Wednesday, April 30, 2014

ECJ invalidates data retention directive

ECJ Invalidates data retention

On 8 April 2014 the Grand Chamber of the European Court of Justice (ECJ), in joined cases C-293/12 and C-594/12, issued a landmark decision declaring the 2006 data retention directive invalid.

The data retention directive was the instrument through which the EU required communications service providers, both fixed line and mobile, to store details of everything everyone does on the telephone or internet, for a period of between 6 months and two years. The details of what was required to be collected were laid out in article 5 of the directive and the only thing not permitted was recording of the content of calls or messages.

The ECJ decided that mass indiscriminate data retention interferes disproportionately and in a particularly serious manner with the fundamental rights to privacy and the protection of personal data.

The challengers

Digital Rights Ireland (DRI) and 11,130 Austrian citizens whose case was joined to that of DRI challenged the directive, ostensibly arguing it constituted an unlawful and unacceptable interference with fundamental rights to privacy and free speech. The Court focused on the effects of the data retention directive on articles 7 and 8 of the Charter of Fundamental Rights of the European Union - respect for private and family life and protection of personal data.

The Grand Chamber of the court proceeded to declare the directive invalid and effectively condemned pre-emptive, suspicionless, warrantless mass surveillance and consequent "interference with the fundamental rights of practically the entire European population".

Introduction and legal context

The Court opens by explaining Digital Rights Ireland challenged the implementation of the data retention directive into Irish law and the Austrian Constitutional Court, Verfassungsgerichtshof, was asked to consider the constitutionality of the Austrian implementation of the directive. They then set out the legal context.

The objective of the data protection directive, directive 95/46/EC, is to protect people's privacy. The aim of the directive on privacy and electronic communications, directive 2002/58/EC, is to harmonise privacy rights and allow sharing of data within and across the EU. Both these directives require appropriate technical and organisational measures to protect the security of personal data. The 2002 directive prohibits surveillance without user consent, in theory. It has, however, the enormous loophole of article 15, which states any necessary, appropriate and proportionate measure can be used to bypass obligations to respect fundamental rights, when those measures are for national security or crime fighting reasons. Article 15 also specifically appears to approve of the retention of data.

The data retention directive itself obliged communications service providers to retain data. Under article 3, EU member states were required to adopt measures mandating data retention of categories of data specified in article 5. (Take a look at the list of information retained. It's almost unbelievable). Under article 4, access to this retained data would only be available to "competent national authorities" in specific cases and in accordance with national law. Article 6 specified the data should be retained for between 6 months and 2 years. Article 11 basically says when it comes to data retention the need to respect a basic level of fundamental rights theoretically noted in article 1 of the 2002 e-privacy directive could be ignored.

DRI and Austrian cases

The Court then outlines the Digital Rights Ireland and Austrian cases in paragraphs 17 to 22. DRI argued the directive constituted a disproportionate interference with fundamental rights to respect for privacy and family life, data protection and freedom of expression & information, guaranteed under articles 7, 8 and 11 of the Charter of Fundamental Rights of the European Union. Austrian citizens Mr Seitlinger, Mr Tschol et al sought the annulment of the Austrian law implementing data retention. The Austrian Court took the view that data retention, because of the indiscriminate nature and scale of it, almost exclusively affects innocent people. The Verfassungsgerichtshof also felt data retention could not achieve its objectives and was disproportionate, so they also asked the European Court of Justice to review whether data retention constituted a disproportionate interference with fundamental rights guaranteed under articles 7, 8 and 11 of the Charter of Fundamental Rights of the European Union. Additionally the Verfassungsgerichtshof suggested the data protection directive and articles 52 and 53 of the Charter of Fundamental Rights presented barriers or at least limitations to data retention.

Next the ECJ considers the substance of the questions before them. They acknowledge (para 27) that the data mandated for retention taken as a whole provides a very rich picture of people's lives. Also that people might well adjust their behaviour and self censor due to the chilling effect of the knowledge of the mass data gathering (para 28). So there is a clear acceptance by the ECJ that freedom of expression protected by article 11 of the Charter could be on the line. They do not however pursue this to any solid conclusion and focus instead on matters of privacy and data protection, relating to articles 7 & 8 of the Charter.

Interference with privacy and data protection

The heavy lifting in the decision is then laid out from paragraph 32 to 71.
"32. ... Directive 2006/24... derogates from the system of protection of the right to privacy established by Directives 95/46 and 2002/58"
The data collected does not have to be sensitive or to inconvenience people in any way to establish the existence of an interference with the fundamental right to privacy. (Para 33). Data retention "constitutes in itself an interference with the rights guaranteed by Article 7 of the Charter." (para 34). Access to the data retained by competent national authorities is an interference with the rights guaranteed by Article 7 of the Charter. (para 35). Likewise because the directive provides for the processing of personal data it is an interference with the fundamental right to data protection covered by article 8 of the Charter. (para 36). Paragraph 37 merits quotation in full:
"37.  It must be stated that the interference caused by Directive 2006/24 with the fundamental rights laid down in Articles 7 and 8 of the Charter is, as the Advocate General has also pointed out, in particular, in paragraphs 77 and 80 of his Opinion, wide-ranging, and it must be considered to be particularly serious. Furthermore, as the Advocate General has pointed out in paragraphs 52 and 72 of his Opinion, the fact that data are retained and subsequently used without the subscriber or registered user being informed is likely to generate in the minds of the persons concerned the feeling that their private lives are the subject of constant surveillance."

Justification for interference with fundamental rights

Having declared the interference with the fundamental rights to privacy and data protection particularly serious, the Court then must look at the justification for and proportionality of this interference. It finds the 2006 directive wanting on both counts.

Article 52(1) of the Charter of Fundamental Rights of the EU states that any circumvention of those rights must be proportionate, strictly limited and necessary to meet objectives of general interest or to protect the freedoms of others.

In paragraphs 39 and 40, the Court then makes a rather fuzzy attempt to step back from the absolutist stance it appears to have been shaping up to take against data retention.
"39... it must be held that, even though the retention of data required by Directive 2006/24 constitutes a particularly serious interference with those rights, it is not such as to adversely affect the essence of those rights given that, as follows from Article 1(2) of the directive, the directive does not permit the acquisition of knowledge of the content of the electronic communications as such."
This does not sit logically with the earlier acceptance in paragraphs 27 & 28 that metadata provides a very comprehensive picture of people's lives which could have a chilling effect on freedom of expression. It also seems something of a non sequitur - how must it be held that data retention constitutes a particularly serious interference with fundamental rights, yet not be such as to adversely affect the essence of those rights?

Paragraph 40 says the essence of article 8 data protection rights is not adversely affected because the text of the data retention directive includes a note that says data protection must be respected. On that basis you could stick a token 'respect data protection' clause in every liberty-bashing regulatory instrument and not "adversely affect" data protection.

The object of the data retention is to fight serious crime and article 6 of the Charter of rights lays down the fundamental right to security. So fighting serious crime is a legitimate 'objective of general interest.' And communications technology is an important crime fighting tool. So
"44.  It must therefore be held that the retention of data for the purpose of allowing the competent national authorities to have possible access to those data, as required by Directive 2006/24, genuinely satisfies an objective of general interest."

Disproportionate nature of the data retention directive

The objective of data retention is acceptable. But is data retention a proportionate way to achieve that crime fighting objective? Proportionality requires acts of EU institutions to "not exceed the limits of what is appropriate and necessary in order to achieve" the objective in hand, in this case fighting serious crime.

The ECJ takes guidance from the European Court of Human Rights decision in 2008, S and Marper v UK, on the retention of DNA and fingerprints.
"47. ... the EU legislature’s discretion may prove to be limited, depending on a number of factors, including, in particular, the area concerned, the nature of the right at issue guaranteed by the Charter, the nature and seriousness of the interference and the object pursued by the interference (see, by analogy, as regards Article 8 of the ECHR, Eur. Court H.R., S. and Marper v. the United Kingdom [GC], nos. 30562/04 and 30566/04, § 102, ECHR 2008-V)."
Privacy and data protection are fundamental and so the discretion of the EU legislature to interfere with them is reduced and any review of that discretion should be strict. (para 48). Data retention may be appropriate for crime fighting. (Para 49). The fight against serious crime requires modern techniques but that doesn't mean the kind of mass data retention required by the directive is necessary. (Para 51). Data protection is especially important for privacy.
"54. Consequently, the EU legislation in question must lay down clear and precise rules governing the scope and application of the measure in question and imposing minimum safeguards so that the persons whose data have been retained have sufficient guarantees to effectively protect their personal data against the risk of abuse and against any unlawful access and use of that data (see, by analogy, as regards Article 8 of the ECHR, Eur. Court H.R., Liberty and Others v. the United Kingdom, 1 July 2008, no. 58243/00, § 62 and 63; Rotaru v. Romania, § 57 to 59, and S. and Marper v. the United Kingdom, § 99)."
Data retention should have clear rules on scope and application and minimum safeguards against unlawful access. The unstated critique is that the directive fails on all counts.
"55.  The need for such safeguards is all the greater where, as laid down in Directive 2006/24, personal data are subjected to automatic processing and where there is a significant risk of unlawful access to those data (see, by analogy, as regards Article 8 of the ECHR, S. and Marper v. the United Kingdom, § 103, and M. K. v. France, 18 April 2013, no. 19522/09, § 35)."
Safeguards are particularly important with respect to the automatic large scale processing of data. Again the 2006 directive fails.
"56. ... Directive 2006/24... entails an interference with the fundamental rights of practically the entire European population." [My emphasis]
"57.   In this respect, it must be noted, first, that Directive 2006/24 covers, in a generalised manner, all persons and all means of electronic communication as well as all traffic data without any differentiation, limitation or exception being made in the light of the objective of fighting against serious crime." [My emphasis]
Paragraph 58 goes on to criticise Directive 2006/24's mandate to engage in the mass surveillance of innocent people not remotely connected to serious crime. Additionally it circumvents rules protecting privileged communications.

Then in recognition of the need for targeted rather than mass surveillance they state:
"59.  Moreover, whilst seeking to contribute to the fight against serious crime, Directive 2006/24 does not require any relationship between the data whose retention is provided for and a threat to public security and, in particular, it is not restricted to a retention in relation (i) to data pertaining to a particular time period and/or a particular geographical zone and/or to a circle of particular persons likely to be involved, in one way or another, in a serious crime, or (ii) to persons who could, for other reasons, contribute, by the retention of their data, to the prevention, detection or prosecution of serious offences."
That paragraph alone could be interpreted as a serious judicial uppercut to the UK government's mass surveillance practices revealed by Edward Snowden. At the risk of being boring I'm going to repeat my old mantra here.  It is unnecessary and completely disproportionate, not to mention dangerously ineffective, to collect innocent communications in order to find serious criminals. Finding a terrorist or serious criminal is a needle in a haystack problem – you can’t find the needle by throwing infinitely more needle-less electronic hay on the stack.  Law enforcement, intelligence and security services have to be able to move with the times. They need to use modern digital technologies intelligently in their work and through targeted data preservation regimes – not the mass surveillance regime they are currently operating – engage in technological surveillance of individuals about whom they have reasonable cause to harbour suspicion. That is not, however, the same as building an infrastructure of mass surveillance or facilitating the same through the legal architecture of directives like 2006/24 on data retention.

The ECJ follows up this mass surveillance critique with a clear declaration in paragraph 60 that the data retention directive sets no limits restricting access to and use of retained data to the purpose of fighting serious crime, and no criteria for determining such limits. In a way paragraphs 60 to 68 provide a blueprint for the Commission and particularly rabid surveillance-addicted governments to re-write the data retention directive in a way that might be acceptable to the ECJ, since these paragraphs spell out what is missing from the directive and might be read as suggesting 'make a token effort with these things next time and you'll be ok.'

Para 61 criticises Directive 2006/24's lack of procedures on determining access to data or its use or even limiting these to crime fighting. Para 62 notes the directive does not limit the number of people with access to the retained data to those strictly necessary. Nor does it subject access to the data to the prior review or oversight of a court, in order to limit access to that which is strictly necessary. Nor are member states obliged to set down such procedures.

Para 63 complains that the blanket data retention mandated doesn't make any distinction between categories of data. Para 64 says there is not even an attempt to justify the arbitrary period of retention chosen of between 6 months and 2 years.

Then comes the clincher.
"65.  It follows from the above that Directive 2006/24 does not lay down clear and precise rules governing the extent of the interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter. It must therefore be held that Directive 2006/24 entails a wide-ranging and particularly serious interference with those fundamental rights in the legal order of the EU, without such an interference being precisely circumscribed by provisions to ensure that it is actually limited to what is strictly necessary." [My emphasis]
"66.   Moreover, as far as concerns the rules relating to the security and protection of data retained by providers of publicly available electronic communications services or of public communications networks, it must be held that Directive 2006/24 does not provide for sufficient safeguards, as required by Article 8 of the Charter, to ensure effective protection of the data retained against the risk of abuse and against any unlawful access and use of that data. In the first place, Article 7 of Directive 2006/24 does not lay down rules which are specific and adapted to (i) the vast quantity of data whose retention is required by that directive, (ii) the sensitive nature of that data and (iii) the risk of unlawful access to that data, rules which would serve, in particular, to govern the protection and security of the data in question in a clear and strict manner in order to ensure their full integrity and confidentiality. Furthermore, a specific obligation on Member States to establish such rules has also not been laid down." [My emphasis]
Para 67 says the 2006 directive doesn't specify a high enough data security threshold and doesn't require the irreversible destruction of data at the end of the retention period. Then in 68 the ECJ has serious concerns that the data retention directive does not require data to be retained within the borders of the EU. So control by an independent authority of data protection and access to the retained data cannot be fully ensured. Such control is an essential cornerstone of EU data protection law.

And that's the ballgame

They conclude:
"69. Having regard to all the foregoing considerations, it must be held that, by adopting Directive 2006/24, the EU legislature has exceeded the limits imposed by compliance with the principle of proportionality in the light of Articles 7, 8 and 52(1) of the Charter.
70. In those circumstances, there is no need to examine the validity of Directive 2006/24 in the light of Article 11 of the Charter.
71.  Consequently... Directive 2006/24 is invalid."
In short, the data retention directive presents a disproportionate interference with the fundamental rights to respect for private and family life and the protection of personal data. Consequently the directive is invalid, null and void. And because it is invalid on privacy grounds the ECJ don't see the need to pursue the question of whether it also might be invalid on the grounds of Article 11 of the Charter of Fundamental Rights relating to freedom of expression.

If the Charter of Fundamental Rights proves to have staying power as the legislative architecture protecting the rights of EU citizens into the distant future, then this ECJ decision could well prove to be historic, on a par with the civil rights cases of the US Supreme Court such as Brown v the Board of Education or the NYT v Sullivan. Only time will tell whether it achieves that fame or notoriety but it was certainly a welcome development in the battle to avoid a mass-surveilled future.

Congratulations and thanks to TJ McIntyre, Simon McGarr and Digital Rights Ireland and to Mr Seitlinger, Mr Tschol et al and the Austrian Constitutional Court, the Verfassungsgerichtshof, in what was a long and difficult battle and a hard fought but very welcome victory in the end.
