UK parliamentarian deals a punch to data retention, but EU saga continues

Image Source: IT World

Last week, the UK Court of Appeal sent (PDF) an important case involving data retention, Home Secretary vs David Davis, to the Court of Justice of the European Union (CJEU) for clarification. The UK appeals court is requesting that the CJEU clarify what it intended when the court invalidated the Data Retention Directive in April 2014 via its judgment in the Digital Rights Ireland case.

The key questions: In striking down the directive, did the CJEU intend to lay down legislative requirements for data protection that all member states must follow in their own national laws? Did the CJEU also intend to expand the impact of certain articles in the EU Charter beyond the effect established in court cases?

In other words, the UK court is asking whether the EU’s highest court acted as a legislator and overstepped its authority by expanding rights, instead of interpreting them.

These questions are important for a number of reasons. First, the answers could help clarify the extent to which member states have authority to shape national legislation on data retention in the aftermath of the CJEU ruling. This will impact how the right to data protection is treated in member states across Europe going forward.

Second, right now the Luxembourg-led Council of the European Union is asking member states to weigh in on whether the European Commission should develop a brand new Data Retention framework. For human rights advocates, that’s a frightening prospect. It’s not clear from the Commission’s track record in this area that any new framework would adequately protect human rights — especially if you consider the effect of the current political climate in the aftermath of the attacks in Paris. What is decided in this case may have an impact on whether a new framework is developed.

The background in the David Davis case

When the CJEU invalidated the Data Retention Directive in its 2014 Digital Rights Ireland ruling, member states were no longer required to uphold the disproportionate data retention mandates that the EU had earlier prescribed. There are still other rules at EU level for data retention, encompassed in the e-Privacy Directive, which prohibit retaining communications data with the exception of limited, justified mandates that are necessary and proportionate, and in line with the EU Charter.

That said, the CJEU’s ruling did not explicitly address the issue of national legislation. In the absence of needed guidance from the EU Commission on how to implement this ruling, some member states moved forward with surveillance legislation that included data retention provisions. The UK, for example, enacted the highly controversial Data Retention and Investigatory Powers Act (DRIPA).

Due to its massive scope and seemingly careless violation of human rights — including the right to privacy — DRIPA has drawn an avalanche of criticism. In July, the UK High Court ruled that DRIPA is inconsistent with EU law, and ordered that the law cease to be in effect 31 March 2016 — a full ten months earlier than the original sunset. When the government appealed this decision to the UK’s Court of Appeal, the court declined to overturn it, instead referring the case to the CJEU in Luxembourg for clarification.

The UK Court of Appeal’s decision to refer this case to the CJEU is based on the premise that the scope for the collection and retention of data is excessive, allowing authorities to identify the people communicating, when, from where, and with whom, and in certain cases even exposing the content of the communication. Government proponents justify this by arguing that communications data can be used as evidence in court. However, the data collected can be highly revealing and thus intrusive, and there is no evident justification for the current broad scope and form of its collection and retention.

Political context

Since the Data Retention Directive was invalidated, we have seen a wide range of reactions from member states. Eleven countries have seen their data retention laws overturned by national constitutional courts. Some of them re-enacted the legislation almost immediately, others extended their data retention mandates, and the rest have left their laws untouched. The Home Secretary vs David Davis case could therefore be an opportunity to clarify what the disintegration of the Data Retention Directive means for member states. As we note above, the UK Court sent questions to the EU Court that are, in the current context, highly political:

  • Did the CJEU in Digital Rights Ireland intend to lay down mandatory requirements for EU law with which the national legislation of member states must comply?
  • Did the CJEU in Digital Rights Ireland intend to expand the effect of Articles 7 and/or 8, EU Charter beyond the effect of Article 8 as established in the jurisprudence of the European Court of Human Rights?

The UK government is contemplating leaving the European Union — and even possibly withdrawing from the European Convention of Human Rights. At the same time, the UK Court is questioning whether the EU’s highest court overstepped its authority in Digital Rights Ireland.

There are similar issues in play when it comes to the proposed Investigatory Powers Bill (a.k.a. the IP Bill), which is currently under debate in Britain. When the issue of data retention came up in Monday’s committee hearing on the bill, proponents’ only defense for proposing 12 months for retaining data was that the period “fits nicely” between the 6-24 month period for EU data retention that was previously struck down. Only one tangible example was provided to support a 6-month period for retention. David Davis, in an interview with the London School of Economics and Political Science, vowed that he will place the IP Bill’s data retention provision under the same scrutiny as DRIPA.

What now? Will the EU seek a new data retention framework?

In a recently released communication, the Council of the EU — which represents the member states in the EU — suggests that the CJEU’s decision striking down the Data Retention Directive has led to confusion for national governments. This concern stems from a different court case originating in Sweden, in which a Swedish telecoms company — Tele2 — is fighting to stop the retention of customer data, challenging the national rules for law enforcement’s access to this data.

This is why the Council is asking EU member states whether they would like the EU Commission to propose a new Data Retention framework — to address the differences in national legal frameworks on data retention, which are increasingly profound.

Our recommendation 

Access Now urges EU leaders and legislators to carefully consider the human rights implications of any new legislation on data retention. Lawmakers should take heed of the lessons learnt from the eight years during which the Data Retention Directive violated the fundamental rights of everyone in the EU.

If there is a need to address issues of harmonisation and legal certainty with regard to data protection, we reiterate the calls made by EDRi, an association of civil liberties organisations which we are a member, for the European Commission to investigate the data retention laws of EU member states that appear to contradict the CJEU’s rights-affirming ruling on the Data Retention Directive.