The EU Charter of Fundamental Rights precludes the “general and indiscriminate retention of traffic data and location data” and “the Member States may not impose a general obligation to retain data on providers of electronic communications services.” This is clear following the Court of Justice of the European Union’s judgment of 21 December 2016 in Tele2 Sverige[1] which affirms that Court’s previous judgment in Digital Rights Ireland,[2] from 2014. In that judgment the CJEU held that the EU’s Data Retention Directive[3] was invalid. Some EU member states, such as Sweden and the U.K., then continued to oblige telecommunications providers to generally retain data under their national laws. Shortly before Christmas, in Tele2 Sverige, the CJEU held that such national laws must similarly comply with the Charter’s data protection rules and may thus be similarly invalid.
The Significance of Tele 2 Sverige
The Tele2 Sverige judgment is of great significance for a number of reasons. First, the CJEU made clear that the data retention laws of member states must comply with EU data protection rules. Some member states thought that the derogations provided by EU Directive 2002/58 allowed them to introduce national laws governing the general retention of personal data by private companies outside the scope of EU data protection law and the judgment of the CJEU in Digital Rights Ireland in particular.
Second, the CJEU reiterated its judgment, in Digital Rights Ireland and Schrems, that generalised and indiscriminate surveillance is not permissible under EU law. Every phone call, text or internet connection that is made generates data about the location, time and duration of that communication. As the CJEU held, this “retained data, taken as a whole, is liable to allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained.”
Third, the CJEU accepted that it may be necessary to retain data in some circumstances, such as in respect of “a public whose data is likely to reveal a link, at least an indirect one, with serious criminal offenses, and to contribute in one way or another to fighting serious crime or to preventing a serious risk to public security.” Data retention might be lawful if limited on the basis of geography, such as a city centre, where there exists a high risk of preparation for or commission of such offences.
Fourth, the CJEU outlined the criteria a national data retention law needs to satisfy in order to comply with EU data protection law. Such a law must lay down clear and precise rules and impose minimum safeguards; it must indicate the circumstances and conditions under which data retention may be adopted as a preventative measure. This is to limit such retention to what the CJEU underlines as “strictly necessary.” Where data is retained, such retention must “meet objective criteria, that establish a connection between the data to be retained and the objective pursued.” These objective criteria must be assessed against objective evidence. While the CJEU allows that member states may require that data to be retained, such requirements will not be easily or lightly imposed.
Fifth, the CJEU stated unequivocally that “the data concerned should be retained within the European Union.” This statement appears to preclude, or imply the need for further legislation authorising, the transfer of personal data outside the EU including the EEA.
In contrast to many of the CJEU’s recent judgments in the areas of monetary policy and EU citizenship law, the Tele2 Sverige judgment is commendable by the standards of traditional judicial reasoning. Articles 7 and 8 EU Charter guarantee the right to private life and to the protection of personal data in broad terms and so warrant a generous interpretation of the individual rights under both provisions. Moreover, there is no restrictive directly effective provision of equal or indeterminate normative status in the EU Treaties which mandates a restrictive interpretation of the scope of either right in relation to the field of electronic communications data retention. The CJEU in Tele2 Sverige further rightly notes that exceptions and derogations to fundamental rights guaranteed by EU law must be interpreted narrowly and not go beyond what is strictly necessary to achieve countervailing public policy objectives, although it should not be forgotten that the principle of the narrow construction of all derogations from treaty provisions was itself established by the CJEU in the absence of a clear basis in the Treaties. Finally, the CJEU’s approach in Tele2 Sverige closely follows the reasoning in the earlier Digital Rights Ireland case in which the CJEU had declared the Data Retention Directive invalid on the grounds that the EU legislature has exceeded the limits imposed by compliance with the principle of proportionality in the light of Articles 7, 8 and 52(1) EU Charter.
Six Further Observations on Tele2 Sverige
The Tele2 Sverige decision further merits the following observations. First, the respondent member states argued that the national legislation in question concerned the ‘retention’ and not the ‘processing’ of personal data. At first sight, this argument might appeal on literal grounds. However, as the ‘processing’ of such data requires their prior ‘retention’, the Court’s ruling may be defended on the grounds that if ‘data processing’ is covered by EU legislation which is subject to judicial review by the CJEU, so must national legislation governing the prior ‘retention’ of such data as there can be no ‘processing’ without ‘retention’, with the risk of unlawful processing inevitably magnified if the prior indiscriminate detention were exempted from the need for compliance with the EU Charter. Article 3 of Directive 2002/58 further makes clear that the Directive applies to all “processing of personal data in connection with the provision of publicly available electronic communications services in public communications.” It is not unconvincing to conclude, as the CJEU does, that the term “data processing … in connection with” provisions of electronic communications also covers the intermediate retention of such data of the relevant communications. Second, the Court’s Judgment may also be defended against criticisms that Article 1(3) of Directive 2002/58 expressly excludes state “activities concerning public security, defence, State security.” The offending national legislation in Tele2 Sverige governs the retention of data by commercial electronic communication providers, not state activities. Third, the Court’s emerging and so far expansive interpretation of data protection guarantees under EU law follows on from the Court’s strict adherence to established procedural rights guarantees in the area of EU sanctions law. In both areas the CJEU has not shirked away from questioning EU as well as implementing national legislation on the grounds of their non-compliance with applicable rights guarantees under EU law. This is so notwithstanding the obvious political dimension of its rulings, and despite the overt contrary political preferences of many member states and their willingness to intervene alongside the respondent EU institution or member state in key proceedings.
Fourth, the Court’s refusal, at least to date, to compromise broadly phrased rights guarantees in the age of terrorism may be viewed as judicial obstruction hindering the implementation of strong anti-terrorism measures. In the author’s submission, however, such criticism is misplaced. At least in theory, the EU courts are charged with upholding the natural meaning of the EU Treaties (including the Charter) and of EU legislation against transgressions by the lawmaker and executive at both EU and national level. All too often the EU courts have failed in this respect, just as the European Commission all too often ignores its role as guardian of the Treaties when political convenience or the demands of further integration dictate otherwise. However, it is not the function of courts to defer to political convenience and to adjust or vary the natural meaning of legal provisions in accordance with the exigencies of the time or the requirements of the ideological commitment to ‘ever closer union’. If the lawmaker adopted or agreed treaties or legislation that was ill-thought out, ill-worded or simply ill-suited to the times, the courts should give effect to it and it is the lawmaker, not the courts, which should bear the blame for any ensuing inconvenience or deleterious consequences.
Fifth, while the Court’s reasoning may be commended for its consistency in recent cases in holding both EU member states and the EU law-making institutions to the same standard of rights protection, the EU courts all too often hold the member states to a higher standard of compliance than the EU institutions. It is therefore apt to be somewhat cautious in lavishing too much praise on the CJEU for its apparently even-handed commitment to rights protection. In both the fields of data protection and EU sanctions, the expansive interpretation of rights guarantees under EU law also meant that the court consolidated its own expansive human rights jurisdiction vis-à-vis the highest national courts and extended the EU’s ever expanding human rights regime into areas of law that have nothing to do with the EU’s classical internal market economic governance competences. The apparent disinterested concern for individual rights, the demands of “ever closer union” and the Court’s institutional self-interest in expanding its own jurisdiction thus all pull in the same direction, and it is difficult to say which of these factors is the determining motive and which are simply collateral side effects.
Finally, the Court’s decision in Tele2 Sveridge is ultimately based on a proportionality assessment weighing the respecting weight of the right to data protection versus the demands of public security concerns. By hinting that measures which stop short of all-out retention such as targeted measuring collating data of well-defined groups of people may in certain circumstances be compliant with the EU Charter, the Court implicitly opened the door to further legal uncertainties and future litigation. It is rather doubtful that the question of data retention for the benefit of anti-terrorist agencies has been settled for good, or even for long. And when it may be reopened, the Court may finally yield to many of the political pressures that it has so far – generally rightly – resisted.
Dr Gunnar Beck is an EU lawyer and legal theorist. He practises at Essex Court, Chambers of The Rt Hon Sir Tony Baldry, and is Reader in Law at SOAS, University of London.
[1] Joined Cases C – 203/15 Tele2 Sverige AB v Post-och telestyrelsen and C – 698/15 Secretary of State for the Home Department v Tom Watson and Others
[2] Joined Cases C‑293/12 and C‑594/12)
[3] Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks.