Advocate General Saugmandsgaard Øe has opined that a general obligation to retain data imposed by a member state on providers of electronic communication services may be compatible with EU law but that it is imperative that such an obligation be circumscribed by strict safeguards.
The Advocate General's advice has been given in relation to the joined cases C-698/15 R (Davis, Watson, Brice & Lewis) v Secretary of State for the Home Department and C-203/15 Tele 2 Sverige AB v Post- och Telestyrelsen. Both were referred to the ECJ following the Court's ruling in Digital Rights Ireland, requesting an indication on whether a general obligation to retain data is compatible with EU law.
In references for a preliminary ruling made by the Kammarrätten i Stockholm (Administrative court of Appeal, Stockholm, Sweden) and the Court of Appeal (England and Wales) (Civil Division), the Court was requested to indicate whether a general obligation to retain data is compatible with EU law (in particular the Directive on privacy and electronic communications and certain provisions of the EU Charter of Fundamental Rights).
In its judgment in Digital Rights Ireland and Seitlinger and others (joined Cases C-293/12 and 594/12) of 2014, the Court of Justice invalidated the Data Retention Directive (Directive 2006/24/EC), on the grounds that:
- The general obligation to retain certain data imposed by that directive constituted serious interference with the fundamental rights to respect for private life and to the protection of personal data; and
- The rules accordingly established were not limited to what was strictly necessary for the purpose of the fight against serious crime.
The day following the delivery of the judgment, the telecommunications undertaking Tele2 Sverige notified the Swedish telecoms authority of its decision to cease retaining the data and of its proposal to delete the data already stored. Swedish law requires providers of electronic communication services to retain certain personal data of their subscribers.
In the UK, Tom Watson MP and David Davis MP brought actions against the British data retention rules, which authorise the Home Secretary to require public telecommunications operators to retain all communications data for a maximum period of 12 months, with it being understood that the retention of the content of those communications is excluded.
Detail of the Opinion
In his Opinion, the Advocate General stressed the need to find a balance between a nation's need to effectively fight serious crime, such as terrorism, and individuals' fundamental rights. He found that a general obligation to retain data may be compatible with EU law, although any action by an EU Member State against the possibility of imposing such an obligation is subject to satisfying strict requirements. The national courts should determine, in the light of all the relevant characteristics of the national regimes, whether those requirements are satisfied. The Advocate General set out the following interpretations of the requirements:
- The general obligation to retain data and the accompanying guarantees must be laid down by legislative or regulatory measures;
- The obligation must respect the essence of the right to respect for private life and the right to the protection of personal data laid down by the European Charter for Human Rights;
- Any interference with the fundamental rights should be in the pursuit of an objective in the general interest. He considered that the fight against serious crime alone is capable of justifying a general obligation to retain data, whereas combating ordinary offences and the smooth conduct of proceedings other than criminal proceedings are not;
- The general obligation to retain data must be strictly necessary to the fight against serious crime;
- The general obligation to retain data must be proportionate.
The Advocate General's Opinion, if followed or extended by the CJEU, could have important implications for the Investigatory Powers Bill currently making its way through Parliament. The Bill as it stands would probably not satisfy a requirement for prior review of requests for access to communications data by an independent body. The Bill currently lists eleven purposes for which communications data may be obtained, with a scope that goes far beyond "serious crime", including, for example, "public health" and "regulation of financial services".
The Advocate General’s use of the term "cataloguing entire populations" to characterise the intrusive nature of meta-data analysis appears to suggest that he thinks the old data retention regime, implemented in the Data Retention and Investigatory Powers Act 2014 (DRIPA), is at the margins of what the CJEU would consider proportionate. This leaves an open question as to whether the even more intrusive and controversial measures in the Investigatory Powers Bill, such as bulk surveillance and the filtering obligations, would be capable of withstanding a future legal challenge that used this case as a precedential basis.
While the Advocate General's Opinion is not binding on the CJEU, the court's judgments have historically tended to follow the Advocate General's stated views.