Yesterday, the EU’s highest court issued a major judgment that effectively invalidates a significant portion of the UK’s recently-passed Investigatory Powers Act (aka the “Snooper’s Charter”). The European Court of Justice (CJEU) judgment holds that “general and indiscriminate” data retention laws are inconsistent with the EU’s privacy directives.
If, like me, you generally shrug at newsflashes announcing the latest wrinkle in the tangle of EU privacy directives, take note: this case matters. It matters first for any state, like the UK, that has passed or considered passing legislation that calls for general data retention. Second, the ruling matters for service providers that are constantly trying to determine how (much) to comply with retention demands like those in question – demands that do not always come under the authority of national legislation. Third, the ruling matters for citizens who may or may not agree with the court that the privacy concerns implicated by the retention at issue in the ruling are greater than the security concerns they are meant to address. Fourth, and perhaps most importantly, the ruling matters because it may signal where the EU is headed.
How did this case come about?
The CJEU judgment actually arises out of two distinct cases. The first case, Watson and others, was brought by British petitioners challenging the use of bulk data collection authorized under Section 1 of the Data Protection and Investigatory Powers Act 2014 (DRIPA) – a piece of soon-to-expire legislation that informed the creation of the recent Investigatory Powers Act. The second case, Tele2 Sverige, was the result of a dispute between Swedish service providers who resisted a data retention order from the Swedish Post and Telecom Authority. The two cases are distinct in important ways, but yesterday’s ruling has implications that reach far beyond the resolution of each case.
What exactly did the court rule?
The court ruled on two separate matters: (1) data retention, and (2) law enforcement access to retained data. On the first matter, the court ruled that EU privacy law precludes national legislation that provides for “general and indiscriminate retention of all traffic and location data of all subscribers and registered users.” On the second matter, the court held that national legislation cannot grant law enforcement unfettered access to retained data. In particular, the court said that data retention legislation is inconsistent with EU law where: (1) the legislation allows law enforcement access to retained data in order to fight general crime, rather than “serious crime”; (2) where that access is not subject to prior review by a court or independent authority; and (3) where there is no localization rule requiring that the data in question be stored in the EU.
What EU law are we talking about?
The court’s ruling draws primarily from three sources of EU law:
- The E-Privacy Directive (in particular Article 15(1) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002), which informs:
- The Data Protection Directive (Directive 95/46/EC [of the European Parliament and of the Council of 24 October 1995] which will eventually be superseded by the General Data Protection Regulation) and which seeks to develop the privacy protections provided by:
- The Charter of Fundamental Rights of the European Union (in particular Articles 7, 8, and 52(1)).
So what kinds of data collection and access rules are allowed under EU law?
The court doesn’t exactly say, but it suggests that retention must be limited to serious crimes, must be targeted, and must be limited to “what is strictly necessary”:
However, Article 15(1) of Directive 2002/58, read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter, does not prevent a Member State from adopting legislation permitting, as a preventive measure, the targeted retention of traffic and location data, for the purpose of fighting serious crime, provided that the retention of data is limited, with respect to the categories of data to be retained, the means of communication affected, the persons concerned and the retention period adopted, to what is strictly necessary. (Para 108)
The court does not say much about how states should divine, or define, what is “strictly necessary,” except that national legislation must set down “minimum safeguards” against the risk of misuse (Para 109). (The court notes, in a regrettably circular passage, that data retention legislation must “indicate in what circumstances and under which conditions a data retention measure may, as a preventive measure, be adopted, thereby ensuring that such a measure is limited to what is strictly necessary.”)
The court is more clear about what isn’t allowed: blanket, one-year retention requirements that grant access for non-serious crimes without judicial review. The two cases will now go back to their countries of origin, Sweden and the UK, for their courts’ interpretations of the ruling’s impact on national legislation.
If indiscriminate data retention is not allowed, is discriminate retention OK?
It would seem so. In an odd passage, the court says that it has a preference for targeted collection of data about certain populations whose location makes national authorities suspicious:
“As regard the setting of limits on such a measure with respect to the public and the situations that may potentially be affected, the national legislation must be based on objective evidence which makes it possible to identify a public whose data is likely to reveal a link, at least an indirect one, with serious criminal offences, and to contribute in one way or another to fighting serious crime or to preventing a serious risk to public security. Such limits may be set by using a geographical criterion where the competent national authorities consider, on the basis of objective evidence, that there exists, in one or more geographical areas, a high risk of preparation for or commission of such offences.” (Para 111)
My first thought, reading this passage, was to the banlieues outside of Paris, but one can imagine any number of places – minority communities, low-income neighborhoods, housing projects – where we might be especially worried about law enforcement singling them out as a source of data collection. The way this judgment is written, there appears to be a tension between a preference for targeted data collection on the one hand and a preference for nondiscriminatory collection on the other.
When can a state mandate data retention?
The court says that a state may only mandate data retention in order: “to safeguard national security — that is, State security — defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system.” (Para 90). The court notes that this list is exhaustive. This is striking, since one can easily imagine other sensible reasons for such a mandate besides crime fighting, such as public health research, consumer protection, and more.
So companies cannot maintain communications records for a year or more?
Yes, they can. The ruling is a rebuke of national mandates that providers maintain communications data for a year, but the ruling does not – besides a few passing comments – touch the companies themselves. The decision does not affect service providers’ ability to collect whatever data they need and to store it for as long as they need, consistent with their terms of service. One can read this ruling as implicitly stating a preference for private (corporate) data retention policies over those mandated by a national government.
What about Brexit?
This case will be especially significant for the United Kingdom, which of course is on its way out of the EU. Until the UK fully exits the union, however, it must comply with EU law and CJEU rulings like this one. Even after Brexit, though, UK companies seeking access to the common market will need to comply with EU data laws. This means that the Investigatory Powers Act will need to be revised, perhaps significantly. (For a nice summary of the CJEU ruling and its implications for the UK, see this analysis by David Anderson, one of the Independent Reviewers of Terrorism Legislation in the UK.)
What about Privacy Shield?
The bigger question going forward is what this decision portends about Privacy Shield – which is designed to replace the now-defunct Safe Harbor arrangement that allows companies to move data across the Atlantic. Privacy Shield is already being challenged by a number of privacy groups in Europe. Yesterday’s CJEU opinion does not discuss cross-border data transfers, so it is not directly on point. But it is hard to read this opinion and not worry that the CJEU will invalidate any program that allows for data transfers outside of the EU – especially because the court notes that one indication that a data retention law violates EU privacy directives is if that law does not require that the data remain within the EU.