European Court of Justice finds EU law does not allow indiscriminate collection of electronic communications data and requires controls on access to retained data

Tele2 Sverige AB v Post-och telestyrelsen; Secretary of State for the Home Department v Watson and others (C-203/15 and C-698/15), EU:C:2016:970

Summary

The Grand Chamber of the European Court of Justice (ECJ) found that EU law precludes national laws that allow for the indiscriminate retention of all electronic communications data of all subscribers and users. It also found that national laws must put parameters around the circumstances in which authorities can access the retained data, and in particular access should be:

  • restricted solely to access for the purpose of fighting serious crime;
  • subject to prior review by a court or an independent administrative authority; and
  • subject to a requirement that the data so accessed should be retained within the European Union.

Facts

Directive 2002/58/EC (2002 Directive) of the European Parliament requires members of the European Union to achieve certain standards of privacy in the processing and retention of, and access to, personal data in the electronic communication sector.

The Directive is not concerned with the content of electronic communications, but the personal data (also known as “metadata”) relating to those communications, such as the phone numbers from which calls were made or received, the time and place of phone calls, billing information, IP addresses and dates and times of logging into and out of the IP services (communications data).

Article 15(1) of the Directive allows member states to adopt legislative measures that restrict the scope of the rights and obligations provided for in the Directive, when “such restriction constitutes a necessary, appropriate and proportionate measure within a democratic society to safeguard national security (ie State security), defence, public security and the prevention, investigation, detection and prosecution of criminal offences or unauthorised use of the electronic communication system…”

In 2014, the ECJ held that a 2006 Directive from the EU parliament that required states to retain communications data was invalid (Digital Rights Ireland and Others (C-293/12 and C-594/12), EU:C:2014:238). It held that the EU legislature had disproportionately interfered with the rights to privacy and family life and the protection of data in the Charter of Fundamental Rights of the EU (Charter) (Articles 7, 8 and 52(1)).

Following the Digital Rights Case, courts in Sweden and the UK referred questions to the European Court of Justice for a preliminary ruling. They sought to understand the proper interpretation of article 15(1) of the 2002 Directive, so as to understand if their national laws were inconsistent with EU law. Both Sweden and the UK have laws requiring electronic communications services to retain communications data – in Sweden for 6 months and in the UK for up to 12 months – and that provide for when and how that data can be accessed.

The Administrative Court of Appeal of Stockholm, Sweden, asked the ECJ to rule on the following.

1.     Whether a general obligation to retain traffic data covering all persons, all means of electronic communications and all traffic data without any distinctions, limitations or exceptions for the purpose of combatting crime is compatible with Article 15(1) of the 2002 Directive, taking into account the rights in articles 7, 8 and 52(1) of the Charter.

2.     If the answer is no, whether retention is nevertheless permitted if:

a.     Access by national authorities is restricted

b.    Data is properly secured and protected

c.     Data is retained only for six months.

The Court of Appeal (England & Wales) (Civil Division) referred questions to the court concerning the scope of the Digital Rights judgment.

Decision

First, the ECJ held that the scope of the 2002 Directive applies to national legislation that requires providers to retain communications data and that provides for access to that data [75] -[76]. Section 15(1) “offers to the users of electronic communications services protection against risks to their personal data and privacy that arise from new technology and the increasing capacity for automated storage and processing of data.” [83].

The ECJ held that the 2002 Directive must be interpreted in light of the Charter [91]. It stated that national laws requiring retention of communications data and access by national authorities are “far-reaching and must be considered to be particularly serious” infringements on the rights to privacy and personal data [100].

“That data, taken as a whole, is liable to allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained, such as everyday habits, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them. In particular, that data provides the means…of establishing a profile of the individuals concerned, information that is no less sensitive, having regard to the right to privacy, than the actual content of communications.” [citations omitted] [99].

In terms of freedom of expression, the EJC stated: “The fact that the data is retained without the subscriber or registered user being informed is likely to cause the persons concerned to feel that their private lives are the subject of constant surveillance.” [100].

It went on to say: “The impact of this scheme could have an effect on the use of means of electronic communication and, consequently, on the exercise by the users of their freedom of expression, guaranteed in Article 11 of the Charter.” [100].

On this basis, the Court held that the retention of communication data should be the exception and not the rule (para 104). General and indiscriminate data retention is not allowed – the retention must be strictly necessary. If a member state is to make laws concerning retention of communication data, the retention of data must be limited with respect to the categories of data to be retained, the means of communication affected, the persons concerned and the retention period adopted [108].

Access to the retained data must correspond genuinely to one of the objectives set out in s 15(1), namely “to safeguard national security (ie State security), defence, public security and the prevention, investigation, detection and prosecution of criminal offences or unauthorised use of the electronic communication system.”

Further, national laws must set out the procedural and substantive conditions under which access is granted to retained data by national authorities [118]. Access must only be allowed for the object of fighting serious crime, where access is subject to prior review by a court or an independent authority and where there is a requirement that the data is not handed on outside of the European Union [125]. Further, a person affected by the access should be notified that their data is being accessed [121].

Commentary

The decision is significant for Australia. Amendments to the Telecommunications (Interception and Access) Act (Cth) in 2015 now require telecommunications and internet service providers to maintain all communications data of all users in Australia. It is general and indiscriminate data collection of the kind that the ECJ found to be a “far-reaching and serious” infringement on the right to privacy in this case, and also detrimental to freedom of expression.

Further, Australian law enforcement authorities can access retained data regardless of whether they are fighting serious crime, without prior supervision by a court or independent body and without notifying a person that their data is being accessed.

The full text of the decision can be found here.

Emily Howie is the Director of Advocacy and Research at the Human Rights Law Centre.