Tuesday 8 April 2014

"A total map of everyday life" - Today’s data retention decision: The good, the bad and the ugly

Nothing like a long held cherished cause to bring Matron out of blogging retirement. Although many have already commented on today’s CJEU decision, there is sure to be room for another one. Budge up fellows!

The Good

Where to begin? On a purely substantive level of fundamental rights soundbites, it really doesn’t get better than this. In contrast to the Advocate General’s opinion, delivered at the end of last year, the CJEU does not pussyfoot around the issues:

1. The court has strongly resisted falling into the retention/access trap that the Commission and the member states so carefully laid for it all those years ago. For nigh on a decade privacy campaigners have had to contend with the arguments that the Directive is fundamental rights compliant because it only regulates the retention of personal data. Retention itself, so the story went, is not the bad thing. Access is where the potential infringement of privacy and data protection rights kicks in and that’s all down to the member states. Move on folks, nothing to see here. Not so, says the court. Communications data “as a whole, may allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, the activities carried out and the social environments frequented by them” (para. 27). As a result, both Article 7 and Article 8 of the Charter are fully engaged with regard to retention as well as access, and nearly everything the court says subsequently about infringements of rights and the justification for such infringements (or lack thereof) applies to both. Caspar Bowden’s argument, made in his Duke* article all the way back in 2002 that communications data provides a “near complete map of the private life of an individual” has been fully embraced by the court. Well done Caspar and everyone who made that point over the years.

2. The court has not dodged the Article 8 bullet. Unlike Article 7 (right to private life) of the EU Charter of Fundamental Rights, with which EU constitutional scholars feel reasonable comfortable because we have lots of ECHR case law to draw from, Article 8 (right to data protection) has so far been – shall we say – "underexplored”. Following the Advocate General’s opinion, this was set to continue as the AG simply refused to accept that the right to data protection was engaged here. He DID fall into the retention/access trap and argued that the Article 7 right covered the collection and retention of data while the Article 8 right covered its subsequent use. Since the Directive was not concerned with the latter, Article 8 did not have to be examined. Not so, says the court as it clearly states that “retention also falls within the meaning of Article 8 of the Charter because it constitutes the processing of personal data” (para. 29). Cue response from data protection lawyers all over Europe, “Well, duh!”

3. Both the retention of, and access to, communications data constitute an interference with both Articles 7 and 8 and, yes, that interference is particularly serious because of “the important role played by the protection of personal data in the light of the fundamental right to respect for private life” (para. 48) and the likely impact on individuals’ perception of surveillance. In a paragraph that will surely turn out to be the most quoted in the press, the Court confirms that “the fact that data are retained and subsequently used without the subscriber or registered user being informed is likely to generate in the minds of the persons concerned the feeling that their private lives are the subject of constant surveillance” (para. 37). And apparently that’s not ok.

4. The interference is not proportionate and here’s why:

4.1 Because of the importance of the rights interfered with and because of the particular seriousness of the interference, the EU legislature’s discretion is reduced to start with. Meaning that the EU legislator should have been extra extra careful when adopting the Directive to make sure that it dots all the I’s and crosses all the T’s. Not something that can easily be achieved in what remains the briefest legislative procedure in EU history, you will surely agree, dear reader.

4.2 The fight against terrorism is not the universal trump card it once was. The court makes it clear that while the fight against serious crime, in particular against organized crime and terrorism, is of the utmost importance, it “does not, in itself, justify a retention measure such as that established” in the Directive. No, the court doesn’t use the word “overkill” exactly, but yes, it goes on and on about the way in which the Directive “covers, in a generalized manner, all persons and all means of electronic communication” (para. 57), without any differentiation, limitation or exception being made in the light of its crime-fighting objective; how it “affects, in a comprehensive manner, all persons using electronic communications services, but without the persons whose data are retained being, even indirectly being in a situation which is liable to give rise to criminal prosecutions" (para. 58); that it applies even to persons “whose communications are subject […] to the obligation of professional secrecy” (para. 58); and that it does not provide for any restrictions that would in some way minimize its impact on law abiding members of society, like, for example, a temporal or geographic restriction or a restriction to persons actually suspected of having committed a crime (para. 59). So while the court does not mention the taboo term “data preservation”, this is where to look for its substance.

4.3 The Directive does nothing to clarify the conditions for access to the retained data. This is one the AG was already very unhappy about and we have of course seen where the decision to let the member states roam freely has already led us. Successful constitutional court challenges in several countries and the ludicrous situation in the UK where local councils and other bodies in no way concerned with security and law enforcement were handed broad access rights to retained data that were subsequently abused.

4.4 The retention period provided for in the Directive bears no relation to any kind of considered calculation regarding what was actually necessary. A spectrum ranging from six to 24 months was handed to the member states to play with as their own national political situations allowed.

4.5 There is nothing in the Directive that imposes obligations on the member states or the communications service providers to ensure the ongoing security of the retained data. No prescribed safeguards, no minimum security standards. Zilch! Not good enough, says the courts. Look at all those hackers out there, to say nothing of the NSA. That last one is Matron’s favourite, because the court doesn’t leave it at the security point. Instead it makes it absolutely clear in para. 68 that in its view security may require that the retained data should be held within the EU. Not in the US, not in some piddly cloud server in the middle of the Indian Ocean, no, in the EU! How else, asks the court, can “the control, explicitly required by Article 8(3) of the Charter, by an independent authority of compliance with the requirements of protection and security […] [be] fully ensured”? Matron couldn’t have said it better. So what does that mean for the ongoing discussions around the future of the safe harbor, the EU-US data protection umbrella agreement and the TTIP? And is there any way to give the various PNR Agreements and the SWIFT Agreement the CJEU treatment?

The Bad

Ignoring the essence of Articles 7 and 8

Unnoticed by many, the court has also made a less welcome announcement that neither the retention of, nor the access to, communications data “adversely affect the essence” of Articles 7 and 8. Art. 52(1) of the Charter provides that a law that affects the essence of a Charter right is immediately invalid and can thus not be proportionate. This interpretation is similar to the case law of the German Constitutional Court which applies the so-called “Kernbereichstheorie” (core of the right theory) under which interference with the core of a right can never be justified. In the area of information privacy, it did, for example, hold that the security service’s installation of spyware on an individual’s computer can constitute an interference with the core of the right because the data thus collected could include data concerning the individual’s intimate sphere.

The CFEU’s decision that there is no interference with the essence of the two rights in question seems to be based on the notion that the Directive does not affect the content of the communication but merely the metadata. So here we have one trap the court DID fall into: surveillance of content – bad, surveillance of metadata – not quite so bad. This invalidates a little bit, what it said itself about the importance of communications data in assembling a complete picture of a person’s life. Surely, who an individual communicates with can in some cases be part of that individual’s intimate sphere? Matron is therefore not convinced that the “essence” argument can be so easily resolved.

An invitation to long-term legislative pingpong?

Although the decision includes extensive criticism of the various ways in which the Directive fails to comply with fundamental right obligations, it is actually a bit thin on the ground on the limits within which a fundamental rights compliant law would have to operate. So, for example, the court says that retention periods of six to 24 months are not good enough because there are no criteria for when which period would be proportionate. But it does not say what ballpark period it would like to see as an upper limit for what type of data. In this is differs from the approach of, for example, the German Constitutional Court, which told the German government in no uncertain terms what kind of safeguards would have to be included in a national data retention law before it could pass muster.

Some commenters have remarked that this is a good thing. Former German Federal Data Protection Commissioner, Peter Schaar, for example, tweeted that it was good that the ECJ did not provide a “cookbook” for a revised Directive. The thinking behind that is, of course, that such a cookbook would make it easier for the EU institutions to re-adopt a revised Directive at Warp speed. This way, so the thinking seems to go, the institutions will have to give this some thought. And that will take time. And that’s a good thing for all of us, right?

Matron is not so sure. She can't help thinking that the EU institutions will seek to adopt a revised Directive anyway and without specific guidance from the court, the institutions are once again left alone to be “creative”. There is a real danger that they will come up with a new version that formally ticks many of the boxes mentioned by the court but that substantively would still be found to be an infringement of the Charter rights. So, there is a chance that this kind of uncertainty will open us all up to decades of a game of legislative pingpong between the EU institutions and the CJEU. It's been done before and maybe this is one of the reasons why the German Constitutional Court tends to be so prescriptive.

But this kind of passing the ball to and fro between the legislative and the judiciary is just about doable at national level in a country like Germany where citizens can bring a constitutional challenge as soon as a law is adopted. The Germans got their Constitutional Court decision on the implementing law within 2 years, some other member states were even quicker. But at EU level where it has taken the combined civil society power of 27 (at the time) member states eight years to get the damn thing to a competent court? Is it going to take us another eight years again next time? And the time after that, as they fiddle about with the detail? For Matron this is a bit concerning and it raises all kinds of issues with regard to the enforcement of fundamental rights in multi-level governance systems. On the plus side, her PhD thesis (a labour of Hercules, if ever there was one) just became a hell of a lot more interesting.

The question of trust

With the Charter only in force for a few short years, the CJEU’s case law on fundamental rights enforcement is still in its infancy. This is one of the first, if not THE first, CJEU decision that has roundly declared an EU secondary instrument invalid in its entirety because it violates Charter rights. The way in which CJEU jurisprudence shapes up in this regard is closely watched by the citizens, businesses, governments and national courts of the EU member states. Particularly in countries like Germany, where the Constitutional Court enjoys an immense level of trust by the population, people are worried that the CJEU will not guarantee the same level of protection of fundamental rights as their own court. This is becoming a particularly hot topic with regard to the ongoing discussions about the proposed EU Data Protection Regulation, where the German government (supported – surprisingly – by many civil society campaigners) would like to exempt the data processing activities of public bodies from the scope of the Regulation. The German government may very well have its own sinister reason for proposing this, but the privacy campaigners Matron has spoken to are broadly on board with the idea because including those activities in a directly binding EU instrument would potentially remove them from the Constitutional Court’s competence for judicial review. Questions of fundamental rights compliance of that Regulation (and the measures taken under it) would then have to be decided by the CJEU.

The concern arises partly from the problem of standing. German citizens have a right to challenge an Act of the German Parliament in the form of a constitutional complaint. There is, as yet, no comparable right of EU citizens to challenge an Act adopted by the EU institutions before the CJEU. But this is also a question of whether or not national judges will trust the CJEU to do its job. The German Constitutional Court, for example, is currently operating on the basis of some sort of self-denying ordinance when it comes to reviewing EU law. Under its “Solange II” principle, it will refuse to do so “as long as” (“solange”) it is satisfied, that the CJEU will apply an equivalent fundamental rights standard. This principle has wobbled a fair few times already (data retention being one of those occasions), but remains intact. However, any indication that the CJEU will indeed apply a significantly lower standard than the German Court itself would adopt could act as a trigger to topple “Solange II”. For all their generally pro-European attitude, the Germans have a few sensitivities of their own. The right to informational self-determination is one of them.

... and the downright Ugly

Finally, the one thing the CJEU left entirely open is what will happen now. According to the decision, the Directive is invalid ab initio, i.e. from the date it came into force. This means that in those countries – like Germany – that have not yet implemented the Directive, there is now seemingly no longer a legal obligation to do so.

However, it must be remembered that the Directive itself was adopted as a derogation from a general principle (confidentiality of communications) included in another Directive (Art. 15 of the E-Privacy Directive (2002/58/EC)). This derogation was originally granted to the member states but was then exercised by the EU itself through the adoption of the Data Retention Directive. This means that while the Directive was in force, member states did not have the power to derogate under Art. 15, if only to the extent that the DRD had exercised that power.

So this raises two questions:

1. If the CJEU declares a Directive invalid, what happens to national legislation that has already implemented that Directive? Does it automatically become invalid too or does it have to be repealed? For example, the UK has implemented the Directive through the Data Retention (EC Directive) Regulations 2009. If the invalidity of the Directive does not cause those Regulations to become invalid by extension, is there an obligation on the UK government to repeal them? And if there isn’t, is there at least a way in which UK citizens, CSPs or civil society organisations can ask a UK court to declare the Regulations invalid? Does any of us have standing to do this? Do the courts have the power to make such a declaration?

2. If the EU exercise of a derogation falls by the wayside because the derogating instrument was declared invalid, does this mean that the power to derogate in the area previously covered by the EU instrument reverts back to the member states? In other words, could the UK, being bloody-minded on this point, issue the same legislation again as a national instrument under the derogation contained in Article 15 of the E-Privacy Directive? If it did, would it have to do so within the limits set by the CJEU with regard to compliance with Charter rights? And how does the UK’s opt-out from the Charter play into this? The CJEU has ruled previously that the opt-out negotiated by the UK and Poland does not intend to exempt the UK from the obligation to comply with the provisions of the Charter or to prevent a UK court from ensuring compliance with Charter provisions (see Judgment in Joined Cases C-411/10 N.S. v Secretary of State forthe Home Department and C-493/10 M.E. and Others v Refugee ApplicationsCommissioner, Minister for Justice, Equality and Law Reform). But even though this may be correct with regard to laws implementing EU legislation, does it also apply with regard to national legislation that is not mandated by the EU?

Matron’s Twitter feed is abuzz about this and the last time she looked no consensus had yet been reached. In the meantime, Commissioner Malmstroem, who currently still oversees that part of the Commission responsible for the Data Retention Directive, has already issued her own version of history. In an FAQ document released today, she specifically claims that:

“National legislation needs to be amended only with regard to aspects that become contrary to EU law after a judgment by the European Court of Justice. Furthermore, a finding of invalidity of the Directive does not cancel the ability for Member States under the e-Privacy Directive (2002/58/EC) to oblige retention of data.”**

Put that in your pipe and smoke it, pesky privacy nerds!

So, onwards and upwards it is! No rest for the wicked and all that. At least the upcoming European Parliament elections and Commission rotation will hopefully give all of us a bit of a much-needed breather. But people, this makes it absolutely clear, how important it is that we get the right kind of European Parliament next time round. 

So, in May, please get out and exercise your democratic right to vote. Whatever the weather!

* C Bowden (2002) “"Closed circuit television for inside your head: blanket traffic data retention and the emergency anti-terrorism legislation", Duke Law & Technology Review, p. 5.

** Many thanks to Lexferenda for bringing this to my attention.

No comments:

Post a Comment