The European Parliament’s legal advisors have issued a report into the repercussions of last year’s ruling by the Court of Justice of the European Union, in which the CJEU struck down the E.U. Data Retention Directive. And the lawyers’ opinions suggest that surviving national data retention laws are on shaky ground.
The Directive forced E.U. member states to have a data retention regime in which telecommunications and internet service providers had to maintain records of their customers’ communications – metadata about who contacted whom and when, as opposed to the contents of those communications. After the CJEU judgement in April 2014, countries including Austria, Slovenia and Romania scrapped their national data retention laws (a couple others, notably Germany, had already rolled theirs back on constitutional grounds).
However, some countries have continued or – in the case of the U.K. with its DRIPA surveillance law — even expanded their national data retention regimes. Here’s a breakdown of what the Legal Service department said about the ruling’s implications in that regard (a copy of the opinion was obtained and published by the digital rights group Access).
- The CJEU ruling was specific to the Data Retention Directive, which had been challenged by Digital Rights Ireland (DRI), so it did not have a direct effect on national data retention laws, apart from saying that it’s now okay by the E.U. for countries to repeal them.
- With the Data Retention Directive now out of the picture, the continuing national laws are now governed by the earlier e-Privacy Directive of 2002, which allows member states to implement data retention regimes “when such restriction constitutes a necessary, appropriate and proportionate measure within a democratic society to safeguard national security (i.e. State security), defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system.”
- Because member states’ national data retention laws are therefore still in the realm of E.U. law, they have to be compatible with the E.U.’s Charter of Fundamental Rights, specifically Articles 7 and 8, which set out the rights to privacy and personal data protection respectively, and Article 52(1), which says any limitations to rights must be proportionate.
- The Charter is what informed the CJEU judgement striking down the Data Retention Directive – the court said the directive was not proportionate and didn’t provide “clear and precise rules” to limit the interference to what is “strictly necessary” and provide “minimum safeguards”.
- Therefore, countries maintaining national data retention laws must re-examine those laws to check whether they fulfil the requirements “as interpreted by the Court of Justice in the DRI judgement”, and fix them if they’re not. What’s more, anyone who wants to challenge those national laws can now point to the CJEU judgement as a guideline, even though it doesn’t have a direct effect.
- The same goes for existing E.U.–level data retention programs such as the Terrorist Finance Tracking Programme (TFTP) and the Union’s international passenger name record (PNR) agreements – they’re still valid, but if someone wants to challenge the legality of those, they can also point to the CJEU’s DRI judgement. The CJEU ruling should also be heeded when formulating any new E.U. data retention legislation. As it happens, TFTP and the international PNR agreements are about to be renegotiated.
This is particularly good news for the two British members of Parliament that are challenging DRIPA in the U.K. High Court. DRIPA was fast-tracked as an “emergency” law because the Data Retention Directive had been implemented in the U.K. as secondary rather than primary legislation, so the government feared that the CJEU judgement left it without a proper legal justification for continuing to demand that ISPs and web service providers keep retaining communications data.
DRIPA is temporary, time-limited to the end of 2016, but the underlying primary legislation that it expands on – the Regulation of Investigatory Powers Act (RIPA) – is not. RIPA is however up for review, as the government will want to make the DRIPA powers permanent before the end of 2016, so those conducting the review will now also need to take the E.U. legal advice into account.
RIPA was designed as anti-terrorist legislation but it’s widely used by local authorities in the U.K. to spy on citizens, in order to see whether they’re putting their trash out in the prescribed manner or trying to cheat their kids into schools in a different neighborhood. It’s also used to spy on lawyers and journalists. Around half a million RIPA requests for communications data are made each year.
The CJEU ruling will make it hard to justify the continuation of this situation, and even in the case of terrorism and more serious crime, the British government may have a struggle proving the proportionality of its mass surveillance regime. Proper reviews of data retention laws in other countries such as Sweden may uncover similar problems.