situation is less clear as no EU-PNR scheme exists yet. International agreements implementing EU law should also respect the Charter. “Bilateral agreements concluded by the Member States with third countries requiring mass collection of personal data and exchange of personal data for law enforcement purposes would presumably have been concluded in the exercise of the competence of the Member States. Consequently the Charter would not be applicable”.
This opinion is worth comparing with the report produced by Franziska Boehm and Mark D. Cole entitled Data Retention after the Judgement of the Court of Justice of the European Union on 30 June 2014. “The study (…) tested seven exemplary EU measures on compatibility with the standards set in the DRD Judgment, namely the EU-US PNR Agreement, the EU-PNR proposal, the EU-US TFTP Agreement, the EU TFTS proposal, the LE [Law Enforcement] access to Eurodac, the EES proposal and the draft data protection directive in the LE sector”. The conclusion is quite astonishing: “All analysed measures provide for data retention and affect an enormous amount of (unsuspicious) individuals. Some of the measures seem to be even more infringing than the original DRD.”
Another reason to beg law-makers not to work with too much haste!
Who knows? Maybe the wind is starting to blow… a recent Council document said that the Commission could “be invited to present as soon as possible a new legislative proposal for data retention.” However, a European Commission representative at a 8th January LIBE meeting said that the Commission had not decided on its response yet.
The European Parliament has decided to refer a draft EU-Canada PNR agreement to the CJEU for an opinion in the light of the DRI case.
Sophie Stalla-Bourdillon
Pingback: New Dutch data retention law subject to judicial review | Peep Beep!
Pingback: Weber, DRI and Schrems: so what are “measures of mass surveillance”? And what should we do with them? A tale of 2 Courts | Peep Beep!
Pingback: Weber, DRI and Schrems: so what are “measures of mass surveillance”? And what should we do with them? A tale of two courts – Sophie Stalla-Bourdillon | Inforrm's Blog
Pingback: The Draft IP Bill and data retention obligations: on the irony of the invalidation of the Data Retention Directive | Peep Beep!
Pingback: New UK Decisions on the Data Protection Implications of Information Sharing with Law Enforcement | Peep Beep!
Pingback: New UK Decisions on the Data Protection Implications of Information Sharing with Law Enforcement – Alison Knight | Inforrm's Blog
Pingback: CJEU Advocate General opines on the compatibility of EU-Canada PNR Agreement with EU Charter rights to privacy and personal data protection | Peep Beep!