The Court of Justice of the European Union (the "CJEU") has ruled that EU Member States cannot pass laws that require communications service providers to carry out general and indiscriminate retention of communications data and location data. Moreover, the CJEU stated that where such data are retained, they can only be accessed by national law enforcement agencies in limited circumstances. The ruling casts the UK's new Investigatory Powers Act 2016 into doubt.
On 21 December 2016, the CJEU issued its judgment in joined cases C‑203/15 and C‑698/15 ("Home office v Watson") which had been referred by the Administrative Court of Appeal of Stockholm and the Court of Appeal of England and Wales, respectively. The CJEU analysed Article 15(1) of Directive 2002/58/EC (the "ePrivacy Directive") and Articles 7, 8 and 52(1) of the Charter of Fundamental Rights of the European Union (the "CFEU") and held that those provisions impose strict limits on: (i) the extent to which EU Member States may collect communications data; and (ii) the purposes for which those data may be used.
In 2006, the EU issued the Data Retention Directive (2006/24/EC) which obliged EU member states to require communications service providers to retain communications data for between 6 and 24 months. The validity of the Data Retention Directive was challenged in a case called Digital Rights Ireland (Case C-293/12). In April 2014, the CJEU held that certain provisions of the Data Retention Directive violated Articles 7 and 8 of the CFEU. Consequently, the CJEU invalidated the Data Retention Directive. However, it was unclear whether this simply meant that the Data Retention Directive was unlawful, or whether it also meant that all national laws of EU Member States that have the same effect as the Data Retention Directive are also unlawful.
In July 2014, in response to the Digital Rights Ireland judgment, the UK implemented the Data Retention and Investigatory Powers Act 2014 ("DRIPA") to allow the UK's security services to continue to have access to phone and internet records of individuals. DRIPA is set to expire on 31 December 2016. Meanwhile, two Members of Parliament, Tom Watson and David Davis, brought a legal challenge against DRIPA. That challenge was heard in the Court of Appeal, which decided in November 2015 to refer two questions to the CJEU, regarding the impact of the decision in Digital Rights Ireland on DRIPA. In parallel proceedings, a Swedish court decided to refer similar questions to the CJEU. The CJEU joined the two cases, published its judgment on 21 December 2016. In the interim, as we previously reported, the UK has passed the Investigatory Powers Act 2016 (the "Act"), to replace DRIPA from 1 January 2017. As set out below, CJEU's decision in Home Office v Watson casts the position of the Act into doubt.
The CJEU's decision in Home Office v Watson
In response to the questions raised by the referring courts, the CJEU ruled that Article 15(1) of the ePrivacy Directive, read in light of Articles 7, 8 and 52(1) of the CFEU, must be interpreted as meaning that:
(1) EU Member States cannot pass national legislation requiring general and indiscriminate retention of communications data or location data; and
(2) Where communications or location data are retained:
- access by national authorities in EU Member States to such data must be limited to purposes that are necessary in order to fight serious crime (which appears to include the fight against terrorism, but would appear to exclude, for example, access by the Food Standards Agency, which the Act currently permits);
- access by national authorities in EU Member States to such data must also be subject to prior approval from a court or independent administrative authority (i.e., it appears that a warrant will be required in all cases before retained data can be accessed by law enforcement agencies); and
- national law should require that those data are kept within the EU (i.e., the routine transfer of retained communications data from EU law enforcement agencies to their counterparts in the US and elsewhere appears to be unlawful).
Impact on the Investigatory Powers Act 2016
First, it seems clear that the Act cannot be used to require providers of communications services to conduct general and indiscriminate retention of communications data. However, the CJEU made clear in its judgment that EU Member States are not prevented from adopting legislation that permits, as a preventive measure, the targeted retention of communications data for the purpose of fighting serious crime, provided that such retention is limited with respect to: (i) the categories of data to be retained; (ii) the means of communication affected (e.g., emails, SMS messages, faxes, etc.); (iii) the persons concerned (i.e., the measures are targeted against specific individuals or groups); and (iv) the retention period, which must be limited to what is strictly necessary. It now appears that the Act will need to be interpreted in light of these limitations.
Second, the Act is not compliant with any of the three requirements given in the CJEU's response (2) above:
- The Act currently allows access to retained communications data by a number of government bodies, such as the Food Standards Agency, for purposes other than fighting serious crime. It appears that, following the CJEU's ruling, the list of law enforcement agencies with access to these data will need to be narrowed to those involved in fighting serious crime.
- While the Act does provide for warrants to be issued upon review by the newly created Investigatory Powers Commissioner, together with one of a number of appointed judicial commissioners, it also allows, in urgent cases, for warrants to be issued without judicial approval subject to review by a judicial commissioner within five working days. This seems inconsistent with the CJEU's insistence that there must be prior review by a court or an independent administrative authority.
- It is highly likely that any data retained under the Act was intended to be shared with non-EU security agencies (such as the United States' National Security Agency) but this would now appear to be in contravention of the limb (c) of the CJEU's response (2) above
Consequences for businesses
The Act, in its present form, imposes significant obligations on providers of electronic communications services to retain communications data, and exposes such data to interception, decryption and analysis by numerous UK law enforcement agencies. The CJEU's decision in Home Office v Watson appears to materially curtail the application of the Act, and may prevent UK law enforcement agencies from accessing data in some circumstances. This is likely to trigger further litigation in the UK, regarding the balance between the need for surveillance to combat crime and terrorism on the one hand, and the right to privacy on the other. Meanwhile, all businesses that either provide or use electronic communications services (which is almost all businesses in the UK) should keep a close eye on future developments in light of this case, in anticipation of the Court of Appeal's response to the CJEU's ruling.
Chris Ewing, a Trainee Solicitor at White & Case, assisted in the development of this publication.