Case C-203/15, Tele2 Sverige – Swedish data retention despite Digital Rights Ireland

Telecoms companies were legally required to store data traffic until the CJEU’s judgment in Digital Rights Ireland. The CJEU annulled the EU’s Data Retention Directive for being incompatible with the EU Charter. Nevertheless, Swedish telecoms companies are still being required to store data. The legal basis for this is an earlier EU Directive, which had been amended by the Data Retention Directive. Is this regulatory approach compatible with the EU Charter?

Background
In 2002, the EU created a Directive governing privacy and electronic communications (OJ [2002] L201/37). The Directive was amended in 2006 by the EU’s ‘data retention’ Directive 2006/24/EC (OJ [2006] L105/54).

However, in April 2014, the CJEU annulled the data retention Directive with its judgment in Case C-293/12, Digital Rights Ireland ECLI:EU:C:2014:238.

Following that judgment, the Tele2 Swedish telecoms company wrote to the Swedish Post and Telecoms Authority [Post- och telestyrelsen]. It informed them that in a few days time they would no longer store data traffic, and they would delete existing data. The police wrote to the Authority too, claiming that the effect of Tele2’s decision would impede their work combating crime. The Authority issued an order requiring the telecoms company to retain data until a specific date later on in the year. Tele2 appealed the Authority’s decision to Stockholm’s administrative law court [Förvaltningsrätten].

At the Stockholm District Administrative Law Court
The nub of Tele2’s claim was that the Authority’s order was contrary to the CJEU’s judgment in Digital Rights Ireland. In that judgment, the CJEU had made clear that it had annulled the Directive because it was a disproportionate infringement of the rights enshrined in the EU Charter, in particular Article 7 on privacy, Article 8 on data processing, and Article 52(1) on proportionality.

More specifically, Tele2 referred the Administrative Court to particular paragraphs in the Digital Rights Ireland case, which for ease of reading, are reproduced here.

Namely, the CJEU had held that the obligation to store data was an interference in private life. At paragraph 34, the CJEU had said:

As a result, the obligation imposed by Articles 3 and 6 of Directive 2006/24 on providers of publicly available electronic communications services or of public communications networks to retain, for a certain period, data relating to a person’s private life and to his communications, such as those referred to in Article 5 of the directive, constitutes in itself an interference with the rights guaranteed by Article 7 of the Charter.

At paragraph 27, the CJEU had talked about the importance of social relationships:

Those data, taken as a whole, may allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them.

At paragraph 36, the CJEU had discussed rights related to data processing, and had added:

Likewise, Directive 2006/24 constitutes an interference with the fundamental right to the protection of personal data guaranteed by Article 8 of the Charter because it provides for the processing of personal data.

At paragraph 35, the CJEU had explained:

Furthermore, the access of the competent national authorities to the data constitutes a further interference with that fundamental right (see, as regards Article 8 of the ECHR, Eur. Court H.R., Leander v. Sweden, 26 March 1987, § 48, Series A no 116; Rotaru v. Romania [GC], no. 28341/95, § 46, ECHR 2000-V; and Weber and Saravia v. Germany (dec.), no. 54934/00, § 79, ECHR 2006-XI). Accordingly, Articles 4 and 8 of Directive 2006/24 laying down rules relating to the access of the competent national authorities to the data also constitute an interference with the rights guaranteed by Article 7 of the Charter.

The CJEU also concluded its discussion about EU Charter rights being interfered with these words in paragraph 37:

It must be stated that the interference caused by Directive 2006/24 with the fundamental rights laid down in Articles 7 and 8 of the Charter is, as the Advocate General has also pointed out, in particular, in paragraphs 77 and 80 of his Opinion, wide-ranging, and it must be considered to be particularly serious. Furthermore, as the Advocate General has pointed out in paragraphs 52 and 72 of his Opinion, the fact that data are retained and subsequently used without the subscriber or registered user being informed is likely to generate in the minds of the persons concerned the feeling that their private lives are the subject of constant surveillance.

Tele2 also believed that the Authority’s order was contrary to the rights enshrined in the ECHR, particularly in light of the judgment of the European Court of Human Rights in S and Marper. Tele2 noted that the CJEU in Digital Rights Ireland judgment had also applied paragraph 102 of Marper by analogy (the District Court refers to paragraph 102, but the CJEU in Digital Rights Ireland refers to paragraph 103 of Marper). Furthermore, they also referred the Administrative Court to the European Court of Human Rights judgment in Liberty v. The United Kingdom (Application no. 58243/00).

Again, for ease of reading, it is helpful to point out that in Liberty, the European Court of Human Rights had explained the general principles for determining whether an interference in Article 8 ECHR could be deemed to be “in accordance with the law”. The Court had reasoned:

59.  The expression “in accordance with the law” under Article 8 § 2 requires, first, that the impugned measure should have some basis in domestic law; it also refers to the quality of the law in question, requiring that it should be compatible with the rule of law and accessible to the person concerned, who must, moreover, be able to foresee its consequences for him (see, among other authorities, Kruslin v. France, judgment of 24 April 1990, Series A no. 176-A, § 27; Huvig v. France, judgment of 24 April 1990, Series A no. 176-B, § 26; Lambert v. France, judgment of 24 August 1998, Reports of Judgments and Decisions 1998-V, § 23; Perry v. the United Kingdom, no. 63737/00, § 45, ECHR 2003-IX; Dumitru Popescu v. Romania (No. 2), no. 71525/01, § 61, 26 April 2007).

60.  It is not in dispute that the interference in question had a legal basis in sections 1-10 of the 1985 Act (see paragraphs 16-27 above). The applicants, however, contended that this law was not sufficiently detailed and precise to meet the “foreseeability” requirement of Article 8(2), given in particular that the nature of the “arrangements” made under section 6(1)(b) was not accessible to the public. The Government responded, relying on paragraph 68 of Malone (cited above), that although the scope of the executive’s discretion to carry out surveillance had to be indicated in legislation, “the detailed procedures and conditions to be observed do not necessarily have to be incorporated in rules of substantive law”.

61.  The Court observes, first, that the above passage from Malone was itself a reference to Silver and Others, also cited above, §§ 88-89. There the Court accepted that administrative Orders and Instructions, which set out the detail of the scheme for screening prisoners’ letters but did not have the force of law, could be taken into account in assessing whether the criterion of foreseeability was satisfied in the application of the relevant primary and secondary legislation, but only to “the admittedly limited extent to which those concerned were made sufficiently aware of their contents”. It was only on this basis – that the content of the Orders and Instructions were made known to the prisoners – that the Court was able to reject the applicants’ contention that the conditions and procedures governing interferences with correspondence, and in particular the directives set out in the Orders and Instructions, should be contained in the substantive law itself.

62.  More recently, in its admissibility decision in Weber and Saravia, cited above, §§ 93-95, the Court summarised its case-law on the requirement of legal “foreseeability” in this field as follows (and see also Association for European Integration and Human Rights and Ekimzhiev, cited above, §§ 75-77):

“93. …. foreseeability in the special context of secret measures of surveillance, such as the interception of communications, cannot mean that an individual should be able to foresee when the authorities are likely to intercept his communications so that he can adapt his conduct accordingly (see, inter alia, Leander [v. Sweden, judgment of 26 August 1987, Series A no. 116], p. 23, § 51). However, especially where a power vested in the executive is exercised in secret, the risks of arbitrariness are evident (see, inter alia, Malone, cited above, p. 32, § 67; Huvig, cited above, pp. 54-55, § 29; and Rotaru [v. Romania [GC], no. 28341/95, § 55, ECHR 2000-V]). It is therefore essential to have clear, detailed rules on interception of telephone conversations, especially as the technology available for use is continually becoming more sophisticated (see Kopp v. Switzerland, judgment of 25 March 1998, Reports 1998-II, pp. 542-43, § 72, and Valenzuela Contreras v. Spain, judgment of 30 July 1998, Reports 1998-V, pp. 1924-25, § 46). The domestic law must be sufficiently clear in its terms to give citizens an adequate indication as to the circumstances in which and the conditions on which public authorities are empowered to resort to any such measures (see Malone, ibid.; Kopp, cited above, p. 541, § 64; Huvig, cited above, pp. 54-55, § 29; and Valenzuela Contreras, ibid.).
94. Moreover, since the implementation in practice of measures of secret surveillance of communications is not open to scrutiny by the individuals concerned or the public at large, it would be contrary to the rule of law for the legal discretion granted to the executive or to a judge to be expressed in terms of an unfettered power. Consequently, the law must indicate the scope of any such discretion conferred on the competent authorities and the manner of its exercise with sufficient clarity to give the individual adequate protection against arbitrary interference (see, among other authorities, Malone, cited above, pp. 32-33, § 68; Leander, cited above, p. 23, § 51; and Huvig, cited above, pp. 54-55, § 29).
95. In its case-law on secret measures of surveillance, the Court has developed the following minimum safeguards that should be set out in statute law in order to avoid abuses of power: the nature of the offences which may give rise to an interception order; a definition of the categories of people liable to have their telephones tapped; a limit on the duration of telephone tapping; the procedure to be followed for examining, using and storing the data obtained; the precautions to be taken when communicating the data to other parties; and the circumstances in which recordings may or must be erased or the tapes destroyed (see, inter alia, Huvig, cited above, p. 56, § 34; Amann, cited above, § 76; Valenzuela Contreras, cited above, pp. 1924-25, § 46; and Prado Bugallo v. Spain, no. 58496/00, § 30, 18 February 2003).”

63.  It is true that the above requirements were first developed by the Court in connection with measures of surveillance targeted at specific individuals or addresses (the equivalent, within the United Kingdom, of the section 3(1) regime). However, the Weber and Saravia case was itself concerned with generalised “strategic monitoring”, rather than the monitoring of individuals (cited above, § 18). The Court does not consider that there is any ground to apply different principles concerning the accessibility and clarity of the rules governing the interception of individual communications, on the one hand, and more general programmes of surveillance, on the other. The Court’s approach to the foreseeability requirement in this field has, therefore, evolved since the Commission considered the United Kingdom’s surveillance scheme in its above-cited decision in Christie v. the United Kingdom.

Tele2 Sverige also went on to refer the Stockholm Administrative Court to an unnamed judgment from an Austrian District Court which had held Austria’s Data Retention law to be contrary to the ECHR.

Notwithstanding those submissions, the Stockholm Administrative Court rejected the appeal. It noted that the reason for the CJEU’s judgment in Digital Rights Ireland annulling the Directive was the sum total of the overall deficiencies in the Directive (paras 56-62).

Again, for ease of reading, the CJEU had explained:

56 As for the question of whether the interference caused by Directive 2006/24 is limited to what is strictly necessary, it should be observed that, in accordance with Article 3 read in conjunction with Article 5(1) of that directive, the directive requires the retention of all traffic data concerning fixed telephony, mobile telephony, Internet access, Internet e-mail and Internet telephony. It therefore applies to all means of electronic communication, the use of which is very widespread and of growing importance in people’s everyday lives. Furthermore, in accordance with Article 3 of Directive 2006/24, the directive covers all subscribers and registered users. It therefore entails an interference with the fundamental rights of practically the entire European population.

57 In this respect, it must be noted, first, that Directive 2006/24 covers, in a generalised manner, all persons and all means of electronic communication as well as all traffic data without any differentiation, limitation or exception being made in the light of the objective of fighting against serious crime.

58 Directive 2006/24 affects, in a comprehensive manner, all persons using electronic communications services, but without the persons whose data are retained being, even indirectly, in a situation which is liable to give rise to criminal prosecutions. It therefore applies even to persons for whom there is no evidence capable of suggesting that their conduct might have a link, even an indirect or remote one, with serious crime. Furthermore, it does not provide for any exception, with the result that it applies even to persons whose communications are subject, according to rules of national law, to the obligation of professional secrecy.

59 Moreover, whilst seeking to contribute to the fight against serious crime, Directive 2006/24 does not require any relationship between the data whose retention is provided for and a threat to public security and, in particular, it is not restricted to a retention in relation (i) to data pertaining to a particular time period and/or a particular geographical zone and/or to a circle of particular persons likely to be involved, in one way or another, in a serious crime, or (ii) to persons who could, for other reasons, contribute, by the retention of their data, to the prevention, detection or prosecution of serious offences.

60 Secondly, not only is there a general absence of limits in Directive 2006/24 but Directive 2006/24 also fails to lay down any objective criterion by which to determine the limits of the access of the competent national authorities to the data and their subsequent use for the purposes of prevention, detection or criminal prosecutions concerning offences that, in view of the extent and seriousness of the interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter, may be considered to be sufficiently serious to justify such an interference. On the contrary, Directive 2006/24 simply refers, in Article 1(1), in a general manner to serious crime, as defined by each Member State in its national law.

61 Furthermore, Directive 2006/24 does not contain substantive and procedural conditions relating to the access of the competent national authorities to the data and to their subsequent use. Article 4 of the directive, which governs the access of those authorities to the data retained, does not expressly provide that that access and the subsequent use of the data in question must be strictly restricted to the purpose of preventing and detecting precisely defined serious offences or of conducting criminal prosecutions relating thereto; it merely provides that each Member State is to define the procedures to be followed and the conditions to be fulfilled in order to gain access to the retained data in accordance with necessity and proportionality requirements.

62 In particular, Directive 2006/24 does not lay down any objective criterion by which the number of persons authorised to access and subsequently use the data retained is limited to what is strictly necessary in the light of the objective pursued. Above all, the access by the competent national authorities to the data retained is not made dependent on a prior review carried out by a court or by an independent administrative body whose decision seeks to limit access to the data and their use to what is strictly necessary for the purpose of attaining the objective pursued and which intervenes following a reasoned request of those authorities submitted within the framework of procedures of prevention, detection or criminal prosecutions. Nor does it lay down a specific obligation on Member States designed to establish such limits.

Consequently, the Stockholm Administrative Court was of the view that Member States could still require that data be retained by the Directive which preceded the EU’s data retention Directive; namely, the EU’s ‘privacy and electronic communications’ Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (OJ [2002] L201/37).

Article 15(1) of the earlier Directive provides:

Application of certain provisions of Directive 95/46/EC
1. Member States may adopt legislative measures to restrict the scope of the rights and obligations provided for in Article 5, Article 6, Article 8(1), (2), (3) and (4), and Article 9 of this Directive when such restriction constitutes a necessary, appropriate and proportionate measure within a democratic society to safeguard national security (i.e. State security), defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system, as referred to in Article 13(1) of Directive 95/46/EC. To this end, Member States may, inter alia, adopt legislative measures providing for the retention of data for a limited period justified on the grounds laid down in this paragraph. All the measures referred to in this paragraph shall be in accordance with the general principles of Community law, including those referred to in Article 6(1) and (2) of the Treaty on European Union.

Tele2 Sverige did not agree with the judgment of the Stockholm District Court for Administrative Law and it appealed to the Stockholm Administrative Appeals Court [Kammarrätten].

Questions Referred
Although a Press Release of the Kammarrätten indicates that the referring court has asked the CJEU about the compatibility of the Swedish regulatory approach with the EU Charter and Article 15(1) of the earlier ‘privacy and electronic communications’ Directive 2002/58/EC, the Curia website has yet to publish the Questions.

Comment
For signposts to data retention law developments in the Dutch and English courts, see further, Case C-293/12, Digital Rights Ireland – telecoms, privacy and freedom of expression.

Update – 20 July 2015
The Tele2 Sverige reference has been mentioned in a judicial review conducted by two judges in the High Court of England and Wales. Their judgment has the neutral citation of Davis [2015] EWHC 2092 (Admin). The English judges declined to make a preliminary reference to the CJEU.

In the meantime, the Curia website has published the official translation of the questions asked in the Tele2 Sverige reference, and those questions read:

1. Is a general obligation to retain traffic data covering all persons, all means of electronic communication and all traffic data without any distinctions, limitations or exceptions for the purpose of combating crime (as described [below under points 1-6]) compatible with Article 15(1) of Directive 2002/58/EC, […] taking account of Articles 7, 8 and 15(1) of the Charter?

2. If the answer to question 1 is in the negative, may the retention nevertheless be permitted where:
[-] access by the national authorities to the retained data is determined as [described below under paragraphs 7-24], and
[-] security requirements are regulated as [described below under paragraphs 26-31], and
[-] all relevant data are to be retained for six months, calculated as from the day the communication is ended, and subsequently deleted as [described below under paragraphs 25]?

Update – 23 November 2015
The Court of Appeal of England and Wales has decided to make a preliminary reference about the legal effect of Digital Rights Ireland. The Court of Appeal’s reference refers to the abovementioned Tele2 Sverige reference. Although the CJEU has yet to docket the reference from the Court of Appeal, it is of such potential importance that readers of EU Law Radar may like to read my report of it now.

Update – 7 January 2016
The EU Law Radar Report on the reference from the Court of Appeal of England and Wales has been moved; see further, Case C-698/15, Davis – did the CJEU in Digital Rights Ireland intend to lay down mandatory requirements of EU law?