The ECJ has today delivered its judgment in the Watson/Tele2 cases, in which Swedish and UK communications data retention laws are being challenged as contrary to the privacy and data protection guarantees of the EU Charter. The Court has followed closely its decision in the Digital Rights Ireland case, that only under certain very strict circumstances are data retention obligations and access to that data permissible under EU law. The Court stated that EU law precludes a general and indiscriminate retention of traffic data and location data, and that Member States may only adopt legislation, as a preventive measure, for targeted retention of that data and solely for the purpose of fighting serious crime. Access to retained data must be subject to safeguards including prior independent review.

Background – Data retention in the EU following the invalid Data Retention Directive

The questions referred to the ECJ by both the UK and Swedish national courts arose following the ECJ's judgment in Digital Rights Ireland. The ECJ held the EU Data Retention Directive (2006/24/EC) invalid as violating Articles 7 (privacy), 8 (personal data) and 52 (1) (proportionality) of the EU Charter. This was because the data retention requirements under the Directive were not strictly necessary and not accompanied by stringent safeguards concerning access to data, the period of retention and the protection of the security of the data.

The ruling in Digital Rights Ireland created legal uncertainty with regard to national data retention legislation, and resulted even in the termination or limitation of such legislation in some Member States.

In Sweden, the telecoms operator Tele2 refused to comply with the Swedish data retention obligation following Digital Rights Ireland and informed the local NRA (Post-och telestyrelsen) that it would no longer retain data and of its proposal to delete existing retained data. Tele2 was then subject to enforcement proceedings by the NRA, which it challenged in court. In the UK the High Court found that S.1 of the Data Retention and Investigatory Powers Act 2014 (the UK data retention legislation, DRIPA) was incompatible with EU law. The UK government appealed that decision. Both the Swedish and UK cases resulted in referrals to the ECJ.

The Court's Ruling – EU law precludes national legislation providing for a general and indiscriminate retention of all traffic and location data

Firstly, the Court confirms that national data retention laws falls within the scope of EU law.

Article 1(3) of the E-Privacy Directive (2002/58) excludes from its scope 'activities of the state' (including in the areas of criminal law, public security, defence and state security).

Article 15(1) of the directive governs the possibility for restricting the scope of the rights and obligations in the E-privacy Directive, when necessary to safeguard national security.

Even though the objectives, which data retention measures must pursue, thereby heavily overlap with the objectives stated in Article 1(3), the processing of personal data by providers of electronic communications services falls within the scope of the E-Privacy Directive for the following reasons:

  1. The Directive applies to the processing of personal data by providers of electronic communications services pursuant to Article 3 of the E-Privacy Directive.
  2. The Directive authorises Member States to grant national authorities access to the data retained by those providers, under particular conditions.
  3. Article 15(1) would be deprived of any purpose, if the directive did not apply in the situation in question.

The E-Privacy Directive therefore both applies with regard to national legislation concerning data retention and national legislation concerning the access to such retained data (thus rejecting the UK argument that 'access to the data' does not fall within the scope of the Directive).

Secondly, the Court has ruled that the national legislation such as that at issue (UK and Swedish data retention legislation) exceeds the limits imposed by the rights and guarantees of the EU Charter.

The legislation thereby exceeds the limits of what is strictly necessary and cannot be considered justified pursuant to Article 52(1) of the Charter, which lays down conditions for when an interference of the rights can be deemed justified.

In general, the Court rules that the following must be satisfied in order to justify the existence of data retention legislation:

1) The data retention purpose must be limited to serious crime only

Given the serious interference in the fundamental rights to privacy and data protection, only the objective of fighting serious crime is capable of justifying such interference, thereby rejecting the UK government's argument that "crime" includes the fight against ordinary crime, or civil wrongs such as copyright enforcement.

2) Member States may only allow targeted retention

For the purpose of fighting serious crime, Member States may, as a preventative measure, adopt legislation permitting targeted retention of traffic and location data, provided that the retention is limited, with respect to 1) the categories of data to be retained, 2) the means of communication affected, 3) the persons concerned and 4) the retention period adopted, to what is strictly necessary.

In this context, the national legislation must lay down clear and precise rules governing when such data retention measures are permissible, and in particular indicate in what circumstances and under which conditions a data retention measure can be adopted.

3) The targeted retention must be limited to what is strictly necessary

  • a. National legislation must lay down objective criteria with regard to when data is retained and when public authorities may access that data

In order to ensure that a data retention measure is limited to what is strictly necessary; the retention of data must meet objective criteria that establish a connection between the data to be retained and the objective pursued.

Accordingly, the national legislation must be based on objective evidence which makes it possible to identify persons whose data is likely to reveal a link (direct or at least indirect) with serious crime, to contribute to fighting serious crime or preventing a serious risk to public security.

In this connection, the Court refers to the example of use of a geographical criterion to determine whether there exists a high risk of preparation or commission of serious crime.

  • b. Access may only be granted to retained data of individuals suspected of planning, committing or having committed a serious crime or of being implicated on one way or another in such a crime

As general access to all retained data, regardless of whether there is any link (at least indirect) with the purpose of fighting serious crime, cannot be regarded as limited to what is strictly necessary, access may, as a general rule, be granted only to the retained data of individuals suspected of planning, committing or having committed a serious crime or of being implicated on one way or another in such a crime.

However, where vital national security, defence or public security interests are threatened by terrorist activities, the Court is open to allowing access to the data of other persons, where the data could make an effective contribution to combating terrorist activities.

  • c. Access to retained data must be subject to prior review by a court or independent administrative body

In order to ensure, that the abovementioned conditions are fully respected, it is essential that access to retained data is subject to independent prior review except in urgent situations, where there is no time to put forward the request by public authorities.

4) Persons, whose data has been accessed, must be notified as soon as the notification is no longer liable to jeopardise the investigation

In order to secure the right to a legal remedy, the individuals whose data has been granted access to must be notified as soon as the notification is no longer liable to jeopardise the investigation.

5) Providers of electronic communications must guarantee a high level of protection and security by means of appropriate technical and organisational measures

This is the case given the quantity of the retained data, the sensitivity of the data and the risk of unlawful access to the data.

Furthermore, the Member States must ensure an independent review by national data protection authorities.

6) The retained data must be retained within the EU, and destroyed at end of the retention period

Commentary

The court thereby rules that only in cases where all the above mentioned requirements are met, certain targeted data retention obligations are permissible under Article 15(1) of the E-Privacy Directive read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter.

The Court further emphasizes what it initially stated in the Digital Rights Ireland case, that only under certain very strict circumstances are data retention obligations and access to that data permissible under EU law.

It is hereafter up to the individual national Member States to asses, whether their current or future data retention obligations comply with the EU law as interpreted by the ECJ in Digital Rights Ireland and the Tele2/Watson case.

We have below outlined a short preview of the impact in some of the EU jurisdictions that Bird & Bird covers. We will follow up on this newsletter with a more in-depth description of the local impact of the Tele2/Watson case.

Potential impact in the UK

The UK case will now go back to the Court of Appeal, which will have to decide on the validity of DRIPA in the light of the CJEU ruling. The CJEU has laid down a series of requirements, at least some of which are clearly not present in DRIPA.

The future UK significance of the CJEU judgment lies in its effect on the data retention provisions of the Investigatory Powers Act 2016 (IP Act), which will replace DRIPA on 30 December. Some of the CJEU's requirements may be addressed relatively easily by changes to the IP Act, but others may cause the UK government serious difficulties.

The IP Act also extends compulsory communications data retention to so-called internet connection records (site-level web browsing histories). ICRs are more intrusive than ordinary communications data. They are likely to raise further issues about the implications of the CJEU judgment.

Serious disagreements are likely over where the boundary lies between targeted and general data retention. There may be debate over the extent to which clear, precise and objective rules must be set out in the legislation, or how far targeting can be left to the government when deciding what kind of data retention notices to give to which operators.

Additionally:

  • The purposes set out in both the existing DRIPA legislation and the IP Act are wider than fighting serious crime or preventing a serious risk to public security.
  • While the IP Act introduces prior approval by a Judicial Commissioner of most warrants and notices, it does not do so for ordinary communications data demands.
  • The purposes for which access can ordinarily be obtained under both the existing DRIPA legislation and the IP Act are wider than data of individuals suspected of planning, committing or having committed a serious crime or of being implicated in such a crime. The IP Act also provides warrants for bulk acquisition of communications data, which could include mandatorily retained data.
  • There is no notification of persons whose data has been accessed, either under DRIPA or the IP Act.
  • It is not a requirement under DRIPA or the IP Act that retained communications data must be kept within the EU.

Should the UK become a data protection 3rd country (like the USA) post-Brexit, then it may seek an 'adequacy' decision from the European Commission that the UK's protections for personal data are essentially equivalent to those in the EU, so as to enable personal data to be transferred from the EU to the UK. The UK's surveillance and data retention legislation would be relevant to an adequacy decision.

Potential impact in Sweden

In Sweden, the outcome of the Tele2/Watson case has been highly anticipated. Many a project, e.g. discussions on technical specifications between CSPs and law enforcement, has come to a standstill pending the decision.

The case will now return to the Administrative Court of Appeal in Stockholm for a final ruling, which - in light of the decision and the general and indiscriminate nature of the Swedish data retention obligation- in all likelihood ought to result in NRA's order being dismissed.

Most likely, the immediate effect of the decision will be an appointment of an investigative committee, commissioned to perform a thorough review and examination of the rules on retention of and access to data proposing and prescribing amendments to the current legislation in line with the requirements established in the decision. It remains to be seen which state institution, a court or an independent agency, will be given the task to perform review of the retained data prior to granting any access to it.

Interestingly, the conformity of the Swedish rules with the EU law has already once been examined by a special governmental investigator, i.e. in light of the ECJ judgment in Digital Rights Ireland in the spring 2014. The investigator then pronounced the data retention rules to be – on the whole - in compliance with the fundamental rights enshrined in the EU law, suggesting, nonetheless, that the rules on protection of private life and personal integrity ought to be further inspected and strengthened. This was looked into by another governmental committee that presented the results of its investigation, i.e. proposed measures to strengthen protection of personal integrity, in the spring 2015.

Potential Impact in Denmark:

The current Danish Executive Order no. 988 of 2006 on data retention (Data Retention Order) was amended following Digital Rights Ireland, as a special Danish requirement on internet session logging was repealed. The Data Retention Order nevertheless in its current form does not live up to the recent Tele2/Watson ruling. This is the case, as Denmark has a general data retention obligation for CSPs, without any limitation to geographical areas or the group of registered persons or data. Also, the registered persons are not notified of the registration.

Denmark plans to introduce new legislation replacing the Data Retention Order in January 2017, and consequently the recent Tele2/Watson case is highly relevant in Denmark. It will be interesting to follow, whether the Data Retention Order is repealed all together, whether new legislation similar to legal interception is introduced, or if Denmark maintains its right to a general data retention obligation in spite of the Tele2/Watson ruling.