Here we are! The last episode of the UK saga “and what do we do with data retention laws” has been issued by the English High Court, with its judgement in the case David Davis MP, Tom Watson MP, Peter Brice, Geoffrey Lewis v The Secretary of State for the Home Department  EWHC 2092 (Admin).
The claimants had applied for judicial review of the data retention powers in section 1 of the infamous DRIPA (the Data Retention and Investigatory Powers Act 2014), previously discussed in posts here and here. [DRIPA substantively re-enacted the mandatory data retention provisions of the UK Data Retention (EC Directive) Regulations 2009, and introduced regimes for subjecting providers located outside the UK to maintenance of interception capability notices, interception warrants and communications data acquisition notices.] The claimants were claiming that the powers to retain and gain access to communications data were too broad and, in particular, that no adequate safeguards had been put in place to guarantee the confidentiality of ‘legally privileged’ communications between members of the public and their solicitors. [‘Communications data’ is described succinctly by the Court at ).]
Lord Justice Bean, giving the judgement for the High Court, held that section 1 of DRIPA shall be disapplied after 31 March 2016 for the following two reasons:
- “in so far as access and use of communications data retained pursuant to a retention notice is permitted for purposes other than the preventing and detection of serious offences or the conduct of criminal prosecutions relating to such offences; and
- in so far as access to the data is not made dependent on a prior review by a court or an independent administrative body whose decision limits access to and use of the data to what is strictly necessary for the purpose of attaining the objective pursued” .
Lord Justice Bean made it clear right from the start (at ) that the only question he had to decide was “the comparatively dry question of whether or not [the powers conferred by DRIPA] are compatible with EU law as expounded by the CJEU in Digital Rights Ireland”.
In passing, Lord Justice Bean noted that “this is not a case in which any party has argued that Article 8 of the Charter lies outside the proper scope of EU law, although it will be seen that there is a dispute as to whether it covers access to data as well as retention” [See my post on Willems et al and the scope of EU law here].
How did the High Court assess the legality of DRIPA? By applying the following test, as expressed by the Secretary of State: “The test of validity of the Act [DRIPA] and the 2014 Regulations [the Data Retention Regulations 2014] is whether they are compliant with Articles 7 [the right to privacy] and 8 [the right to protection of personal data] of the EU Charter and/or Article 8 ECHR [The European Convention on Human Rights]”.
The Court worked from the assumption that “the retention notices issued under [DRIPA] may be as broad in scope as the statute permits, namely a direction to each CSP [Communications Service Provider] to retain all communications data for a period of 12 months”.
The High Court’s judgment is fascinating for several reasons:
- The High Court considers separately the case law of the European Court of Human Rights (ECtHR) and the CJEU. First of all, it stresses that “the ECtHR has not considered a case which concerns general retention of communication data, as opposed to access to the data of a particular individual” (at ). As a result, the High Court considers that the case law of the ECtHR is not directly helpful in the case at hand.
- The High Court expressly recognises that Article 8 of the Charter “clearly goes further, is more specific, and has no counterpart in the ECHR”. Therefore, the High Court considers that the benchmarks to assess the case at hand have to be found in the case law of the CJEU and, in particular, Digital Rights Ireland. [But, is it because the ECHR does not include any equivalent provision to Article 8 of the Charter concerning the right to data protection that the Court thinks that it necessarily goes further than Article 8 of the ECHR concerning the right to privacy? The case law of the ECtHR clearly shows that its interpretation of the concept of private life has been directly influenced by the emergence and development of data protection concepts and laws].
- The High Court reads Digital Rights Ireland as stating that the judgment does not preclude the bulk retention of communications data. In the words of Lord Justice Bean, “the Court was not, as we read the judgment, purporting to lay down any particular limitations on that power [to retain communications data], as opposed to conditions of access”. [I wonder, isn’t it slightly simplifying the CJEU’s judgement? It is not because the CJEU recognises in paragraph 46 that the bulk retention of data “genuinely satisfies an objective of general interest” that the modalities of collection and retention become suddenly irrelevant. For the CJEU, the security measures put in place at the time of storage, and in particular the choice of the location of storage, seems to be an important consideration…. To note, in Weber, the ECtHR did pay attention to the fact that the selection of the communications to be listened to or read was made only on the basis of generic catchwords as well as to the fact that the Federal Constitution Court had required that these personal data be marked and bound up with the purposes which had justified their collection. Furthermore, does it make sense to say that the bulk retention of communications data, irrespective of access to this communications data, amounts to a prima facie breach of Articles 7 and 8 of the Charter, as well as to say that to justify the bulk retention of communications only conditions relating to access to this data are relevant?].
- While the High Court refuses to say anything about the combination of Article 15 and Article 13 of the e-privacy Directive, it does conclude that “a general retention regime for personal data must expressly provide for access to and use of the data to be strictly restricted to the purpose of preventing and detecting precisely defined serious offences or of conducting criminal prosecutions relating to such offences” (at ). The foregoing does not mean that “access must be limited to the data of people suspected to have committed serious crime” (at ).
- An access regime (and an access regime only) must include a prior review by a court or an independent administrative body. “Lack of training of magistrates, instances of a failure by magistrates to carry out proper scrutiny of applications, failure by the Ministry of Justice to introduce an electronic system to avoid delay and the requirements in some cases for payment of fees” are no excuse (at ). [This might be the reason why Article 8 of the Charter goes further than Article 8 of the ECHR. To be sure, Kennedy was not about the bulk retention of communications data but about targeted interceptions of communications. Besides, Weber was a case of strategic monitoring more limited in scope than the data retention obligations at stake. In addition the ECtHR did note that personal data obtained through the means of strategic monitoring could only be used if the person concerned was either subject to measures of targeted surveillance (“individual monitoring”) or if “there were factual indications for suspecting a person of planning, committing or having committed one of the [serious] offences” listed the German G10 Act or the German Criminal Code].
- As per , the High Court does not consider “that on a proper interpretation of Digital Rights Ireland it is necessary for restrictions on passing on information about communications data outside the EU to be embodied in statute”.
- Despite a finding of inconsistency between section 1 of the DRIPA and EU law, the High Court decides to suspend the disapplication of section 1 until 31 March 2016 (at ).
To conclude, the High Court’s judgement and its attempt to make sense of Digital Rights Ireland is more interesting than other national decisions, such as the recent Belgian decision (which “simply” notes that all the safeguards identified by the CJEU in this cases are missing in the national law and in particular an access regime).