A strict approach to privacy

14 Feb 2017Feature

Tele2 shows the CJEU is holding its nerve on the retention and provision of data to national authorities, explains Paul Stanley QC

The CJEU has taken a robustly protective approach to individual privacy. In C-293/12 and C-594/12 Digital Rights it invalidated a directive which permitted the wholesale retention of data for long periods without adequate specific justification. In C-362/14 Schrems it invalidated the so-called ‘safe harbour’ arrangements agreed between the EU and the US. And now, in C-203/15 and C-698/15 Tele2 Sverige AB, it has returned to its concerns about long-term data retention, this time in the context of national law.

Tele2 explored the consequences of Digital Rights, which had invalidated an EU directive permitting long-term data retention on grounds that it insufficiently protected EU Charter rights. The question in the Tele2 cases was how far this could be extended to domestic legislation relating to the retention and provision of traffic and location data to national authorities in order to combat crime. The cases related to national legislation requiring ISPs and mobile phone companies to retain data and, in certain circumstances, provide it to police and prosecutors. How far does EU law permit such legislation?

That depended on how far earlier EU legislation could be regarded as having occupied the field, so as to make charter rights relevant. The focus was on Directive 2002/58 on privacy and electronic communications. Some of the parties argued that the retention and provision of data to national authorities for crime prevention purposes fell entirely outside EU law; others that it was entirely within; and still others that it was partly inside and partly outside.

The CJEU decided that both the retention and provision of data to national authorities fell within the scope of the directive. This, in its view, was true in terms both of letter and spirit. When ISPs and phone companies retain data and provide it they are ‘processing’ it, which is expressly covered by the directive. Moreover, the purpose of the directive was to safeguard privacy, and providing information to third parties or storing it so that it can be provided on demand obviously affects privacy.

It followed that national rules requiring or permitting ISPs and phone companies to retain and provide data were subject to control under the directive and the charter, which guarantees a right to privacy by article 7. It was not disputed that public security or the prevention, detection, and prosecution of crime could be valid reasons for interfering with privacy. But the key question was proportionality.

Although the requirements of proportionality are almost invariably expressed in terms of necessity, seasoned observers of the CJEU know that in practice the standard is applied more or less rigidly depending on the area. In this field, because a fundamental right was at issue, ‘derogations from and limitations on the protection of personal data should apply only in so far as is strictly necessary’. This should not come as a surprise: it was clear from Digital Rights and some earlier judgments.

It followed, again consistently with Digital Rights, that legislation providing for the ‘general and indiscriminate retention of all traffic and location data’ was ‘very far reaching and must be considered particularly serious’. Even the objective of fighting serious crime could not justify such a blanket approach. What was required were clear and precise rules, limiting retention to what is strictly necessary and targeting it at people whose activities deserve scrutiny.

The same went for access to retained data. The purpose had, of course, to be a legitimate one. But that itself is not enough: the national rules must lay down specific objective circumstances in which data could be accessed by national authorities and contain suitable procedural safeguards. The CJEU mentioned specifically prior review by a court or independent administrative body and ex post facto notification of the affected person, once it was possible to do so without jeopardising the investigation, to enable a challenge.

This is strong stuff. The court not only pays lip service to the importance of fundamental rights in this field, but it provides more than usually concrete guidance about the precise requirements of EU law, as a matter of principle. And it does so in a field where, politically speaking, the pendulum has generally been swinging in favour of allowing rather intrusive use of surveillance to combat terrorism and crime. Although the outcome of Tele2 is not surprising, given the CJEU’s jurisprudence, it does show that the court is holding its nerve.

In the UK, the Investigatory Powers Act received royal assent just before Tele2 was decided. Despite its reputation as a ‘snooper’s charter’, the Act in fact contains restrictions and safeguards along the lines that the CJEU considered necessary. Of course, as things stand, that is necessary because EU law requires it. After Brexit, however, these will be matters entirely for parliament, and one might reflect that this is one area where individual rights will potentially be affected by the loss of the ability to rely on the EU charter.

Paul Stanley QC is a barrister at Essex Court Chambers

@EssexCourtLaw essexcourt.com

Legal News desk contact: editorial@solicitorsjournal.com|

Paul Stanley QC is a barrister at Essex Court Chambers

@EssexCourtLaw essexcourt.com

Sir Keir Starmer resigns as Prime Minister

Sir Keir Starmer has stepped down as Labour leader and Prime Minister, triggering leadership nominations soon

Youth sentencing, custody thresholds, and judicial discretion examined

How legal frameworks governing child defendants shape outcomes in serious sexual offence cases before the Court of Appeal

Andy Burnham's potential impact on employment law

Experts warn that an Andy Burnham administration could reshape employment law, impacting flexibility and workers' rights

Singh v SSHD: Court of Appeal confirms graduate route sponsor notification is a standalone mandatory criterion

Court of Appeal confirms graduate route sponsor notification is a mandatory, freestanding immigration rule requirement.

Mulalley & Co v Sto: High Court awards 87.5% contribution for defective Grenfell-era cladding

Pepperall J holds German parent liable for inherently defective cladding under the Building Safety Act 2022.

Janssen-Cilag v United States: UKIPO address for service constitutes consent to be sued

High Court rules US government validly served via UKIPO register despite state immunity challenge.

Homebuying reforms aim to simplify process

Major reforms to the homebuying and selling process in the UK promise to reduce delays and costs for families and first-time buyers while increasing certainty...

Online shoppers face product safety risks

Lawyers demand urgent reforms for online product safety to protect consumers and ensure justice access

Brexit anniversary and its impact on banks

The tenth anniversary of Brexit highlights the UK's dynamic financial services sector and the implications for firms

Good Law Project v Reform UK: the data rights case that tests who can sue on behalf of others

High Court refuses to strike out data subject access claim against Reform UK, finding the Good Law Project has arguable standing as a representative body.

Hattons of London v Knightsbridge Collection: the coin dealer data theft that a CRM system and a cloud provider helped unravel

Seven former employees found liable for conspiracy and breach of confidence after secretly building a rival business on stolen customer data.

Pfizer v Competition and Markets Authority: the phenytoin saga enters its third decade with the CMA's original decision restored

Court of Appeal reinstates the CMA's finding that Pfizer and Flynn abused their dominant position, but wipes out the CAT's retaken decision on procedural fairness...