A strict approach to privacy

The CJEU has taken a robustly protective approach to individual privacy. In C-293/12 and C-594/12 Digital Rights it invalidated a directive which permitted the wholesale retention of data for long periods without adequate specific justification. In C-362/14 Schrems it invalidated the so-called ‘safe harbour’ arrangements agreed between the EU and the US. And now, in C-203/15 and C-698/15 Tele2 Sverige AB, it has returned to its concerns about long-term data retention, this time in the context of national law.

Tele2 explored the consequences of Digital Rights, which had invalidated an EU directive permitting long-term data retention on grounds that it insufficiently protected EU Charter rights. The question in the Tele2 cases was how far this could be extended to domestic legislation relating to the retention and provision of traffic and location data to national authorities in order to combat crime. The cases related to national legislation requiring ISPs and mobile phone companies to retain data and, in certain circumstances, provide it to police and prosecutors. How far does EU law permit such legislation?

That depended on how far earlier EU legislation could be regarded as having occupied the field, so as to make charter rights relevant. The focus was on Directive 2002/58 on privacy and electronic communications. Some of the parties argued that the retention and provision of data to national authorities for crime prevention purposes fell entirely outside EU law; others that it was entirely within; and still others that it was partly inside and partly outside.

The CJEU decided that both the retention and provision of data to national authorities fell within the scope of the directive. This, in its view, was true in terms both of letter and spirit. When ISPs and phone companies retain data and provide it they are ‘processing’ it, which is expressly covered by the directive. Moreover, the purpose of the directive was to safeguard privacy, and providing information to third parties or storing it so that it can be provided on demand obviously affects privacy.

It followed that national rules requiring or permitting ISPs and phone companies to retain and provide data were subject to control under the directive and the charter, which guarantees a right to privacy by article 7. It was not disputed that public security or the prevention, detection, and prosecution of crime could be valid reasons for interfering with privacy. But the key question was proportionality.

Although the requirements of proportionality are almost invariably expressed in terms of necessity, seasoned observers of the CJEU know that in practice the standard is applied more or less rigidly depending on the area. In this field, because a fundamental right was at issue, ‘derogations from and limitations on the protection of personal data should apply only in so far as is strictly necessary’. This should not come as a surprise: it was clear from Digital Rights and some earlier judgments.

It followed, again consistently with Digital Rights, that legislation providing for the ‘general and indiscriminate retention of all traffic and location data’ was ‘very far reaching and must be considered particularly serious’. Even the objective of fighting serious crime could not justify such a blanket approach. What was required were clear and precise rules, limiting retention to what is strictly necessary and targeting it at people whose activities deserve scrutiny.

The same went for access to retained data. The purpose had, of course, to be a legitimate one. But that itself is not enough: the national rules must lay down specific objective circumstances in which data could be accessed by national authorities and contain suitable procedural safeguards. The CJEU mentioned specifically prior review by a court or independent administrative body and ex post facto notification of the affected person, once it was possible to do so without jeopardising the investigation, to enable a challenge.

This is strong stuff. The court not only pays lip service to the importance of fundamental rights in this field, but it provides more than usually concrete guidance about the precise requirements of EU law, as a matter of principle. And it does so in a field where, politically speaking, the pendulum has generally been swinging in favour of allowing rather intrusive use of surveillance to combat terrorism and crime. Although the outcome of Tele2 is not surprising, given the CJEU’s jurisprudence, it does show that the court is holding its nerve.

In the UK, the Investigatory Powers Act received royal assent just before Tele2 was decided. Despite its reputation as a ‘snooper’s charter’, the Act in fact contains restrictions and safeguards along the lines that the CJEU considered necessary. Of course, as things stand, that is necessary because EU law requires it. After Brexit, however, these will be matters entirely for parliament, and one might reflect that this is one area where individual rights will potentially be affected by the loss of the ability to rely on the EU charter.

Paul Stanley QC is a barrister at Essex Court Chambers

@EssexCourtLaw essexcourt.com