In 2006, the EU’s ‘data retention’ Directive 2006/24/EC required telecoms companies to store data traffic. In its Digital Rights Ireland judgment of 2014, the CJEU annulled the Directive because the Directive was incompatible with the EU Charter. Six national courts have subsequently declared their national data retention laws to be invalid. However, in other Member States legal uncertainty surrounds what the CJEU actually decided and the legal effects that flow from it. In that context, a Swedish court has already made a preliminary reference to the CJEU. Now, the Court of Appeal of England and Wales has decided to make its own preliminary reference.
In 2002, the EU created a Directive governing privacy and electronic communications (OJ  L201/37).
In 2006, the Directive was amended by the EU’s ‘data retention’ Directive 2006/24/EC (OJ  L105/54). The Directive required telecoms companies to store data traffic.
However, in April 2014 the CJEU annulled the EU’s ‘data retention’ Directive by its Digital Rights Ireland judgment.
In response to the CJEU’s judgment, the United Kingdom enacted a new piece of legislation known as the 2014 Data Retention and Investigatory Powers Act (“DRIPA”).
DRIPA covers communications data. That is to say, communications data displays who was communicating, when, from where, and with whom. Data can include the time and duration of a communication, the number or e-mail address of the originator and recipient. Sometimes, it can also include the location of the device from which the communication was made. The content of the communication is not recorded.
However, the legality of DRIPA was challenged in the courts. Among the litigants are people who are worried about DRIPA’s effect on the confidentiality of communications between people and their solicitors. Unusually for administrative law litigation, a couple of the litigants are even Members of Parliament. They are worried about the effect of DRIPA on the confidentiality of their communications with their constituents.
At first instance, the litigants booked some success. The Queen’s Bench Division of the High Court held DRIPA to be inconsistent with EU law. DRIPA was deemed to lack clear and precise rules governing access to, and the use of, communications data.
At the Court of Appeal of England and Wales
The starting point of the judges in the Court of Appeal was to recognise that though the content of communications were not being stored, communications data itself ‘can be highly revealing and informative and, as a result, highly intrusive into the privacy of users of communications services’.
They noted that a key issue in determining the legality of DRIPA was a correct understanding of the what the CJEU had decided in Digital Rights Ireland. The question was whether the CJEUhad laid down mandatory requirements with which national legislation must comply.
In that context, the judges had heard the Home Secretary make three points to support her overall belief that the CJEU had not laid down any mandatory requirements on the Member States:
1) the CJEU in Digital Rights Ireland did not impose mandatory requirements that must to be applied to national legislation;
2) the EU Charter does not apply to national rules governing access to communications data when access is by law enforcement agencies; and,
3) even if she were wrong on point 2 (with the effect that EU law could impose such requirements on national data access laws), then there was still nothing in the CJEU’s judgment to suggest that Articles 7 and 8 on the EU Charter governing privacy and data processing went beyond the scope of the fundamental right to privacy, as that right is enshrined in Article 8(2) of the ECHR. All Member States had to do was comply with Article 8(2) of the ECHR.
Before commenting on her legal submissions, the Court of Appeal recalled the salient passages of the CJEU’s judgment in Digital Rights Ireland which largely corresponded to those at stake in the recently-made preliminary reference from a Swedish court (the Tele2 Sverige reference).
However, the judges of the Court of Appeal also took into account what the CJEU had said in the most recent ‘privacy’ judgment, Schrems.
90 Moreover, the foregoing analysis of Decision 2000/520 is borne out by the Commission’s own assessment of the situation resulting from the implementation of that decision. Particularly in points 2 and 3.2 of Communication COM(2013) 846 final and in points 7.1, 7.2 and 8 of Communication COM(2013) 847 final, the content of which is set out in paragraphs 13 to 16 and paragraphs 22, 23 and 25 of the present judgment respectively, the Commission found that the United States authorities were able to access the personal data transferred from the Member States to the United States and process it in a way incompatible, in particular, with the purposes for which it was transferred, beyond what was strictly necessary and proportionate to the protection of national security. Also, the Commission noted that the data subjects had no administrative or judicial means of redress enabling, in particular, the data relating to them to be accessed and, as the case may be, rectified or erased.
91 As regards the level of protection of fundamental rights and freedoms that is guaranteed within the European Union, EU legislation involving interference with the fundamental rights guaranteed by Articles 7 and 8 of the Charter must, according to the Court’s settled case-law, lay down clear and precise rules governing the scope and application of a measure and imposing minimum safeguards, so that the persons whose personal data is concerned have sufficient guarantees enabling their data to be effectively protected against the risk of abuse and against any unlawful access and use of that data. The need for such safeguards is all the greater where personal data is subjected to automatic processing and where there is a significant risk of unlawful access to that data (judgment in Digital Rights Ireland and Others, C‑293/12 and C‑594/12, EU:C:2014:238, paragraphs 54 and 55 and the case-law cited).
92 Furthermore and above all, protection of the fundamental right to respect for private life at EU level requires derogations and limitations in relation to the protection of personal data to apply only in so far as is strictly necessary (judgment in Digital Rights Ireland and Others, C‑293/12 and C‑594/12, EU:C:2014:238, paragraph 52 and the case-law cited).
93 Legislation is not limited to what is strictly necessary where it authorises, on a generalised basis, storage of all the personal data of all the persons whose data has been transferred from the European Union to the United States without any differentiation, limitation or exception being made in the light of the objective pursued and without an objective criterion being laid down by which to determine the limits of the access of the public authorities to the data, and of its subsequent use, for purposes which are specific, strictly restricted and capable of justifying the interference which both access to that data and its use entail (see, to this effect, concerning Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC (OJ 2006 L 105, p. 54), judgment in Digital Rights Ireland and Others, C‑293/12 and C‑594/12, EU:C:2014:238, paragraphs 57 to 61).
94 In particular, legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter (see, to this effect, judgment in Digital Rights Ireland and Others, C‑293/12 and C‑594/12, EU:C:2014:238, paragraph 39)
After having taken this latest case law into account, and having heard the submissions made by two interveners, the Court of Appeal formed three broad points made by the Home Secretary.
In respect of point 1, the Court of Appeal was minded to believe that the CJEU in Digital Rights Ireland did not lay down specific mandatory requirements in EU law. Rather, the Court of Appeal understood the CJEU to have been simply listing the protections that were absent from the EU’s ‘data retention’ Directive.
In respect of point 2, and access to data, the Court of Appeal thought that this too was not a mandatory requirement that was automatically applicable to national legislation. In Digital Rights Ireland, the CJEU had merely pointed out that there was no provision in the Directive requiring approved access. Again, the Court of Appeal felt fortified in its belief that there were no mandatory requirements in Digital Rights Ireland because the CJEU had provided no case law by way of support.
However, the Court of Appeal did seem to disagree with the Home Secretary on another aspect of point 2, namely, whether the EU Charter rules applied to national rules governing access to the data by national enforcement agencies.
In that context, the Court of Appeal noted that national data retention regimes and derogations for national enforcement agencies must comply with Article 15 of the e-Privacy Directive, and do so in accordance with the general principles of EU law – principles which do give effect to the EU Charter. Hence, the judges of the Court of Appeal were minded to find that national rules were indeed subject to EU law, including the EU Charter.
That said, the Court of Appeal remarked that the CJEU had not expressly discussed the topic of whether the EU Charter applied to national access rules. The Court of Appeal was also doubtful that the CJEU in Digital Rights Ireland had intended to lay down mandatory requirements in relation to retained communications data.
Turning to point 3, about whether the CJEU in Digital Rights Ireland went further than the requirements of Article 8(2) ECHR as interpreted by the Strasbourg court’s case law, the Court of Appeal thought not. On the ‘Strasbourg’ case law, the judges in the Court of Appeal reasoned that ‘Strasbourg’:
‘has not gone so far as to impose a general requirement of prior judicial or independent administrative approval as a necessary safeguard. Rather, its approach seems to be to review all aspects of the authorisation and oversight regime and to assess whether it provides overall sufficient protections to democratic freedoms’.
In that context, the Court of Appeal referred to a document written by David Anderson QC, “A Question of Trust, Report of the Investigatory Powers Review”, June 2015 at paragraphs 5.40 – 5.43.
Nevertheless, in light of the doubts surrounding the effect of the CJEU’s judgment in Digital Rights Ireland, the Court of Appeal decided to make a preliminary reference.
Having decided to make a preliminary reference, the Court of Appeal of England and Wales then requested the CJEU not only to deal with reference under the CJEU’s ‘expedited’ procedure but also to deal with it when hearing the Tele2 Sverige preliminary reference.
By way of further support to its request for a preliminary ruling from the CJEU, the Court of Appeal also noted that what was at stake was an issue of general and wide-reaching importance. Although DRIPA would expire on 31 December 2016, the judgment in Digital Rights Ireland would remain central to the validity of all future legislation enacted by the Member States in this field.
In that context, the Court of Appeal also remarked that courts elsewhere in the EU had already been applying the CJEU’s Digital Rights Ireland judgment and declaring national legislation to be invalid. The body of case law was: (a) Austrian Federal Constitutional Court, Decision G 47/2012 e.a. regarding data retention, 27 June 2014; (b) Slovenian Constitutional Court, Decision U-I-65/13-19, 3 July 2014; (c) Belgian Constitutional Court, Decision 84/2015, 11 June 2015; (d) Romanian Constitutional Court, Decision No. 440, 8 July 2015; (e) District Court of the Hague, Netherlands, Case No. C/09/480009/KG ZA 14/1575, Decision of 11 March 2015; and (f), Slovak Constitutional Court, Decision PL. US 10/2014, 29 April 2015.
In anticipation of the final wording of the questions, Lord Justice Lloyd Jones (who provided the leading judgment in the Court of Appeal), indicated that he would like to ask the CJEU two questions:
(1) Did the CJEU in Digital Rights Ireland intend to lay down mandatory requirements of EU law with which the national legislation of Member States must comply?
(2) Did the CJEU in Digital Rights Ireland intend to expand the effect of Articles 7 and/or 8, EU Charter beyond the effect of Article 8 ECHR as established in the jurisprudence of the ECtHR?
This post is based on the 23 November 2015 ‘Update’ to the EU Law Radar report on Case C-203/15, Tele2 Sverige.
The Curia website has not yet published the Questions that were eventually asked by the Court of Appeal of England and Wales.
Update – 11 January 2016
The UK’s latest proposed legislation, ‘The Investigatory Powers’ Bill, was presented to Parliament in November 2015 (Cmnd 9152). An overview of the proposed legislation was published on the BBC’s website in a post dated 5 November 2015. Last week, the BBC reported that ‘Tech giants raise concerns over UK draft surveillance bill’ (8 January 2016). The report mentions data encryption. Readers interested in that area might also look at the discussion which is ongoing in the Dutch Parliament.
Update – 4 March 2016
On 1 February 2016, the President of Court has issued an Order to expedite the hearing of the Davis case. A version of the CJEU’s order ECLI:EU:C:2016:70 is reproduced below. The reproduction is not authentic. Only the versions of the document published in the ‘Reports of Cases’ or the ‘Official Journal of the European Union’ are authentic. The source of the reproduction is the Eur-Lex Europa web site. The information on that site is subject to a disclaimer and a copyright notice.
ORDER OF THE PRESIDENT OF THE COURT
1 February 2016 ( )
In Case C‑698/15,
REQUEST for a preliminary ruling under Article 267 TFEU from the Court of Appeal (England and Wales) (Civil Division), made by decision of 9 December 2015, received at the Court on 28 December 2015, in the proceedings
Secretary of State for the Home Department
Open Rights Group,
The Law Society of England and Wales,
THE PRESIDENT OF THE COURT,
having heard the Judge-Rapporteur, T. von Danwitz, and the Advocate General, H. Saugmandsgaard Øe,
makes the following
1 This request for a preliminary ruling concerns the interpretation of Articles 7 and 8 of the Charter of Fundamental Rights of the European Union (‘the Charter’) and the judgment in Digital Rights Ireland and Others (C‑293/12 and C‑594/12, EU:C:2014:238) whereby the Court declared invalid Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC (OJ 2006 L 105, p. 54).
2 The request was made in proceedings between the Secretary of State for the Home Department, on the one hand, and Mr Davis, Mr Watson, Mr Brice and Mr Lewis, on the other, concerning whether section 1 of the Data Retention and Investigatory Powers Act 2014 (‘DRIPA’) is compatible with EU law.
3 It is stated in the order for reference that Mr Davis, Mr Watson, Mr Brice and Mr Lewis brought before the High Court of Justice of England and Wales, Queen’s Bench Division (Administrative Court), actions for judicial review of the lawfulness of the data retention regime in section 1 of DRIPA, which empowers the Secretary of State for the Home Department to require public telecommunications operators to retain communications data for a maximum period of 12 months, retention of the content of the communications concerned being excluded.
4 By judgment of 17 July 2015, that court held that that regime was not compatible with EU law in that it does not meet the requirements laid down by the judgment in Digital Rights Ireland and Others (C‑293/12 and C‑594/12, EU:C:2014:238), which that court considered to be applicable to the legislation of Member States with respect to the retention of electronic communications data and access to such data. The Secretary of State for the Home Department brought an appeal against that judgment before the referring court.
5 The claimants in the main proceedings maintain before the referring court that, inter alia, a national regime which makes provision for the retention of electronic communications data must comply with the requirements stemming from Article 15(1) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ 2002 L 201, p. 37), and with Articles 7 and 8 of the Charter. Section 1 of DRIPA constitutes, in their opinion, serious interference with the fundamental rights laid down in Articles 7 and 8 of the Charter and is incompatible with those articles in that it does not comply with the requirements laid down by the judgment in Digital Rights Ireland and Others (C‑293/12 and C‑594/12, EU:C:2014:238).
6 By its first question, the referring court seeks, in essence, to ascertain whether the judgment in Digital Rights Ireland and Others (C‑293/12 and C‑594/12, EU:C:2014:238) must be interpreted as meaning that it lays down requirements, in the light of Articles 7 and 8 of the Charter, which are applicable to a national regime governing retention of electronic communications data and access to such data. By its second question, the referring court seeks, in essence, to ascertain whether Articles 7 and 8 of the Charter must be interpreted as meaning that the requirements stemming from those articles are stricter than those stemming from Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms, signed in Rome on 4 November 1950, as interpreted respectively by the Court of Justice and by the European Court of Human Rights.
7 In the order for reference and by a separate document lodged at the Registry of the Court on the same date as that order, the referring court requests a decision by the Court that this reference for a preliminary ruling should be determined pursuant to the expedited procedure provided for in Article 105 of the Rules of Procedure of the Court.
8 Article 105(1) of the Rules of Procedure states that, at the request of the referring court or tribunal or, exceptionally, of his own motion, the President of the Court may, where the nature of the case requires that it be dealt with within a short time, after hearing the Judge-Rapporteur and the Advocate General, decide that a reference for a preliminary ruling is to be determined pursuant to an expedited procedure derogating from the provisions of those rules.
9 In this case, the referring court argues that it would be desirable to join this request for a preliminary ruling to, or direct that it be heard with, the reference for a preliminary ruling in Tele2 Sverige (C‑203/15), pending before the Court, made by a Swedish court on the subject of the compatibility, with Article 15(1) of Directive 2002/58 and Articles 7, 8 and 52(1) of the Charter, of Swedish legislation that provides for the retention of electronic communications data. Moreover, as explained by the referring court, DRIPA expires on 31 December 2016 and there is uncertainty as to the scope of the judgment in Digital Rights Ireland and Others (C‑293/12 and C‑594/12, EU:C:2014:238) with regard to any legislation which may be adopted by the Member States in the field of the retention of electronic communications data.
10 In that regard, it is clear that national legislation that permits the retention of all electronic communications data and subsequent access to that data is liable to cause serious interference with the fundamental rights laid down in Articles 7 and 8 of the Charter (see judgment in Digital Rights Ireland and Others, C‑293/12 and C‑594/12, EU:C:2014:238, paragraph 37).
11 An answer from the Court within a short time might therefore be able to dispel the uncertainty experienced by the referring court as regards the possibility of serious interference with the fundamental rights laid down in Articles 7 and 8 of the Charter and as regards whether there is any justification for that interference.
12 Further, it must be observed that the fact that there is a time limit on DRIPA being in force justifies, in the light of the spirit of cooperation that characterises the relationship between the courts of the Member States and the Court, an urgent reply by the Court to the questions put by the referring court.
On those grounds, the President of the Court hereby orders:
Case C‑698/15 shall be determined pursuant to the expedited procedure provided for in Article 105(1) of the Rules of Procedure of the Court.
Luxembourg, 1 February 2016.
Language of the case: English.
Update – 11 April 2016
The Grand Chamber is due to hear this case tomorrow on 12 April 2016. The dispute will be heard together with Case C-203/15, Tele2 Sverige.
Update – 19 June 2016
The Opinion of Advocate General Saugmandsgaard Øe is due on 19 July 2016.
Update – 12 July 2016
There is another preliminary reference which is exploring the scope and impact of the CJEU’s judgment in Digital Rights Ireland; see further, Case C-207/16, Ministerio Fiscal.