AG Saugmandsgaard Øe on Mass Data Retention: No Clear Victory for Privacy Rights

Yesterday, Attorney General Henrik Saugmandsgaard Øe issued his opinion in the joined cases of Tele2 Sverige AB v Post-och telestyrelsen (C-203/15) and Secretary of State for the Home Office v Watson et al. (C-698/15). This judgement has been long awaited by anyone interested in privacy rights, and more generally the relationship between states and their citizens during this period of an extended “war on terror”.

The cases both emerged from the aftermath of the outcome of the CJEU decision in joined Cases C-293/12 and 594/12 Digital Rights Ireland Ltd and Seitlinger and others. That decision had ruled the EU Data Retention Directive 2006/24/EC to be incompatible with EU Law, in particular that it “exceeded the limits imposed by compliance with the principle of proportionality in the light of Articles 7, 8 and 52(1) of the Charter” at [69]. Tele2 originated in Sweden and arose as they were ordered by the court to retain data under the Swedish Law (Law 2012:278) which Tele2 believed was no longer legal at EU Law following Digital Rights Ireland. Watson et al originated in the UK and followed a judicial review challenge to the passing of the Data Retention and Investigatory Powers Act 2014 (DRIPA), a piece of domestic legislation passed under emergency procedure to replace the provisions of the Data Retention Directive. Both were referred to the CJEU.

They key questions for the CJEU were (1) were domestic provisions which replicated the effects of the Data Retention Directive possibly legal following Digital Rights Ireland? And (2) if the answer to (1) was in the affirmative, were these provisions subject to the safeguards described by the Court in paragraphs 60 to 68 of Digital Rights Ireland?

The Advocate General has now given his opinion on these (and other) matters. The opinion is, of course, not binding, and it is possible the full court will come to an alternative opinion. The opinions of AGs though are highly influential and normally provide a good guide as to the forthcoming decision of the Court which will be issued in autumn 2016.

First to address the question of whether mass data retention regimes could be legal at EU Law AG Saugmandsgaard Øe began by examining whether a general data retention provision would be incompatible with Art.15(1) of the E-Privacy Directive 2002/58/EC. The argument made by several interveners was that following Digital Rights Ireland “a domestic obligation, such as the ones in issue, would be inconsistent with the harmonised regime established by the Directive regardless of whether or not it meets the requirements which arise from Article 15(1), since it would completely undermine the substance of the rights and the regime established by that directive” (at [85]). A number of governments, including the UK Government, argued that domestic data retention provisions fell within the exclusion found in Art.1(3) of the same Directive. The AG though followed a middle ground in finding data retention provisions were not exempted but could still be legal.

He found that “the wording of Article 15(1) confirms that retention obligations imposed by the Member States fall within the scope of the directive.” And that “In reality, as Messrs Watson, Brice and Lewis, the Belgian, Danish, German and Finnish Governments and the Commission have argued, a general data retention obligation, such as those at issue in the main proceedings, is a measure implementing Article 15(1).” However this was not fatal to the domestic provisions as had been argued by the interveners as “the wording of Article 15(1) refers to the Member States’ entitlement to adopt ‘legislative measures providing for the retention of data for a limited period’. That express reference to data retention obligations confirms that such obligations are not in themselves inconsistent with the regime established by Directive 2002/58.” Thus the answer to the first question is that such regimes may be legal.

This does not though dispose of the original question from Digital Rights Ireland; can such regimes be compatible with Articles 7, 8 and 52(1) of the Charter? Again as part of his lengthy opinion the AG addresses this question. Taking together Art.15(1) of Dir.2002/58/EC and Art.52(1) of the Charter he finds that there are six requirements a data retention obligation must meet to have a legal basis:

• the retention obligation must have a legal basis;
• it must observe the essence of the rights enshrined in the Charter;
• it must pursue an objective of general interest;
• it must be appropriate for achieving that objective;
• it must be necessary in order to achieve that objective; and
• it must be proportionate, within a democratic society, to the pursuit of that same objective.

This carries with it a number of responsibilities for member states. Any data retention provision must be adequately accessible and foreseeable and must provide adequate protection against arbitrary interference; the requirement of proportionality means that they must be targeted in the AG’s words on only “serious crime” and not ordinary offences and; proportionality requires that assessments must be carried out in the specific context of each national regime providing for a general data retention obligation, requiring a comparison to be made between the effectiveness of such an obligation and that of any other possible national measure.

With the first question disposed of, the AG turned to the second, were paragraphs 60 to 68 of Digital Rights Ireland applicable to these domestic provisions or were they examples or “communicating vessels” applied by the court in that case alone? This was quickly disposed of by AG Saugmandsgaard Øe: “I am convinced that this ‘communicating vessels’ argument must be rejected and that all the safeguards described by the Court in paragraphs 60 to 68 of Digital Rights Ireland must be regarded as mandatory” (at [221]). The effect of this is that in domestic legislation governments would need to ensure compliance with the requirements of Digital Rights Ireland:

1. That access and the subsequent use of the data in question must be strictly restricted to the purpose of preventing and detecting precisely defined serious offences or of conducting criminal prosecutions relating thereto;
2. Access by the competent national authorities to the data retained is made dependent on a prior review carried out by a court or by an independent administrative body whose decision seeks to limit access to the data and their use to what is strictly necessary for the purpose of attaining the objective pursued;
3. The data be retained for no longer than is required, with precise rules n retention;
4. Sufficient safeguards are required to ensure effective protection of the data retained against the risk of abuse and against any unlawful access and use of that data;
5. A high level of protection and security should be required from providers [of data retention] by means of technical and organisational measures; and
6. The data should be retained within the European Union.

From a UK perspective the timing of the AG’s opinion was essential. The Investigatory Powers Bill, the UK’s new comprehensive surveillance and retention law, is currently being debated in the House of Lords, the upper house of the UK Parliament. The Bill includes a series of provisions designed to replace the Data Retention and Investigatory Powers Act (DRIPA) which has a sunset clause of 31 December 2016. These provisions (Part IV, Clauses 83-92 currently) substantially repeat the provisions of DRIPA and therefore the outcome of Tele2/Watson was vitally important to the UK Government.

Views on the outcome in the UK are mixed. Many civil rights groups are claiming victory however many news services are reporting, perhaps more even-headedly, that neither side can claim complete success. There is no doubt that the requirement that data retention laws can only be used to fight serious crime, if so ruled by the CJEU, would be a serious headache to the UK government where data retention provisions are used extensively in the fight against more mundane criminal offences such as illegal dumping of waste. Also the requirement that access to retained data should be dependent on a prior review carried out by a court or by an independent administrative body will be another headache given the current authorisation system operated by a senior officer. However these will be seen to be minor headaches by PM Theresa May who piloted the Investigatory Powers Bill into Parliament, and by her new Home Secretary Amber Rudd. The opinion of the AG gives considerable discretion to member states to enact data retention provisions providing they meet the Digital Rights Ireland standard. This will be the major take-away by the UK Government.

Of course all of this means little until the decision of the CJEU comes out in the autumn. Until then we will no doubt see all sides press on as before.