Data Retention: About Haystacks and Needles?

April 16, 2014

In line with the recent outcry against wholesale data collection and retention (‘getting the haystack to find the needle’) the Court of Justice of the EU held on 8 April 2014[1] that the Data Retention Directive 2006/24/EC is invalid, as it breaches Articles 7 and 8 of the EU Charter of Fundamental Rights.[2]

Background and Judgment

The first request for a preliminary ruling was made by the Irish High Court in proceedings between Digital Rights Ireland and the Minister for Communications, and the second request came from the Austrian Constitutional Court in a challenge brought by the Government of the Province of Carinthia and 11,130 individual applicants. Both challenges concerned the implementing laws (in Ireland and Austria respectively) transposing Directive 2006/24/EC (the DR Directive) into national law.

Referring to the Data Protection Directive 95/46/EC, in particular its provision on the security of processing of personal data,[3] the Directive on Privacy and Electronic Communications 2002/58/EC, and the DR Directive 2006/24/EC, which together form the applicable legal framework, the Court tested this framework against the provisions on privacy[4] and data protection[5] in the EU Charter of Fundamental Rights.[6]

As readers are no doubt aware, the DR Directive imposed an obligation on Member States to oblige communications service providers[7] to retain certain defined categories of communications data,[8] ie traffic, location and subscriber data, for a period of between six months and two years (at the implementing Member State’s choice).[9]

The DR Directive described the data to be retained in Article 5 as relating to the identities of the source and the destination of a communication (including IP addresses, telephone numbers and subscribers’ details), the date, time and duration of a communication, the type of communication, the equipment used and location data. However, it explicitly excluded from its scope content data, ie the content of electronic communications (eg the body of an email), including information consulted using an electronic communications network (eg the URL of a web site).[10]

As the Court points out, notwithstanding the exclusion of content, this data allows precise conclusions to be drawn about habits of everyday life, permanent or temporary places of residence, daily or other movements, activities carried out, social relationships and networks, and the social environments frequented.[11] Although the data does not include content as such, inferences about a person’s consumption of content or the nature of his/her activities can often be drawn from an IP address or telephone number alone (for example, regular calls to Alcoholics Anonymous). The broad range of data retained not only carries the risk of unlawful abuse, but also creates in users a perception and fear of abuse and constant monitoring, which may lead to self-censorship, thus affecting freedom of expression and engaging Article 11 of the Charter in addition to Articles 7 and 8.[12]

One of the reasons why the DR Directive was found to fall foul of the privacy rights was that it required only that retained data be subject to the same security and protection as data on the network, and that providers take merely ‘appropriate’ technical and organisational measures to protect the data against accidental or unlawful destruction, accidental loss or alteration, or unauthorised or unlawful storage, processing, access or disclosure.[13] Furthermore, Article 17(1) of Directive 95/46/EC on the security of processing of personal data allows data controllers to have regard to the cost of implementing security measures, and requires only a level of security appropriate to the likely risks. The CJEU held that this ‘relative’ security concept is not proportionate to the privacy risks that mass retention of communications data entails (the vast quantity of data, the sensitive nature of some of the data and the risk of unlawful access to it).[14]

The Court pointed out that Directives 95/46/EC and 2002/58/EC provided for the confidentiality of communications data and an obligation to erase or anonymise the data once no longer needed for the purposes for which they were originally collected. Hence, the DR Directive was a derogation from these data protection principles and a restriction of Articles 7 and 8 of the Charter, and must therefore be interpreted narrowly.[15] The Court found that the privacy rights were engaged[16] but that the retention of communications data does not affect the essence of those rights, since it does not permit acquisition of the content of the communications and the DR Directive provides for some security measures.[17] The Court also accepted that the fight against international terrorism and serious crime is a legitimate objective of general interest which can justify some data retention in principle.[18] In a similar vein, the Court stated that electronic communications data is a valuable tool in the fight against organised and other crime.[19] The Court did not accept the argument that, since organised criminals are likely to hide their tracks by using privacy-enhancing technologies so that they cannot be easily traced, the DR Directive is an ineffective measure and hence disproportionate.[20]

However, the CJEU found that the DR Directive was not a proportionate measure[21] on the basis that it was too uncertain, left too many gaps in its implementation and did not provide sufficient safeguards against abuse: ‘the EU legislation in question must lay down clear and precise rules governing the scope and application of the measure in question and imposing minimum safeguards (…)’.[22] This is all the more important given that the DR Directive affects the communications data of the entire European population.[23] The Court criticised both the generalised and the comprehensive nature of the Directive.[24] It stated that there was no differentiation between different types of communications data; that it covered the data of everyone, even though the overwhelming majority of the data retained is not relevant to any criminal investigation or prosecution; that there was no exception for data which is legally privileged; and that there were no restrictions on retention such as particular time periods or geographical zones.[25]

The Court also held that the safeguards were inadequate to comply with the principle of proportionality: access should be made dependent on prior review by a court or by an independent administrative body ‘whose decision seeks to limit access to the data and their use to what is strictly necessary’.[26]

The Court also held that the data retention period was arbitrary and vague (between six months and two years) with no distinction made between different types of communications data.[27]

Finally, the Court found that the Directive should have required that the data in question be retained within the EU.[28]

Commentary

The Court stated that the DR Directive did not only mandate the retention of the defined communications data but also allowed the national authorities access to the data.[29] This statement is, in my view, incorrect, as Article 4 clearly cross-refers to national law, so access depends on the restrictions and conditions laid down in national law.

The Court refused to recognise the dichotomy set up by the DR Directive: on the one hand we had a law regulating data retention at EU level (ie the DR Directive); on the other hand we had a multitude of national laws governing and restricting access to communications data by public authorities in the EU. These national laws must comply with the protection of the fundamental rights to privacy and data protection as laid down in national constitutions and Article 8 of the European Convention on Human Rights (ECHR). Or, put another way, data retention had been harmonised (to an extent) in the DR Directive, but the power to access such retained data had not and was still governed by national law. For example, the Court criticised the fact that the notion of ‘serious crime’ is not defined in the DR Directive and is left to national law,[30] and that the Directive does not stipulate which authorities or persons can access and subsequently use the data.[31]

So effectively what the Court said is that Articles 7 and 8 of the Charter required the harmonisation of the extent of national authorities’ powers to access communications data in conformity with the Charter. Essentially, the Court held that it was not sufficient simply to restrict access in conformity with human rights protection under national law;[32] it was also necessary to limit data retention itself, as retention (the step preliminary to actual access) bears significant data protection and privacy risks of its own. The Court seems to be saying that the national laws of the Member States cannot be trusted to be human rights compliant.

Generally speaking, under the old, pre-internet security paradigm, data was only retained and accessed if there was a particularised and reasonable suspicion that a person had committed a crime or was a terrorist. Under the new, internet security paradigm, the electronic communications data of the whole population can potentially be used to start establishing a suspicion, or in other words ‘you need to get the haystack in order to find the needle’.[33] Although the present case was not about the interception of communications content, or even about access to the communications data, but merely about the retention of the data for potential access, the Court rejected the idea of wholesale data retention, so the haystack must be destroyed, even if it has one or two needles in it. The privacy risks outweigh the potential intelligence value.

This reasoning and evaluation is analogous to the Marper decision of the European Court of Human Rights, where that Court decided that the retention of DNA data of persons not convicted of a criminal offence is contrary to Article 8 of the ECHR, thus prohibiting the police from building a DNA database with wholesale coverage.[34]

This decision comes in the wake of the Article 29 Working Party Report which heavily criticised the implementation of the DR Directive in national laws, and in the procedures of national communications service providers, as a breach of the privacy rights.[35] The implementation of the DR Directive has been controversial and has been challenged before several constitutional courts in the EU. However, one should ask whether it was the DR Directive itself which was not privacy compliant, or the national implementations.

One of the interesting questions raised by this decision is whether national laws which implemented the provisions of the DR Directive are now equally non-compliant with the privacy rights and Article 8 of the ECHR. The decision has the effect of mandating what safeguards Member States have to provide for access to communications data, which goes beyond the scope of the Directive as originally agreed. In practice it will mean that the European institutions will have to go back to the drawing board and provide for greater harmonisation which is also privacy rights compliant.

Dr Julia Hörnle is Professor in Internet Law at the Centre for Commercial Law Studies, Queen Mary University of London and Programme Director for the LLM/Diploma in Computer & Communications Law by Distance Learning

 



[1] Joined Cases C-293/12 and C-594/12 Digital Rights Ireland, Judgment of 8 April 2014, available from the Curia website

[2] 2000/C 364/01

[3] Art 17(1)

[4] Art 7

[5] Art 8

[6] Referred to together in this article for the sake of brevity as ‘privacy rights’

[7] Or more precisely, providers of publicly available electronic communication services or the providers of public communication networks, Art 1 (1)

[8] The term ‘communications data’ is used in this article to mean metadata other than the content of a communication

[9] Arts 3 and 6

[10] Art 1 (2) and Art 5 (2)

[11] Para 27

[12] Paras 28-29, 37

[13] Art 7 (a) and (b)

[14] Paras 66-67

[15] Para 32

[16] Paras 33-36

[17] Paras 39-40

[18] Paras 42, 44

[19] Paras 43, 49

[20] Para 50

[21] Para 69

[22] Para 54

[23] Para 56

[24] Paras 57-59

[25] ibid

[26] Para 62

[27] Paras 63-64

[28] Para 68

[29] Para 32

[30] Para 60

[31] Para 62

[32] And there may be a big question mark over the human rights conformity of Member States’ laws on access to communications data, for example, following Edward Snowden’s revelations about Tempora, Article 8 (5) (a) cannot be considered in compliance with Article 8 of the ECHR

[33] As General Keith Alexander, Director of the US National Security Agency, put it in July 2013; see http://arstechnica.com/tech-policy/2014/02/nsa-head-floats-idea-what-if-we-only-gathered-terrorist-communications/

[34] Referred to by the CJEU in Para 47; see S and Marper v the UK [2008] ECHR 1581

[35] WP172 of 13 July 2010