Case note Digital Rights Ireland, Joined Cases C-293/12 and C-594/12, 8 April 2014
‘The modern dream of the totalitarian police , with its modern techniques, is incomparably more terrible. Now the police dreams that one look at the gigantic map on the office wall should suffice at any given moment to establish who is related to whom and in what degree of intimacy’1
Facts
Joined Cases C-293/12 and 594/12 in which the applicants consisted of private as well as public parties ranging from Digital Rights Ireland Ltd (DRI) to the Kärnter Landesregierung and some 11 128 others. The defendants were made up of the Minister for Communications, Marine and Natural Resources, the Minister for Justice, Equality and Law Reform, the Commissioner of the Garda Síochána.
The High Court of Ireland and the Constitutional Court of Austria (Verfassungsgericht) both made preliminary references respectively regarding the legality and compatibility of the implementations and amendments made pursuant to Directive 2006/24/EC, also known as the Data Retention Directive. This directive is controversial because it imposes the duty on member states to adopt measures that aim to harmonize the rules for telephone companies and internet service providers alike to ensure the indiscriminate retention of traffic and location data (metadata) for a minimum of half and a maximum of two years. The aim of these measures is to ensure their availability for the purpose of the investigation, detection and prosecution of serious crime. In his opinion the Advocate General concluded that the Directive is incompatible with Article 52(1) CFR because it lacked
necessary principles to govern safeguards regulating access and use of the data retained and
specifically article 6 of the Directive was incompatible with Article 7 and 52(1) CFR, because it lacked necessary principles to govern safeguards regulating access and use of the data retained.
Judgment
In examining all the questions of the referring courts together the Court found that the question asked was essentially whether Directive 2006/24 was valid in the light of Articles 7, 8 and 11 CFR [23].
The focal point of the directive is the obligation under Article 3 on providers of publicly available electronic communications services or of public communications networks to retain the data listed in Article 5 with the purpose of making them accessible, if necessary, to the competent national
authorities [25]. These data do not involve content data, but all data related to the process of communication: source, destination, date, time, duration, type of communication equipment, calling telephone number, number called, IP address etc. They allow very precise conclusions to be drawn about the private lives of the persons concerned such as habits, places of residence, movements, activities, social relationships and social environments frequented [26,27]. The Court furthermore notes that this might have an effect on the use of these devices and subsequently on the freedom of expression [28]. The retention of data constitutes the processing of personal data [29]. The
references raise the question of principle if these data may be retained in the light of Article 7 CFR and if the directive meets the requirements for the protection of personal data that follow from Article 8 CFR [30].
1 H. Arendt, The Origins of Totalitarianism, USA, World Publishing Company , p. 434.
The Court continues to examine the interferences with Article 7 and 8 CFR. The retention and subsequent access to data constitutes a derogation from the system of protection of the right to privacy established by Directive 95/46 and 2002/58 with regard to the processing of personal data in the electronic communications sector, which see to the confidentiality of communications and traffic data as well as the obligation to erase those data or make them anonymous when they are no longer needed [32]. Whether the data is sensitive or the subjects have been inconvenienced does not matter for the question whether an interference can be established [33]. The mere obligation for providers of publicly available electronic communication services and of public communication networks to retain the data mentioned in Article 5 of the directive constitutes an interference with the rights under article 7 CFR [34]. The subsequent access constitutes a further interference [35]. The Court holds that the directive constitutes an interference with the right to the protection of personal data because it provides for processing [36].
In the next step the Court questions the justification of the interference. For an interference to be justified it must be provided for by law, respect the essence of the rights and, subject to the principle of proportionality, limitations can be made if they are necessary and genuinely meet objectives of general interest [38]. First the Court establishes that even though the interference is particularly serious, there is no adverse effect to the essence of the rights protected by Article 7 CFR, because the directive does not permit the acquisitions of knowledge of the content of the communications [39].
The essence of the right to the protection of personal data is also not considered to be adversely affected, because Article 7 of the directive provides that certain principles are adopted that ensure that appropriate technical and organizational measures are adopted against accentual or unlawful destruction, accidental loss or alteration of the data [40]. After the Court establishes that the material objective of the directive is the fight against serious crime and therefore genuinely satisfies an objective of general interest [44], it engages in verifying the proportionality of the interference [45]. It first establishes that acts of the EU institutions should not exceed the limits of what is appropriate and necessary in order to achieve legitimate objectives. The nature and seriousness of the
interference with the right to private life caused by the directive reduces the discretion of the EU legislature which should be strictly reviewed [48]. Although the Court holds that the retention is appropriate for attaining the objective [49], it does not find that this objective justifies the retention measure established by the directive [51]. The Court repeatedly emphasizes the importance of the right to the protection of personal data for the right to respect for private life [48, 53]. It holds that the right to respect for private life requires that derogations and limitations in relation to the
protection of personal data must apply only in so far as is strictly necessary [52]. The directive should entail clear and precise rules governing the scope and application of the measure and impose minimum safeguards in order to provide sufficient guarantees against unlawful access and use of that data. The Court then continues to enumerate the all-encompassing nature of the retention measure:
the directive applies to all means of electronic communications which entails an interference with the fundamental rights of practically the entire European population [56], it concerns all persons using electronic communications services no matter the relation to the threat to public security [59]. In relation to the limits to access to the data the Court establishes that the directive lacks an objective criterion by which to determine these and only refers in a general manner to ‘serious crime’ [60].
There are not substantive and procedural conditions relating to the access by the competent national authorities, only that it should be in accordance with necessity and proportionality requirement [61].
Furthermore there is no objective criterion to limit the number of persons authorised to access and subsequently use the data [62], nor for the determination of the retention period which is set at a minimum of 6 and a maximum of 24 months [64]. From all this it follows that the directive does not lay down clear and precise rules that limit the interference to what is strictly necessary [65]. With regard to the security and protection of data the Court notes that the directive does not lay down rules nor obligations for member states to establish rules regarding the effective protection of retained data against the risk of abuse and against any unlawful access and use of this data [66]. The directive does not ensure a particularly high level of protection and security from the providers and does not ensure the irreversible destruction of the data at the end of the data retention period [67].
Furthermore, it does not require the data to be retained within the EU, resulting in the potential loss of control from the independent data protection authority (Article 8(3) CFR). The Court concludes that having regard to the foregoing considerations, the EU legislature has exceeded the limits imposed by compliance with the principle of proportionality in the light of Article 7, 8 and 52(1) CFR [69].
Comment
This judgment of the ECJ offers enough food for thought. I pick some of the Court’s considerations to elaborate a bit further on some issues of interest. The referring courts asked among others whether Directive 2006/24 was compatible with the right to privacy as laid down in Article 7 CFR and 8 ECHR and whether the directive was compatible with the right to protection of personal data as protected under Article 8 CFR. The Court therefore had a unique opportunity to elaborate on the relationship between the scope and limitation mechanism of these rights in the context of surveillance measures that exist of the retention and access to data.
The first indication that the two rights differ in scope is when the Court reasons that the preliminary ruling in the present case raise ‘the question of principle as to whether or not, in the light of Article 7 of the Charter, the data of subscribers and registered users may be retained, they also2 concern the question of principle as to whether Directive 2006/24 meets the requirements for the protection of personal data arising from Article 8 of the Charter’ [30]. The Court is clear in stating that the mere obligation to retain the data constitutes an interference with the rights under article 7 CFR [34] and the access to these data results in a further interference with these rights [35]. Then it takes a shortcut and states that ‘likewise, Directive 2006/24 constitutes an interference with the
fundamental right to the protection of personal data guaranteed by Article 8 of the Charter because it provides for the processing of data’ [36]. It is not clear what the Court means by this, but it seems to indicate that the scope of the two rights overlap when it comes to the protection offered against interferences with the right to private life which consist in the processing of personal data. Although not new in the Court´s considerations, I would like to highlight the Court´s phrase that according to its
´ case law the protection of the right to respect for private life requires ´derogations and limitations in relation to the protection of personal data must apply only in so far as is strictly necessary (Case C- 473/12 IPI EU:C:2013:715, paragraph 39 and the case-law cited)´ [52]. This consideration suggests that the proportionality of an interference with the right to private life can be tested by assessing whether the limitation of the right to personal data protection is strictly necessary. Remarkably, it replaces the right to respect for private life in the proportionality test for the right to the protection of personal data. It is unclear why the Court does this. There must be an underlying assumption that
2 Added by the author.
the two rights are mutually interchangeable. This assumption is wrong. Although the scope of the two rights can overlap, their substance is different. Inherent to the right to data protection is a limitation of the right to privacy. Data protection is a two-pronged right which does not only serve the data subject, but also the data controller. In fact, the main rationale for the adoption of Directive 95/463, which Article 8 Charter was partly inspired on, was the completion of the single market. The Court’s conflation of the right to privacy and the right to protection of personal data neglects the fact that the latter is a two-pronged right that serves the person whose data is processed as well as the processor of this data. There is a balancing exercise inherent to the right to data protection, between the free movement of personal data and the protection of private life.4By replacing the right to private life for the right to personal data protection the Court executes a balancing exercise with a right that is a balancing exercise in itself.
The differences between the two rights is supported by the conclusion of the AG in which he considers the following:
‘Since the “private sphere” forms the core of the “personal sphere”, it cannot be ruled out that legislation limiting the right to the protection of personal data in compliance with Article 8 of the Charter may nevertheless be regarded as constituting a disproportionate interference with Article 7 of the Charter’ [61 Opinion].
This indicates that the AG holds that the right to the protection of personal data offers less protection than the right to privacy. Consequently, an interference with these rights can be compliant with Article 8 CFR, yet result in a disproportionate interference with Article 7 CFR. Although the relevance to this particular case is minimal, it does expose a flaw in the Court’s execution of the proportionality test. The AG reasoning is that when personal data are involved that ‘relate essentially to private life’
and ‘the confidentiality of private life’ [65], ‘they raise an issue which essentially precedes that of their processing, relating primarily to the privacy guaranteed by Article 7 of the Charter and only secondarily to the guarantees concerning the processing of personal data referred to in Article 8 of the Charter’[66]. So before questions concerning the protection of personal data are asked, first the necessity of the interference i.e. the initial collection itself should be reviewed for compliance. In line with the AG’s thoughts it is fair to conclude that the Court’s emphasis on the importance of the protection of personal data for the right to respect for private life [53] results in omitting to question the necessity of the initial collection of metadata.
Besides the recognition that the fight against terrorism and organized crime is indeed a legitimate general interest, the rest of the judgment came down to the conclusion that all provisions regarding the retention and subsequent access to data adopted in the directive were essentially flawed. The Court observes that the mere retention of all traffic data constitutes an interference with the 'fundamental rights of practically the entire European population' (56), 'without any differentiation, limitation or exception being made in the light of the objective of fighting against serious crime' (57), without the persons whose data is retained being 'in a situation which is liable to give rise to criminal prosecutions' (58), nor requiring a relationship between the data retained and a threat to public security (59) and concludes that there is a general absence of limits with regard to the retention (60).
This is even further aggravated by the lack of limits regarding the access to this data [61, 62] and the indiscriminate minimum retention period [63, 64]. It is hard to understand the judgment of the Court different than a general ‘no’ to blanket data retention. Therefore it is all the more surprising that the 3 Directive 1995 on the protection of individuals with regard to the automatic processing of personal data.
4 CJEU, Lindqvist, C-101/01, 6 November 2003, § 97.
Court held that the directive did not adversely affect the essence of the right protected under Article 7 CFR, based on the consideration that it does not retain content data. Especially since the Court itself expresses that the data retained allow very precise conclusions to be drawn about people their private lives [27] which in effect has a chilling effect on the freedom of expression5 [28] for practically the entire European population [56]. This interference is the direct result of vaguely described powers attributed to member states by the EU legislature which render it impossible for citizens to
understand when and under what circumstances their data retained by default may be accessed and by whom. I might have misread my dystopian novels in highschool, but to me this does sound like a disturbing cross-over between a Kafkaesk and Orwellian society. In my view the Court could have used this opportunity to state that blanket data retention is irreconcilable with the rule of law. The Court’s distinction between content data and metadata reminds of the initial attempts of the legislature to justify this mass surveillance measure.6 However, the separation of metadata and content data is increasingly irrelevant. This view is even supported by persons in high executive positions in the intelligence community. NSA General Counsel Stewart Baker stated that ‘metadata absolutely tells you everything about somebody’s life. If you have enough metadata, you don’t really need content.’7 When David Cole confronted his opponent, General Michael Hayden (former director of the NSA and the CIA), with this quote he replied ‘absolutely correct’ and raised the stakes: ‘We kill people based on metadata.’8
The Court’s choice to execute a more formal proportionality test, i.e. on the missing safeguards and lack of procedural and substantive conditions, is essentially equal to finding that the directive does not meet the requirement of being provided for by law. From the established absence of limits with regard to retention of as well as the lack of an objective criterion to regulate access to data, the Court could have easily concluded that the directive fails to meet the requirement of foreseeability, instead of moving to the proportionality test which should be secondary. The European Court of Human Rights held in several cases that for the law to be foreseeable it should be formulated with sufficient precision to enable the individual to regulate his conduct and that detailed rules are especially important in the light of the continuing development of more sophisticated technology.9 Furthermore the ECtHR held that the law must provide an adequate indication in which circumstances in general and under which conditions public authorities are allowed to resort to "this secret and potentially dangerous interference with the right to respect for private life and correspondence".10 Under blanket data retention, which lacks an operational rationale, the individual’s only certainty is that all of his electronic communications are retained and made available for potential access. Therefore blanket data retention seems inherently contradictory to the requirement of foreseeability. Moreover, the ECtHR has held on several occasions that the essential object of the right to private life is to protect the individual from arbitrary interference by public authorities. The initial collection of personal data that the directive prescribed constituted the first interference with the right to private life and the
5 This is due to the interference with confidentiality of communications. Privacy is constitutive to the exercise of the right to freedom of expression.
6 In a footnote of the proposal of the draft framework decision on the directive it is written that the Presidency proposed to replace ‘data’ by ‘communication data’ in Article 1 to prevent confusion about the kind of data that is meant and ‘in particular to make it apparent that content data is not included’. Clearly, the thought behind this is that this type of data is less personal and this justifies the retention.
7 See http://www.nybooks.com/articles/archives/2013/nov/21/snowden-leaks-and-public/, last seen 17th of June 2014.
8 See http://www.nybooks.com/blogs/nyrblog/2014/may/10/we-kill-people-based-metadata/, last seen 17th of June 2014.
9 ECtHR, Huvig v. France, application no. 11105/84, 24 April 1990, § 32.
10 ECtHR, Malone v. The United Kingdom, application no. 8691/79, 2 August 1984, § 67.
lack of limits on this collection in itself is arbitrary. Blanket data retention is the codification of arbitrariness and therefore irreconcilable with the essence of the right to private life.
