In a judgment that will be of interest to electronic communication service providers, the European Union Court of Justice (CJEU) held that national legislation requiring the general and indiscriminate retention of electronic communication is unlawful. The CJEU stipulated that national legislation should only require data surveillance where it is strictly necessary in order to combat serious crime.
In 2014, Advocate General Saugmandsgaard Øe declared that national legislation providing for the general and indiscriminate retention of traffic and location data of all subscribers and registered users of electronic communication services was incompatible with the e-Privacy Directive. It was stated that interference with individuals’ fundamental right to privacy and protection of personal data should be limited to what is strictly necessary. Further, the opinion stated that the Directive’s data retention requirements were not accompanied by sufficient safeguards concerning data protection, access to data, and the period of retention.
Following this opinion, the telecommunications company, Tele2 Sverige, informed the Swedish Post and Telecom Authority that it was erasing all previously recorded data. This proposed action was in direct contravention of the Swedish law requiring providers of electronic communications services to systematically and continuously retain the traffic and location data of all of their subscribers and registered users.
At the same time, three individuals (Tom Watson, Peter Brice and Geoffrey Lewis) commenced proceedings in England challenging the UK’s surveillance laws. Their claim sought to dispute the legality of GCHQ’s bulk interception of call records and online messages. As part of their claim, they contested the rules permitting the Secretary of State for the Home Department to require electronic communication operators and public communication networks to retain all data relating to communications for up to 12 months.
A reference was made to the CJEU in respect of these cases. At issue was whether there are EU standards on data retention that need to be reflected by domestic legislation. In particular, the CJEU was asked whether the following would be compatible with any such EU standards:
1. the imposition of a general and indiscriminate obligation on providers of electronic communication services to retain customers’ traffic and location data; and
2. the provision for competent authorities to access this data in situations where the objective pursued was not for the sole purpose of combatting serious crime.
The CJEU followed the principles set out in the 2014 opinion of Advocate General Saugmandsgaard Øe and held that legislation permitting the general and indiscriminate retention of all traffic and location data is incompatible with EU law. The court stated that electronic communications allow “very precise conclusions to be drawn concerning the private lives of persons whose data has been retained”. Given the serious implications of this, legislation permitting the general and indiscriminate retention of data would exceed the limits of what is strictly necessary and justifiable within a democratic society.
Consequently, the court held that only targeted interception of traffic and location data for the objective of combatting serious crime was justified. In its ruling, the court stipulated that national surveillance legislation should be clear, precise and provide sufficient guarantees of the protection of data against misuse. In particular, legislation must be clear on the categories of data that may be collected, the type of communication which may be monitored, the categories of persons affected and the maximum retention period.
The ruling is especially significant for the United Kingdom’s Investigatory Powers Act 2016 (which replaces the Data Retention and Investigatory Powers Act 2014). It makes the Act vulnerable to further legal challenges on the basis that it does not ensure adequate protection of personal data, including against mass surveillance by public authorities.
Any such legal challenge might have consequences similar to those witnessed in 2015 in relation to the EU-US Safe Harbor framework, where an initial challenge before the Irish data protection regulator led to the framework being held invalid for not providing sufficient protection of personal data, as required under EU law.
The case will now return to the Court of Appeal, which will have to determine whether, in light of this ruling, the Investigatory Powers Act 2016 violates the right to private life and the right to the protection of personal data.