Today the Court of Justice of the European Union struck down the EU’s Data Retention Directive as a disproportionate interference with fundamental rights (full judgment).
The Directive required European telecommunications companies to retain so-called ‘metadata’ for a minimum of 6 and maximum of 24 months (with exact retention periods determined by national legislation). The state could then access the retained data in cases of serious crime (including counter-terrorism) and, again, national legislation determined the precise workings of such access in the member states. In a major study of the Directive carried out by Ben Hayes and Chris Jones for the SECILE project, significant levels of variation across the member states of the European Union were identified in the working of the data retention scheme. The Directive was today deemed invalid ab initio but data retention is considered a very valuable criminal justice and counter-terrorism tool by security and policing agencies in Europe. This suggests that the EU may move relatively quickly towards a new data retention scheme. Bearing that in mind, it is instructive to look at the Court’s findings, which lay out clearly where the Directive was found lacking and, as a result, can be said to offer important guidance in the drafting of any possible new Directive.
First of all—and importantly—the Court accepted that data retention constitutes a prima facie interference with fundamental rights, not least because so-called ‘metadata’ “may allow very precise conclusions to be drawn concerning…private lives” (para 27). However, the Court also accepted that the retention of data for the purposes of counter-terrorism and the disruption of serious crime is done in pursuance of a genuine goal. This does not mean that security has some kind of hyper-weighted status within the Court’s analysis; rather, as the Court holds in para 51 “it must be held that the fight against serious crime, in particular against organised crime and terrorism, is indeed of the utmost importance in order to ensure public security and its effectiveness may depend to a great extent on the use of modern investigation techniques. However, such an objective of general interest, however fundamental it may be, does not, in itself, justify a retention measure such as that established by Directive 2006/24 being considered to be necessary for the purpose of that fight”.
This suggests to me that the Court’s finding is that the data retention scheme in the Directive is disproportionate, but not that every data retention scheme would be. (It should be noted that Simon McGarr has suggested a narrower, less permissive reading on twitter @Tupp_Ed).
The question the Court then asked was whether the data retention system as it existed was a proportionate interference with fundamental rights. The answer, according to the Court, was that it was not.
First, the fact that the data retention scheme effectively introduces blanket surveillance and treats everyone’s data in the same way was considered problematic: the Directive’s scope, in other words, appears to be considered too wide (paras 57-58). The Court thus found it problematic that the Directive “does not require any relationship between the data whose retention is provided for and a threat to public security and, in particular, it is not restricted to a retention in relation (i) to data pertaining to a particular time period and/or a particular geographical zone and/or to a circle of particular persons likely to be involved, in one way or another, in a serious crime, or (ii) to persons who could, for other reasons, contribute, by the retention of their data, to the prevention, detection or prosecution of serious offences” (para 59).
This suggests that in any new data retention directive a more tailored, narrower approach ought to be taken.
This is further sharpened by the Court’s criticism of the fact that, in relation to the retention period, “Article 6 of Directive 2006/24 requires that those data be retained for a period of at least six months, without any distinction being made between the categories of data set out in Article 5 of that directive on the basis of their possible usefulness for the purposes of the objective pursued or according to the persons concerned” (para 64) and “it is not stated that the determination of the period of retention must be based on objective criteria in order to ensure that it is limited to what is strictly necessary” (para 65).
Second, the Directive “fails to lay down any objective criterion by which to determine the limits of the access of the competent national authorities to the data and their subsequent use for the purposes of prevention, detection or criminal prosecutions concerning offences” (para 60), or any clear procedural requirements for accessing such information (para 61), so that there is too much discretion at the national level and, as result, insufficient control over personal data.
Of particular importance is the finding in para 62 that the Directive “does not lay down any objective criterion by which the number of persons authorised to access and subsequently use the data retained is limited to what is strictly necessary in the light of the objective pursued. Above all, the access by the competent national authorities to the data retained is not made dependent on a prior review carried out by a court or by an independent administrative body whose decision seeks to limit access to the data and their use to what is strictly necessary for the purpose of attaining the objective pursued and which intervenes following a reasoned request of those authorities submitted within the framework of procedures of prevention, detection or criminal prosecutions. Nor does it lay down a specific obligation on Member States designed to establish such limits”.
Finally the Court expressed significant concerns about the security of retained data and found that the Directive “does not provide sufficient safeguards…to ensure effective protection of the data retained against the risk of abuse and against any unlawful access and use of that data” (para 66), not least because it does not guarantee that it will remain within the European Union.
Based on this analysis, and if my reading—that a data retention scheme is per se permissible provided it is proportionate—there is scope for a new scheme to be introduced at EU level. Any new scheme would, however, have to look radically different to that under the Directive. First and foremost it seems quite clear that blanket surveillance will not be considered proportionate and that a tailored approach will have to be crafted. Second the remarks about the protection of personal data particularly outside of Europe may have very significant implications for the transfer of data between intelligence agencies within the EU and non-EU agencies and, as a result, could result in a significant shift in practice.
The Commission meets to discuss the implications of the judgment on Friday, and we will no doubt soon see the beginnings of a new data retention system for the European Union.