On 21st December 2016 the Court of Justice of the EU (CJEU) delivered judgment on the joined cases of Tele2 Sverige from Sweden and the Davis/Watson reference from the UK. The case was discussed yesterday on this site by Dr Gunnar Beck. My own view is that the CJEU’s decision is the most spectacular demonstration to date of the reach of the EU Charter of Fundamental Rights, and one whose ramifications are calamitous.
The focus of the applicants in the UK case was on independent authorisation before access to retained data, but the CJEU based its decision on a wider basis. It held that EU law wholly precludes any national legislation in a member state which:-
(1) requires internet providers on a general basis to retain data as to who, when, where communicated; or
(2) permits access by national authorities to any data which may be held by internet providers unless inter alia,
(a) the objective of access is fighting serious crime; and
(b) the data must be retained within the EU.
Whilst the ruling in form is purely declaratory on preliminary references by the Swedish and UK courts, its likely consequence is that the UK’s domestic courts will feel bound to “disapply”, i.e. hold displaced by the European Communities Act:-
(i) the Data Retention and Investigatory Powers Act 2014; and
(ii) significant parts of the Investigatory Powers Act 2016.
A requirement on internet providers to retain all communications data for a year existed throughout the EU from 2006 to 2014 under the Data Retention Directive. That EU legislation was then held to be invalid by the CJEU in Digital Rights Ireland. The UK Parliament’s response was hastily to pass the 2014 Act which simply restored that basis for data retention, which the EU’s legislature had considered appropriate.
Tele2Sverige is the first occasion on which the Luxembourg Court has held any national primary legislation to be invalid on the ground of incompatibility with the EU Charter.
Although the impact on the 2014 Act is now of little materiality, the impact on the succeeding 2016 Act would terminate an important part of UK counter-terrorism efforts.
Under the UK’s 2014 and now 2016 Acts, internet providers have to retain for a period of 12 months data showing who has communicated by email with whom, when and where – but, importantly, not the content of the communication. In consequence when authorities identify an individual as a suspect they are not limited to surveillance of his future movements, but can also learn something of his location and contacts in the past. The Court’s Advocate-General gave the experience of the French Government as an example of the value of such communications data:-
“The French Government adds that access to the communications data of persons who were involved in the recent terrorist attacks of January and November 2015 in France was extremely useful in helping the investigators discover the authors of those attacks and their accomplices.” [183]
Despite this, and contrary to the advice of Advocate-General Saumandsgaard, the Court’s decision precludes a general requirement for data to be retained by the internet providers. In doing so the Court went further even than sought by the UK applicants.[1] Others whose opinions the Court rejected included the European Commission, the French and German governments, and Lloyd-Jones LJ, who has previously been ready to support the wide applicability of the EU Charter.[2]
The judgment sees the possibility of a requirement for the retention of data only where objective evidence has shown that there is “a high risk of preparation for or commission of [serious] offences” [111], such as a geographical area. It needs little thought to realise how pointless is this suggestion: even supposing that objective evidence could demonstrate such a high risk amongst, say, the residents of Birmingham, it would surely not take long for those planning terrorist attacks to move to Coventry. As the Advocate-General pointed out:-
“A limitation to a particular geographic area or to a particular means of communication could result in the shifting of activities relating to serious crime to a geographic area and/or means of communication not covered by the regime.” [214]
Whilst it is the prohibition of requiring the retention of data on a general basis which is the most serious set-back for security, other features of the decision are not without their drawbacks. The decision that even targeted data can be the subject of a requirement for retention only where serious crime is involved cuts out another valuable use of the resource of data – namely in tracing missing persons, as the UK’s Independent Reviewer of Terrorism Legislation has pointed out this month.
Another worry is the mandatory stipulation that any data which is accessed must remain within the EU. The terms of the judgment would preclude sharing even with non-EU countries in the EEA. Bean LJ and Collins J in the Divisional Court hearing of the Davis and Watson case rejected such a stipulation, observing that it was “obviously important” that information dealing with terrorism or serious crime should be passed on, and should be available to “friendly powers outside the EU”. After 2019 this stipulation will impact on assistance to the UK, when it has ceased to be in the EU, from the French or German authorities, even if the UK has abandoned a requirement for general data retention.
The justification in legal terms for these restrictions is flimsy. In favour of the Luxembourg Court it must be accepted that, unlike cases such as NS, here the Charter is applicable. That is because the EU’s e-Privacy Directive by the express terms of articles 5 and 15(1) read together confines legislative measures for the retention of data to such as are in accordance with the Charter. But this means no more than that they must comply with two Charter articles.
The first is art 7, stating:
“Everyone has the right to respect for his or her private and family life, home and communications”
This wording is effectively identical to that of ECHR art 8(1), which the Strasbourg Court has never held to preclude general retention for a period, nor even always to require judicial authorisation for access to data. Since the Luxembourg Court, in declining to answer the Court of Appeal’s second question, held that it was irrelevant to ask whether it was giving the Charter a wider meaning than the ECHR, one must presume that the principal basis for the decision was the other article, namely Charter art 8. That provides:-
“(1) Everyone has the right to the protection of personal data concerning him or her.
(2) Such data must be processed fairly for specified purposes and on … some other legitimate basis laid down by law.”
As to limb (1) of that article, internet service providers hold data about only those communications which people have chosen to make by email or similar online function, rather than by post or landline telephone. So there is an element of voluntary choice about the information which senders have permitted the service provider to hold. Nobody could assert that there is a lack of protection in the service holder having the data in the first place. Protection may certainly involve independent authorisation on strict criteria if any security authority is to see the data. But that is a separate question from the general retention issue, which is about no more than the length of time for which this data is held.
That just leaves limb (2) of art 8. But here the Charter argument is equally thin. To hold that legislation enacted by the UK and Swedish parliaments does not constitute a legitimate basis laid down by law is surprising.
There are other weaknesses, too, in the reasoning. No explanation is given for rejecting the consideration which the Advocate-General considered decisive, namely that recital 11 of the e-Privacy Directive states that the Directive does not affect the ability of member states to take measures for the lawful interception of electronic communications. No reason is given for ignoring the Court of Appeal’s reading of the CJEU’s earlier Promusicae[3] decision which allowed a wider reading of the objectives which could justify access to retained data. There is silence on the matter which the British judges regarded as “extraordinary”[4] and “a striking feature”,[5] namely the lack of any reference in Digital Rights Ireland to its inconsistency with the Court’s earlier decision in Ireland v Parliament.
Readers may feel that all this will cease to matter after the UK leaves the EU. But that would be to succumb to the fantasy of a glorious British isolation. In December 2016, the House of Lords EU Select Committee reported that the UK had “a vital national interest” in finding a way to sustain data-sharing for law enforcement purposes with the EU-27. It reported a consensus among law enforcement agencies on the desirability of involvement in inter alia the Passenger Name Records, the European Criminal Records Information Systems and the Schengen Information System. The Committee went on to warn that compliance with EU data protection standards was likely to be a necessary pre-condition for exchanging data for law enforcement purposes with EU countries after Brexit.
There is just one possible “get out of jail” card. That is the EU’s lack of competence in security matters. Art 4(2) of the Treaty on European Union states emphatically: “National security remains the sole responsibility of each Member State”. Furthermore, all the data protection directives specifically state that they have no application to security matters. In particular, the e-Privacy Directive, on which the Tele2 judgment is founded, provides in art 1(3) that it does not apply to activities which fall outside the scope of Community law or to operations concerning public security, defence or activities in the area of the criminal law.
Therefore, when the case returns to the Court of Appeal it will be a tenable argument for the British Government to say that whilst the Tele2 judgment must bring an end to access to retained data in missing persons cases, and, perhaps, also in respect of normal crime, it can have no application to law enacted in relation to terrorism. On that basis it is perfectly arguable that the requirement for general retention by service providers of all data for 12 months can continue. The fact that the Luxembourg Court did not acknowledge this limitation on its judgment ought not to be fatal to this argument. For the reasons adumbrated by Lord Mance in HS2 and Pham[6] it is arguable that the European Communities Act confers no effect on EU decisions which are outside EU competence. Indeed, the Court of Appeal already laid the ground for such a submission by commenting that a wider view than the Applicants’ counsel urged – and the CJEU did choose such a wider view – “would trespass into territory which is outside EU law”.
Bearing in mind the importance of continued collaboration with EU-27 authorities, it could be an aim of our diplomacy to persuade the French and German governments, both of which see no fundamental rights objection to a general retention regime, to present equivalent arguments in their domestic courts. In a recent paper co-authored with Stephen Hockman QC we sought to demonstrate that in the domestic jurisdictions of many member states an EU instrument or decision on a matter held by the national court to be outside EU competences would be of no effect.
Anthony Speaight QC is a practising barrister of Pump Court.
[1] See [82] to 85] in the Court of Appeal judgment in R(Davis & Watson) v Secretary of State [2015] EWCA Civ 1185.
[2] For instance, in R(Zagorski) v Secretary of State [2010] EWHC 3110 (Admin).
[3] Productores de Musica v Telefonica de Espana [2008] ECR I-271.
[4] R (Davis & Watson) v Secretary of State [2015] EWHC 2092 (Admin) at [87], Divisional Court.
[5] R (Davis & Watson) v Secretary of State [2015] EWCA Civ 1185 at [58], Court of Appeal.
[6] Pham v Secretary of State [2015] 1 WLR 1591.