When you use a telephone or go onto the internet a company registers and stores data about you. Companies are obliged to do this not for billing purposes but because of the EU’s data retention Directive 2006/24/EC. Can you access this ‘retention data’, and if not, is this compatible with the EU Charter?
The claimant is a customer of an Austrian telecoms company. He has a mobile and is an end-user of publicly available electronic communications services.
In June 2012, he wrote to his telecoms company requesting access to the processed ‘retained data’. His request was turned down. Although the company offered to describe the nature of the collected data, it refused to give substantive details of the retained data processed about him.
The claimant appealed to the Austrian Data Protection Commission. He claimed that his right to access information had been infringed by the telecoms company. The telecoms company pointed out that the legislature had, within its margin of appreciation, limited the access right to retained data in view of criminality and law enforcement. Further, the EU’s data retention Directive had proceeded on the basis that data retention was a necessary measure for the purposes of Article 8 ECHR.
The Austrian Data Protection Commission did not know how to resolve the matter and decided to refer 3 questions to the CJEU. It provided some context to each question.
Question 1 arose because the telecoms company had claimed that as a result of Austrian law, which corresponds to the EU’s data retention Directive, it was prevented from allowing the individual to exercise his access right.
Further, Article 7(c) of the data retention Directive states:
‘the data shall be subject to appropriate technical and organisational measures to ensure that they can be accessed by specially authorised personnel only’.
So was the phrase ‘specially authorised personnel only’ to be understood as being in conflict with the obligation on data processors to grant individuals access to the processed data about them?
On the one hand, Article 7(c) could be interpreted in accordance with the aim of the data retention. This would mean that it was only the people who were authorised by law, such as the police, prosecutors and the courts, who could access the data. Individuals would then be refused access to their own data. This could be justified on the basis that, first, the scope of the data retention was prescribed by law and individuals could understand this without a knowledge of the details; and, secondly, denying access would stop a potential criminal making it more difficult for security services and prosecutors to prevent criminal activity.
However, the opening sentence of Article 7 of the data retention Directive also stipulates that Member States shall ensure communications suppliers respect the data security principles but ‘without prejudice to the provisions adopted pursuant to Directive 95/46/EC and Directive 2002/58/EC’. Equally, Recital 15 states: ‘Directive 95/46/EC and Directive 2002/58/EC are fully applicable to the data retained in accordance with this Directive’. So the European legislature did not intend to deprive individuals of their rights under the EU’s data processing Directive 95/46/EC.
On the other hand, the question arose as to whether the interpretation of obligations in the EU’s data processing Directive 95/46 fell within that Directive’s own exceptions. For whereas Article 12 deals with the data subject’s right of access to data, Member States can still create exemptions and restrictions on the basis of Article 13 so that they can safeguard:
‘(c) public security;
(d) the prevention, investigation, detection and prosecution of criminal offences’.
So when Article 12 is read together with Article 13, do the obligations on the Member States fall within those exceptions or, in the event of there being no suspicion of criminality, does it create an obligation on the Member State to set down an access right?
The Austrian Data Protection Commission went on to explain Question 3. It believed this question would arise in the event that Article 7 of Directive 2006/24/EC would prevent an access right, either when it was read in isolation, or when it was read together with Articles 12 and 13 of the data processing Directive 95/46/EC. The Data Protection Commission asked whether the exception was compatible with Article 8 of the EU Charter because the second sentence of Article 8(2) states:
‘Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.’
In the case before the Austrian Data Protection Commission, there was an a priori blanket retention of data about individuals – the retention was occurring without cause and irrespective of suspicion.
In that context, the Austrian Data Protection Commission referred to the concerns which had recently been expressed by the Austrian Constitutional Court on the arrangement of geo-location and traffic data, in paragraphs 40-46 of the ‘Seitlinger’ reference.
The official English translation of those paragraphs from ‘Seitlinger’ reads as follows:
40. According to Art. 8 para. 1 Charter of Fundamental Rights, every person has a right to their personal data being protected. According to Art. 8 para. 2 of the Charter, such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. Inasmuch as the Charter of Fundamental Rights contains rights which correspond with the rights guaranteed in the ECHR, their meaning and scope shall be the same as those laid down by the said Convention pursuant to Art. 52 para. 3 of the Charter of Fundamental Rights.
41. The Constitutional Court does not fail to recognise the importance and weight of the goal of harmonising the duties of service providers and/or network operators regarding the retention of defined data and ensuring the availability of this data for the purpose of investigating, identifying and prosecuting serious criminal acts, which the Data Retention Directive aims at. Moreover, the Constitutional Court draws attention to the fact that Art. 4 of the Data Retention Directive requires Member States to define the procedures to be followed and the conditions to be fulfilled in due consideration of i.a. the ECHR.
42. This notwithstanding, concerns prevail regarding the retention of data without cause as such and the related consequences. The applicants’ concerns are largely based on the high degree of intervention of data retention, and that for several reasons. First, the directive sets out a retention period ranging from six months to two years. This timeframe is to be assessed in consideration of the data volume to be stored. It is the preliminary view of the Constitutional Court that this retention period gives rise to serious concerns.
43. Second, the scope of data retention raises concerns as to its conformity with the Charter of Fundamental Rights. The directive allows for the large‐scale collection of data in terms of the category of data, even though there is a limitation by a catalogue of traffic data, the non‐limited group of persons, and in terms of the state tasks for which it is ordered. The “spread” of the intervention hence goes beyond that of interventions with the fundamental right to data protection which the Constitutional Court had to rule on in its case law to date, whereby the possibility of interlinking data recorded in different contexts must also be taken into account (Berka, Das Grundrecht auf Datenschutz im Spannungsfeld zwischen Freiheit und Sicherheit, Gutachten, 18. Österreichischer Juristentag, 2012, 76 and 111 et. sequ.).
44. Moreover, data retention almost exclusively affects persons who do not give cause for their data being stored. At the same time, they will necessarily be subject to a higher risk, regardless of any concrete modalities of data use defined in national law, namely that the authorities will record their data, become aware of their content, inform themselves of the private behaviour of such persons and then further use this data for other purposes (e.g. as a consequence of an accidental presence in a given radio cell at a given moment that is relevant for official investigations).
45. In addition, there is a heightened risk of abuse. Here, one should note in particular that the obligation to store personal data set out in the Data Retention Directive – and such also in Art. 102a TKG 2003 that was enacted in implementation of the Data Retention Directive – goes beyond the former permission to store traffic data for billing retail or wholesale charges. Given the multitude of telecommunications services providers which exist and, as a consequence, the large number of those obliged to store data, an incalculable group of persons has access to traffic data which must be retained for at least six months according to the Data Retention Directive. Regardless of efforts undertaken by the national legislator, preventing abuse is likely to reach ‘structural limits’, since smaller providers would also have to be included which, if only for their small size, have a limited capacity to prevent abuse. (explicitly BVerfG, 2.3.2010, 1 BvR 256/08 et al., para. 212).
The Austrian Data Protection Commission shared these concerns of the Austrian Constitutional Court – especially those expressed in paragraph 43. And it felt that in view of EU data protection law, particular significance ought to be attributed to the individual’s right of access.
An unofficial translation of the Questions asked by the Austrian Data Protection Commission reads:
1. Is Article 7(c) of Directive 2006/24/EC to be interpreted as meaning that an individual who is a data subject of retained data does not qualify as ‘specially authorised personnel’ within the meaning of this provision, and has no right of access to their own data from the provider of a publicly available electronic communications service or of a public communications network?
2. Is Article 13(1)(c) and (d) of Directive 95/46/EC to be interpreted as excluding or limiting the right of an individual who is the data subject of retained data within the meaning of Directive 2006/24/EC, to access their own data pursuant to Article 12(a) of Directive 95/46/EC from the provider of a publicly available electronic communications service or of a public communications network?
3. In the event of an, at least in part, affirmative answer to Question 1:
Is Article 7(c) of Directive 2006/24/EC compatible with the fundamental right enshrined in Article 8(2) second sentence of the EU Charter, and thereby valid?
First, it was the Irish High Court: Case C-293/12, Digital Rights Ireland – telecoms, privacy and freedom of expression.
Then, it was the Austrian Constitutional Court: Case C-594/12, Seitlinger – Austrian and EU data retention law.
Update – 8 April 2014
According to the Curia website, the Grand Chamber in the joined cases of Digital Rights Ireland and Seitlinger has held:
Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC is invalid.
Update – 27 September 2014
The CJEU issued an Order in C-46/13, H ECLI:EU:C:2014:1998 removing the case from the Register.