The Advocate-General of the Court of Justice of the European Union (CJEU) has issued an Opinion concerning the legitimacy of data retention laws in EU member states. Two cases have been referred to the court concerning the legitimacy of the data retention laws in the UK (the Watson/Davis case) and Sweden following the 2014 Digital Rights Ireland case in which the CJEU ruled that the EU Data Retention Directive was incompatible with EU law.
The Opinion, which is not binding on the CJEU but does inform its deliberations, confirmed that general data retention obligations are not prohibited by EU law. However, it also held that the tests set out in the Digital Rights Ireland ruling – the case which led to the invalidation of the Data Retention Directive – do apply to national legislation, an opinion which would imply that the High Court was right to declare DRIPA unlawful in 2015.
The Advocate-General also held that the prevention of “serious crime” is the only “objective in the general interest that is capable of justifying a general obligation to retain data”, bringing into question the current draft of the Investigatory Powers Bill, which lists no less than 11 purposes for which communications data can be accessed.
The Advocate-General re-confirmed that general data retention obligations can, in principle, be consistent with EU law. However, such an obligation is only compatible with EU law when it is used for the objective of fighting against “serious crime.” It is not permissible to use general data retention obligations for combating “ordinary offences” or for other public purposes.
Further, these obligations “must be established in legislative or regulatory measures” and must include adequate safeguards surrounding access to the data. According to the Advocate-General, it would not be sufficient for these safeguards to be provided in codes of practice or internal guidelines which have no binding effect.
Before data retention obligations can be used for this purpose, however, they must be shown to be appropriate, necessary and proportionate. The Advocate-General accepts that general data retention obligations are liable to contribute to the fight against serious crime and can therefore be considered appropriate.
In terms of necessity, the Advocate-General opines that a general data retention obligation can only be considered necessary for the purposes of fighting serious crime if it is accompanied by safeguards concerning access to the data, the retention period and the protection and security of the data. In applying the necessity requirement, national courts must “rigorously verify” that no other measure or combination of measures, such as a targeted data retention obligation accompanied by other investigatory tools, can be as effective in the fight against serious crime. The Advocate-General states that several studies have been brought to the Court’s attention that “call into question the necessity of this type of obligation in the fight against serious crime” given that communications metadata analysis can be used to “catalogue entire populations".
The Advocate-General further considers that all the guarantees described by the CJEU in the Digital Rights Ireland case concerning access to the data, the period of retention and the protection and security of the data are mandatory and consequently must accompany any general data retention obligation. In particular, the Advocate-General opines that it is “imperative” that competent authorities are required to apply to an independent body before they are allowed to access retained data. In cases where the extreme urgency of the situation means that this is not possible, there must be an ex post facto review by that body of access to and use of the data as soon as possible.
The final test that a general data retention obligation must meet is proportionality. To assess this, national courts must weigh the risks posed by such obligations against the advantages they offer. The Advocate-General emphasises that the safeguards set out in the Digital Rights Ireland case referred to above are no more than the minimum and that, consequently, a national regime that includes all of those safeguards “may nevertheless be considered disproportionate” if “the serious risks engendered by such an obligation” outweigh “the advantages it offers in the fight against serious crime.”
Implications for the Investigatory Powers Bill
The Advocate-General’s opinion, if followed or extended by the CJEU, could have important implications for the Investigatory Powers Bill currently making its way through Parliament.
The Bill as it stands would probably not satisfy a requirement for prior review of requests for access to communications data by an independent body.
Section 58 of the Bill currently lists eleven purposes for which communications data may be obtained, with a scope that goes far beyond “serious crime”, including, for example, “public health” and “regulation of financial services”.
The requirement for safeguards to be legally binding could also cause problems for a bill that relies heavily on external codes of practice. The UK government takes the view that Investigatory Powers Bill codes of practice are given statutory effect under the terms of the Bill. However, as leading telecoms law expert Graham Smith points out, “they do so only to the extent of the status conferred by Schedule 7 para 6 of the Bill”. This requires persons acting under the Bill only to “have regard” to the codes of practice.
The Advocate-General’s use of the term “cataloguing entire populations” to characterise the intrusive nature of meta-data analysis does appear to suggest that he thinks the old data retention regime, implemented in DRIPA, is at the margins of what the CJEU would consider proportionate. This leaves a question mark over whether the even more intrusive and controversial measures in the IP Bill, such as bulk surveillance and the filtering obligations, would be capable of withstanding a future legal challenge that used this case as a precedential basis.
The Opinion of the Advocate-General is not binding but is often followed in spirit by the court. In the Digital Rights Ireland case, the CJEU actually went further than the Advocate-General’s opinion in nullifying the Data Retention Directive.
At this stage it cannot be guessed whether any future litigation against the Investigatory Powers Bill based on this case would reach the CJEU before Brexit occurred. It is also possible that the terms of any Brexit might still require the UK to abide by the same principles of European law.
The court’s final judgment will be delivered in the next few months.
For more information, see: