‘If men were angels, no government would be necessary. If angels were to govern men, neither external nor internal controls on government would be necessary. In framing a government which is to be administered by men over men, the great difficulty lies in this: you must first enable the government to control the governed; and in the next place oblige it to control itself’.
James Madison, 1788 (highlighted in the AG’s opinion)
Enabling a government to control the governed, whilst obliging it to control itself, is the dilemma with which the European Court of Justice (ECJ) has been faced in its preliminary ruling on the appeal decisions of Tele2 and Watson. In today’s ruling against the UK Government, the ECJ has clarified that national governments need to respect EU standards on data retention in their domestic legislation. The ruling is a potentially embarrassing setback for Theresa May, as it has the potential to undermine much of her recently enacted Investigatory Powers Act (as explored by Datonomy here). Whether, post Brexit, this will matter will depend on the Government’s attitude toward claiming adequacy for the purpose of international data transfers.
Watson and Tele2 are joined cases concerning the lawfulness of the UK’s and Sweden’s electronic communications data legislation respectively, brought together following the ruling of the ECJ in the 2014 Digital Rights Ireland (DRI) case. In that case, the ECJ struck down the 2006 Data Retention Directive on the following grounds:
- the general obligation to retain certain communications data constituted a serious interference with the fundamental rights to respect for private life and to the protection of personal data, and
- the rules accordingly established were not limited to what was strictly necessary for the purpose of fighting serious crime.
Following this judgment, the UK Government passed emergency legislation, the Data Retention and Investigatory Powers Act 2014 (DRIPA), to replace the then-current retention regime, which had transposed the now overturned 2006 Directive.
Under DRIPA, which is due to “sunset” on 31 December of this year, the Home Secretary is empowered to require public telecommunications operators to retain communications data for a maximum period of 12 months. After an application for judicial review by MPs Tom Watson and David Davis (Mr Davis has since removed his name from the challenge due to his position in government), the High Court ruled that this regime was inconsistent with EU law as it did not satisfy the above requirements laid down by the ECJ in the DRI case. The Home Secretary appealed and the Court of Appeal’s provisional view was that the ECJ had not laid down specific mandatory requirements of EU law with which national legislation must comply, but that it had identified and described protections that were absent from the harmonized EU regime.
Those proceedings were stayed awaiting today’s preliminary ruling by the ECJ.
The ECJ was asked to rule on the following two questions:
- In the light of the DRI case, do the current PEC Directive (soon to be replaced, as explored by Datonomy here) and the Charter preclude Member States from implementing national data retention laws?
- If not, can EU Member States impose on service providers a general data retention obligation without the safeguards laid out in the DRI case?
Following the AG’s opinion, published in July this year, the ECJ ruled as follows:
- The answer to the first question … is that the PEC Directive, read in the light of the EU Charter, “must be interpreted as precluding national legislation which, for the purpose of fighting crime, provides for the general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication.”
- On the second question, the Directive “must be interpreted as precluding national legislation governing the protection and security of traffic and location data and, in particular, access of the competent national authorities to the retained data, where the objective pursued by that access, in the context of fighting crime, is not restricted solely to fighting serious crime, where access is not subject to prior review by a court or an independent administrative authority, and where there is no requirement that the data concerned should be retained within the European Union.”
Implications and next steps
The case will now return to the UK Court of Appeal. As it stands, the judgment has potentially wide-reaching ramifications for data protection and privacy laws. Most notably, it has worrying implications for the Government’s recently enacted Investigatory Powers Act (IPA) and UK data transfers in a post-Brexit era.
The implication is that, whilst the UK remains in the EU, the IPA is open to challenge, and as it currently stands it will almost certainly not meet the conditions set out by the ECJ. Notably, the Act is not limited to retention for fighting serious crime, but contains various other justifications, such as retention for the purpose of:
- protecting public health, and
- exercising functions relating to the regulation of financial services and markets.
If and when the UK leaves the EU, this could cause serious problems for the UK in claiming adequacy (through White List status or otherwise) for the purposes of data transfers. This is even more likely to be a problem now, in a post-Schrems and post-Snowden era.
Datonomy will be closely following this, and will be keeping you up to date with any developments.