What happened today?
The Grand Chamber of the EU’s Court of Justice (CJEU) gave judgment this morning in the case brought in 2014 by David Davis MP and Tom Watson MP, from which David Davis withdrew on his appointment to Government.¬†¬†They¬†challenged the¬†powers to require the¬†retention of certain types of communications data – not the content, but the “who, where and when” of communications –¬† in the Data Protection and Investigatory Powers Act 2014 (DRIPA 2014).
The Court spelled out the requirements of EU law, specifically, the privacy protections of the EU Charter of Fundamental Rights, in a manner which makes it plain that DRIPA 2014 is incompatible with those requirements.¬† In doing so, it went further than the more¬†pragmatic opinion of its own Advocate General and¬†further also than the existing case law of its sister court, the (non-EU) European Court of Human Rights.
The CJEU¬†considered that¬†DRIPA 2014 “exceeds¬†the limit of what is strictly necessary and cannot be considered to be justified, within a democratic society“: para 107.¬† But it¬†referred the case back to the English Court of Appeal for a decision on the extent to which UK law¬†is consistent with EU requirements¬†(para 124).¬† The¬† battle will resume there in the New Year.
The case (Case C-698/15) was joined with a Swedish case brought by Tele2 Sverige AB (Case C-203/15).¬† The judgment is here¬†watson-judgment, and the Court’s own press release is here watson-press-release.¬† A previous post in which I set out the background is here.
What are the powers in issue?
The power of chief concern to the Court was the¬†power to require¬†communications service providers to retain¬†fixed and mobile call logs (“traffic data”) and mobile phone location data for up to 12 months.
Those powers have been exercised in the UK for many years.¬† The EU’s own Data Retention Directive of 2006, a measure supported by the UK Government which¬†required¬†such powers¬†to be exercised EU-wide, was itself struck down by the Court in 2014 (Digital Rights Ireland).¬† Many Member States have continued to exercise such powers under their own national law, and a number of them (Czech Republic, Cyprus, Estonia, Finland, France, Germany, Ireland, Poland) joined the UK in arguing in this case¬†that the principles set out in¬†Digital Rights Ireland should not be¬†treated as mandatory requirements in these circumstances.
What are the powers used for?
The¬†DRIPA 2014 power at issue in Watson is¬†a relatively familiar and low-tech¬†one: contrast some of the bulk collection powers used by security and intelligence agencies in the UK and other countries whose utility I reviewed in this report of August 2016.¬† (The Treaty on European Union states at Article 4(2) that “national security remains the sole responsibility of each Member State“: the scope of that carve-out remains to be definitively¬†determined.)
Access to retained traffic and location data is however extremely useful to the police and other law enforcement authorities, in the investigation not only of serious crime but e.g.¬†of¬†reported disappearances where examination of¬†the phone records of the missing person may offer clues as to their contacts and so help locate them.¬† During my investigatory powers review of 2014-15,¬†I was¬†left in no doubt as to its value.
Some specific examples of the utility of retained communications data in investigating both missing persons and serious crimes (sexual offences, supply of drugs, trafficking, homicide, terrorism)¬† are at Annex 10 to my June 2015 report, A Question of Trust.¬† Similar examples were provided to the European Commission from a variety of Member States.¬† See further A Question of Trust at 7.47-7.51, 9.21-9.32 and 9.43-9.47.¬† As I wrote at 9.45, retained data may be particularly useful because:
- Conspirators become more guarded in their use of communications as the moment of a crime approaches.¬† Older data may therefore be the best evidence against them.
- It may be relatively easy to arrest the minor players in a drugs importation or smuggling ring.¬† But by going through their historic communications data, it may become possible to trace the bigger players who have taken care to remain in the background.
- A time lapse between the incident and the identification of a suspect will mean that old data is needed.
Law enforcement figures cited at 7.50(c) showed that over a two-week period in 2012, 27% of requests for communications data in terrorism cases and 37% of requests in sexual offence cases were for data more than six months old.
I also quoted Rob Wainwright, the (British) Director of Europol, who gave the following evidence to the European Parliament in late 2014:
“Ask yourself what the end of data retention would mean in concrete terms?¬† It would mean that communications data that could have solved a murder or exonerate a suspect is simply deleted and no longer available.”
The European Commission has been a strong supporter of universal retention of communications data, noting in 2014:
“Data retention enables the construction of trails of evidence leading up to an offence. It also helps to discern or corroborate other forms of evidence on the activities of and links between suspects and victims.¬† In the absence of forensic or eye witness evidence, data retention is often the only way to start a criminal investigation.¬† Generally, data retention appears to play a central role in criminal investigation even if it is not always possible to isolate and quantify the impact of a particular form of evidence in a given case.”
Precisely because suspects¬†are often not¬†known in advance, data retention which is not universal in its scope¬†is bound to be less effective as a crime reduction measure.¬†¬†In addition, a¬†person whose data has not been retained cannot be exonerated by use of that data (e.g. by using location data to show that the person was elsewhere).
The judgment: minimum safeguards
The Court followed its Advocate General (the member of the court entrusted with preparation of a preliminary opinion) in requiring that access to stored data should be restricted to serious crime purposes (para 119) and subject to prior independent authorisation (para 120).¬†¬†Those points¬†were anticipated also by the English High Court in its ruling of July 2015, though on grounds which were doubted by the Court of Appeal in November 2015.
The judgment also¬†introduced a¬†requirement to notify persons affected when such notification is no longer liable to jeopardise an investigation (para 121).¬† It further¬†requires that data must be retained in the EU (para 122: this is not currently the case for all data).
The judgment: principle of general data retention
The¬†wider significance of the Grand Chamber’s judgment is in its ruling that the whole principle of¬†what it called “general and indiscriminate retention” (para 97)¬†is¬†contrary to EU law – specifically the Charter of Fundamental Rights.¬† Though¬†some¬†saw this bold conclusion prefigured¬†in Digital Rights Ireland,¬†the High Court, the Court of Appeal¬†and the CJEU’s own Advocate General all chose to avoid it in Watson.¬† Indeed as Open Rights Group reminds us, even Tom Watson’s advocate, Dinah Rose QC,¬†submitted that the position¬†later¬†taken by the CJEU¬†was “wholly impracticable“.¬† Her¬†case was, rather, that a general retention obligation could be lawful¬†so long as accompanied by an access regime with sufficiently stringent safeguards.
The judgment of the CJEU was thus a genuinely radical one.¬† The proven utility of existing data retention powers, and the limitations now placed on those powers,¬†is likely to mean that¬†it¬†will be of¬†serious concern¬†to law enforcement both in the UK and in other Member States.¬†¬†On the other side of the balance, not everyone will agree¬†with the Court’s¬†view that these powers constitute a “particularly serious” interference with privacy rights,¬†or that they¬†are “likely to cause the persons concerned to feel¬†that their private lives are the subject¬†of constant surveillance” (para 100).¬†¬†A more rigorous analysis of proportionality¬†would¬†have¬†focussed on¬†any actual harm that¬†this useful power might¬†be shown to have caused over its years of operation,¬†and sought to avoid¬†assertions¬†based on theory or on¬†informal predictions of popular feeling.
It must be acknowledged, however, that feelings on these matters¬†do vary¬†at least to some extent across Europe.¬† Thus:
- The comments of the CJEU in relation to the seriousness of the interference with privacy¬†find no real¬†echo¬†in the three parliamentary and expert reports which led to the introduction of the Investigatory Powers Bill, nor in the regular reports of the Interception of¬† Communications Commissioner, the senior former Judge who conducts detailed oversight of this activity in the UK.
- But in the eastern part of Europe and in Germany,¬†historic¬†experience, coupled with a relative lack of exposure (until recently) to terrorism have induced greater circumspection.¬† National data retention rules have proved controversial and were annulled¬†even before Digital Rights Ireland in Bulgaria, Romania, Germany, Cyprus and the Czech Republic.
This may reflect what I have previously described as “marked and consistent differences of opinion between the European Courts and the British judges … which owe something at least to varying perceptions of police and security forces and to different (but equally legitimate) conclusions that are drawn from 20th century history in different parts of Europe” (A Question of Trust, 2.24).
The qualms expressed by the Court¬†in relation to the principle of universal data retention did not¬†extend to a retention obligation “based on objective evidence which makes it possible to identify a public whose data is likely to reveal a link, at least an indirect one, with serious criminal offences …“.¬† Indeed the CJEU advised that:
“Such limits may be set by using a geographical criterion where the competent national authorities consider, on the basis of objective evidence, that there exists, in one or more geographical areas, a high risk of preparation for or commission of such offences” (para 111).
Did¬†the Court¬†mean by this that it could be acceptable to¬†perform “general and indiscriminate retention” of data¬†generated¬†by¬†persons living in a particular town, or housing estate, whereas it would not be acceptable to retain the data of persons living elsewhere?¬†¬†Such geographical profiling¬†could prove “wholly impracticable“,¬†in the phrase of¬†Dinah Rose QC.¬† If attempted, it would¬†certainly raise¬†extremely sensitive¬†legal and ethical issues.¬† Those issues were¬†not touched upon¬†in the judgment.
Impact¬†on the Investigatory Powers Act 2016
DRIPA 2014 expires anyway at the end of 2016: but the judgment¬†has significance¬†for the Investigatory Powers Act 2016, which¬†received Royal Assent on 29 November and provides for¬†data retention powers similar to (indeed in some respects more extensive than) those contained in DRIPA 2014.
The precise impact of the judgment will have to be worked out over the weeks and months ahead, with the assistance of the Court of Appeal which referred questions to the CJEU for a preliminary ruling and to which the answers have now been returned (para 124).¬† But its consequences¬†are likely to¬†have to include the amendment of the Investigatory Powers Act 2016, either by further primary legislation or by a statutory instrument (secondary legislation) under the European Communities Act 1972.
And after Brexit?
The UK remains bound by decisions of the CJEU, including this one,¬†until such time as it has left the EU.
But even after Brexit, it will not be possible to ignore¬†its data protection judgments¬†altogether.¬† The sharing of personal data with non-EU countries, in particular, is subject to certification by the EU that their data protection standards are adequate.¬† In the¬†2014 case of Schrems,¬†the CJEU held that this required the non-EU country to provide for “a level of protection of fundamental rights essentially equivalent to that guaranteed in the EU legal order“.¬† The implications of this for countries such as the USA and Canada (and in due course, no doubt, the UK) were explored with admirable clarity by Jemima Stratford QC and Graham Smith in this recent seminar.¬† See, to similar effect, para 118 of last week’s House of Lords EU Committee Report.
This important judgment is bound to feature in law exams across Europe this summer.¬† If I were setting a question,¬†it would be this one:
“Lives are ruined by crime, not by the properly safeguarded use of general data retention¬†to fight crime.¬† Discuss.”
That question¬†will¬†continue to be debated in many forms and for many years.¬†¬†It is to be hoped that¬†those debates¬†will generate light¬†as well as¬†heat.¬†¬†For this to happen, the participants – legislators, courts, NGOs, academics¬†and students – need to avoid trading prejudices,¬†and instead make productive use of¬†the increasing evidence¬†base relating to¬†both the harm and the utility of bulk data retention.
[amended¬†23 Dec 2016, 2300]