In Joined Cases C-203/15 and C-698/15 Secretary of State for the Home Department v Watson, the Court of Justice of the European Union (CJEU) provided further details about the requirements of EU law for the retention of communications data. The Swedish Administrative Court of Appeal and the Court of Appeal of England and Wales asked the CJEU to clarify its judgment in Digital Rights Ireland and, in particular, whether it imposed mandatory requirements for national data retention legislation. In Digital Rights Ireland, the EU’s Data Retention Directive (Parliament and Council Directive 2006/24/EC of 15th March 2006) was found to be a disproportionate interference with the rights to privacy and the protection of personal data in Articles 7 and 8 of the EU Charter of Fundamental Rights.
In the United Kingdom, Tom Watson MP and David Davis MP subsequently challenged the compatibility of the Data Retention and Investigatory Powers Act 2014 (DRIPA) with EU law. (Davis withdrew after being appointed Secretary of State for Exiting the EU). Section 1 empowered the Secretary of State to order the retention of communications data by service providers. The High Court found that DRIPA was incompatible with EU law which, following Digital Rights Ireland, allowed communications data to be used only for the purpose of combating serious crime and after independent authorisation by a court or other body. The Court of Appeal questioned this conclusion but made a reference to the CJEU.
The CJEU addressed two questions. First, was a general data retention obligation compatible with Article 15(1) of Directive 2002/58/EC (the ‘E-Privacy Directive’) interpreted in light of Articles 7 and 8 of the EU Charter of Fundamental Rights? Second, following Digital Rights Ireland, did EU law permit domestic legislation which: (i) did not restrict access to communications data to the purpose of fighting serious crime; (ii) did not make access to communications data dependent upon prior review by a court or other independent body; and (iii) imposed no requirement that data should be retained within the EU.
In relation to the first question, Article 15(1) of the E-Privacy Directive allowed member states to derogate from the principle of the confidentiality of communications and related data. However, Article 15(1) had to be interpreted in light of Article 7, Article 8, and Article 11 (the right to freedom of expression) of the EU Charter. Any derogation from the protection of personal data needed to be “strictly necessary”. ()
According to the CJEU, the retention of communications data entailed a “very far-reaching” and “particularly serious” interference with Articles 7 and 8 of the Charter. () It also risked an interference with Article 11. The data allowed “very precise conclusions to be drawn” about the private lives of those affected, including “everyday habits, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them”. () This was no less sensitive than the content of communications.
Article 15(1) did not prevent member states from retaining communications data. However, the court found that only the objective of fighting serious crime was capable of justifying such legislation. () Moreover, the CJEU insisted on a link between the retained data and serious crime. National data retention legislation would be incompatible with EU law if it applied to “persons for whom there is no evidence capable of suggesting that their conduct might have a link, even an indirect or remote one, with serious criminal offences.” () Data retention needed to be targeted, perhaps by reference to particular time periods, geographic areas, or groups likely to be involved in serious crime.
On the second question, the CJEU insisted that national legislation lay down clear rules indicating the circumstances in which data may be accessed. Access could not exceed what was strictly necessary. For the purposes of fighting serious crime, access could only be granted to the data of individuals suspected of serious crime or of being implicated in such crime. The CJEU considered it “essential” that access be subject to prior review by a court or other independent body. () Moreover, the court found that national authorities must notify the persons affected as soon as it would no longer jeopardise the investigation. Finally, data must be retained with the EU.
DRIPA has now expired and has been replaced by the Investigatory Powers Act 2016 (IPA). However, Watson is likely to pose problems for the new legislation. Section 87 of the IPA allows the Secretary of State to order the retention of data for the purpose of preventing or detecting any crime, not just serious crime. Retention does not have to be targeted in the manner suggested by the CJEU, covering the data of persons with no link to serious crime. Moreover, the new legislation does not require judicial approval before communications data is accessed (except for local authorities). The IPA maintains the existing authorisation procedure under which a designated senior officer within the relevant public authority determines that access is necessary and proportionate and then consults a data expert known as a Single Point of Contact (SPOC). There is no requirement that those affected by data retention be notified. For as long as the UK is subject to the jurisdiction of the CJEU, a domestic court will have little choice but to declare the communications data provisions of the IPA incompatible with EU law.
In my view, the judgment in Watson is highly unsatisfactory. First, the CJEU did not discuss the potential impact of restricting data retention. General data retention powers are of proven operational value in the UK. In his 2014 review of surveillance powers, the independent reviewer of terrorism legislation, David Anderson QC, recommended that existing retention powers be maintained and provided examples of their utility (Annexe 10). In Watson, the CJEU suggested that retention should be restricted by reference to a number of criteria. However, as Anderson has recently pointed out, limiting data retention in this manner raises important practical issues. These issues are nowhere discussed in the judgment, nor is there any assessment of the likely impact of curtailing a longstanding capability.
As Anderson has also observed, communications data is extremely valuable to law enforcement bodies in investigations which do not concern serious crime (e.g. missing persons). The CJEU insisted that only serious crime is capable of justifying data retention without any consideration of the alternative uses to which data is put. It offered no satisfactory explanation as to why Parliament should be precluded from sanctioning data retention for other types of investigation, particularly when the utility of communications data has been demonstrated. Its assertion that data retention in itself constitutes a particularly seriously interference with privacy is contestable and was not based on objective evidence about how the power is used.
Moreover, the non-judicial procedure for securing access to communications data has been reviewed and endorsed by Parliament. In 2012, the Joint Committee on the Draft Communications Data Bill considered arguments that prior judicial approval should be required. The committee was satisfied with the existing procedure, noting the specialist expertise provided by SPOCs, and was unconvinced that judges would provide a tougher authorisation test. It highlighted the burden that would be placed on the judiciary if all requests for communications data required prior approval as well as the likely delays to investigations. Support for the non-judicial authorisation procedure was provided by the Joint Committee on the Draft Investigatory Powers Bill and David Anderson.
The authorisation procedure for access to communications data has therefore received detailed consideration in the political arena. The CJEU declared that prior judicial approval was essential without considering the effectiveness of alternative procedures and without engaging with the issues raised by the parliamentary committees.
(Section 87 of the IPA requires retention notices to be approved by a Judicial Commissioner. Although this is not the safeguard demanded by the CJEU, as it relates to retention and not access, it demonstrates Parliament’s willingness to provide stronger oversight of the communications data regime.)
In sum, the CJEU’s judgment may undermine detailed political scrutiny of the communications data regime and pose practical problems for law enforcement bodies. The court did not engage with evidence about the utility of data retention powers, nor did it consider alternatives to its preferred requirements. It also made questionable assertions about the extent to which the retention of data interferes with rights. The problem is exacerbated by the fact that EU law provides no Human Rights Act-style mechanism for allowing Parliament to disagree with the CJEU’s interpretation of Charter rights.
Thomas Raine, Public Law PhD Candidate, Glasgow University
(Suggested citation: T. Raine, ‘The CJEU and Data Retention: A Critical Take on the Watson Case’, U.K. Const. L. Blog (16th Jan 2017) (available at https://ukconstitutionallaw.org/))