On 8 April 2014 the European Court of Justice (“ECJ”) in the “Digital Rights Ireland case” declared the Data Retention Directive 2006/24/EC (the “Directive”) invalid, creating uncertainty for providers of public communications networks and publicly available electronic communications services (“Communications Providers”) as well as reviving the age-old debate in respect of individuals’ rights to privacy versus national security.

What?

The Directive was passed in 2006 amidst growing concerns in respect of counter-terrorism and crime prevention.  It amended EU Directive 2002/58/EC (on privacy and electronic communications) and aimed to harmonise national measures across the EU relating to the retention of communications data.  The Directive requires Communications Providers to retain certain data in relation to users’ communications in order to detect, investigate and prosecute serious crime.  Such data includes “personal data” such as traffic and location data (such as phone numbers dialled, email addresses sent to and the location of the device from which the communication was sent, depending on the communications technology used) but not the content of the communications themselves. 

The implementation of the Directive proved controversial in a number of Member States not least because it failed to set clear criteria on how Member States were to apply a number of its provisions and safeguard individual rights. The Irish and Austrian courts proceeded to refer questions to the ECJ in respect of whether the Directive was compatible with the fundamental rights guaranteed to citizens by the Charter of Fundamental Rights of the EU (“Charter Rights”).

In a detailed judgment the ECJ declared that although the Directive pursued a legitimate aim (the prevention, detection and investigation of serious crime) it disproportionately restricted individuals’ Charter Rights under Article 7 (respect for private and family life) and Article 8 (protection of personal data).  Consequently, the ECJ ruled the Directive invalid.  In essence the ECJ:

  1. found that the Directive covered in a generalised manner all means of electronic communications, without any differentiation, limitation or exception and therefore affected all persons using electronic communications services without providing for rules relating to professional secrecy;
  2. stated that not only was there a general absence of limits in the Directive, it also failed to set out objective criteria to determine the limit of access of the competent national authority to the data and its subsequent use.  Nor did the Directive contain any substantive or procedural conditions relating to the access and use by the competent authorities of the retained data or any form of prior review by a court or independent body to ensure access was strictly necessary for the purposes to be achieved; and
  3. criticised the Directive’s requirement for communications data to be retained for periods of between 6 months and 2 years (as determined by individual Member States) without any distinction being drawn between the categories of data and their possible usefulness in relation to the objective to be achieved.

In summary, the ECJ considered that the Directive did not provide for sufficiently clear and precise rules governing the extent to which the fundamental freedoms in Articles 7 and 8 of the Charter could be interfered with and to ensure that such interferences were strictly necessary.

In addition to the privacy concerns set out above, the ECJ’s decision also raised concerns around the security of retained data.  It considered that the Directive did not ensure, as required by Article 8 of the Charter, that effective protections were put in place to prevent the abuse and unlawful access and use of the retained data, nor did it require that data to be retained within the European Union.  In particular it felt that the nature of the data being retained needed to be taken into consideration when putting in place security and procedural safeguards, including the large amounts of data to be stored, the sensitivity of the data and the risk of unlawful access to it.

So what?

Whilst the Directive has been ruled invalid, with the ECJ’s decision applying from the day that the Directive came into force, the national implementing laws of Member States remain intact although they may be subject to challenge.  The decision of the ECJ is therefore likely to have a range of different consequences for the various stakeholders that are covered by the Directive, as well as potentially other areas of law in the UK.  We have examined some of these areas below:

The Regulation of Investigatory Powers Act

The ECJ’s decision could lead to further questions being asked, not only about the approach to retaining data, but also to accessing it.  Whilst the comments made by the ECJ were directed at the provisions of the Directive they could equally apply to other measures providing access to retained data, for instance under RIPA.  At present RIPA provides a broad range of “designated persons” with potential access to communications data.  Following the decision in the Digital Rights Ireland case we would question whether further concerns could be raised as to the scope of, and the rights granted to, such designated persons under RIPA. 

As with the Data Retention Directive, RIPA has been subject to intense scrutiny since it came into force (especially in relation to balancing the rights of privacy and the requirements of law enforcement).  In “Freedom from suspicion: surveillance reform for a Digital Age”, dated October 2011, JUSTICE stated that “RIPA has not only failed to check a great deal of plainly excessive surveillance by public bodies over the last decade but, in many cases, inadvertently encouraged it.  Its poor drafting has allowed councils to snoop, phone hacking to flourish, privileged conversations to be illegally recorded, and CCTV to spread.”  The Bar Council of England and Wales, in its response to the proposed Communications Data Bill in January 2012, also raised the concern that RIPA fails to recognise privileged communications.  Following the decision in the Digital Rights Ireland case and its express reference to putting rules in place to ensure professional secrecy, this issue, and the scope of the access to data, is likely to be something that will need to be addressed either in the new provisions for the retention of data or under RIPA itself.

Security and Protection of Data

From a data protection standpoint, the ECJ’s decision has further highlighted the longstanding tug of war between the rights of individuals’ privacy and protection of personal data and the importance of ensuring national security.  The ECJ’s judgment in the Digital Rights Ireland case is littered with privacy-centric themes and although the legal question to be answered was one of “proportionality”, it hinged on the seriousness of the Directive’s interference with individuals’ personal data. 

The decision also coincided with the Interception of Communications Commissioner’s 2013 annual report which, the Prime Minister stated, found that “interception agencies undertake their roles conscientiously and effectively, and that public authorities do not engage in indiscriminate random mass intrusion” and aptly underlines the other side of the privacy coin. 

In addition EU-wide legal reforms have been proposed in respect of the processing of personal data by all organisations generally (General Data Protection Regulation) as well as by public bodies or ‘competent authorities’ (proposed directive COM 2012/010). The ECJ’s decision is therefore likely to impact on the content, interpretation and/or timing of the reforms. 

Member States

The current quandary facing individual Member States is whether to reflect the ECJ’s decision in their national laws now or to wait and see what approach the European Commission adopts going forward.  This decision is further complicated as discussed above by the potential overlap with other areas of law that might be impacted by the Digital Rights Ireland decision. 

The ECJ in its judgment clearly set out a number of concerns that will need to be addressed by the European Commission in reformulating any future legislation relating to the retention of and access to communications.  The question that arises from this is what form such changes will take.  A new Directive would appear to be the most obvious course, although the time that it may take to finalise such a measure could prove to be problematic, especially considering the current uncertainty facing Communications Providers.  The European Commission may as a result prefer to implement any new measures in the form of a regulation. There would be a number of potential benefits in using a regulation, including avoiding potential problems with the implementation of its requirements by Member States as it will have direct effect.

Communications Providers

As discussed above the resulting conflict between national and European positions has created uncertainty in respect of what and how Communications Providers should retain communications data covered by the Directive whilst ensuring compliance with national implementing measures.  It also makes planning for future resourcing and storage requirements for their networks extremely difficult at a time when providers may be investing in future roll-outs.

In Sweden there have been reports of Swedish Communications Providers declaring that they are no longer retaining the relevant data off the back of guidance from national authorities.  However, currently, no such guidance has been provided in the UK and therefore Communications Providers may be unclear as to how to proceed.  In our view until such time as guidance is provided in the UK Communications Providers should continue to retain communications data in accordance with the Data Retention Regulations so as not to be found to be in breach of their current legal requirements.  

At a practical level Communications Providers might also want to consider, in addition to the data protection measures discussed earlier, revisiting the security measures they have in place to protect any personal data which they retain to ensure that the personal data is: (i) adequate, relevant and not excessive in relation to; and (ii) not kept for longer than is necessary for, the purpose(s) for which it is retained.