Christmas was particularly festive for privacy advocates, with the Court of Justice of the European Union (CJEU) judgement in the joint cases C‑203/15 Tele2 Sverige AB v Post- och telestyrelsen and C‑698/15 Secretary of State for the Home Department v Secretary of State for the Home Department and the leak of the European Commission’s upgraded version of the E-Privacy Directive, which it appears is actually meant to become a directly applicable EU regulation.
The purpose of this post is to cover the CJEU judgement. Many commentators have already stated that the judgement is unsurprising, particularly as it broadly echoes the opinion of Advocate General Saugmandsgaard Øe and confirmed that national legislation for the purpose of fighting crime – which provides for the general and indiscriminate retention of traffic and location data of all subscribers and registered users relating to all means of electronic communication – is incompatible with the E-Privacy Directive (2002/58/EC) when read in the light of Articles 7, 8, 11 and 52(1) of the Charter of the Fundamental Rights of the European Union (Charter).
Still, in the trilogy of CJEU cases comprising Digital Rights Ireland, Schrems (commented about here) and now Tele2 Sverige & Watson, the third one seems to be the boldest, when considered in detail.
The ruling can be summed up in 4 points:
- The CJEU outlaws general and indiscriminate obligations to retain traffic and location data covering all persons, all means of electronic communication and all data without any distinctions, limitations or exceptions for the purpose of combating crime (para. 107).
- It defines the scope of EU law broadly by including within its remit both data retention obligations and data access regimes. The CJEU was thus not convinced by the UK Government and the European Commission (EC), which were of the view that “only legislation relating to the retention of data, but not legislation relating to the access to that data by the competent national law enforcement authorities, falls within the scope of that directive” (para. 65).
- The CJEU holds that a data retention measure must “lay down clear and precise rules indicating in what circumstances and under which conditions the providers of electronic communications services must grant the competent national authorities access to the data” and these rules “must be legally binding under domestic law.” (para. 117).
- It adds that national legislation setting forth access-to-data regimes cannot simply refer to one of the objectives mentioned in Article 15(1) of the E-Privacy Directive. [As a reminder, Article 15(1) provides that Member States (MS) may adopt legislative measures to restrict the scope of the rights and obligations of certain provisions in the E-Privacy Directive when such restriction is to safeguard national security, defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system.] They have to contain substantive and procedural safeguards (para. 118), and in particular:
  - “access can, as a general rule, be granted, in relation to the objective of fighting crime, only to the data of individuals suspected of planning, committing or having committed a serious crime or of being implicated in one way or another in such a crime (see, by analogy, ECtHR, 4 December 2015, Zakharov v. Russia, CE:ECHR:2015:1204JUD004714306, § 260). However, in particular situations, where for example vital national security, defence or public security interests are threatened by terrorist activities, access to the data of other persons might also be granted where there is objective evidence from which it can be deduced that that data might, in a specific case, make an effective contribution to combating such activities.” (para. 119)
  - “it is essential that access of the competent national authorities to retained data should, as a general rule, except in cases of validly established urgency, be subject to a prior review carried out either by a court or by an independent administrative body, and that the decision of that court or body should be made following a reasoned request by those authorities submitted, inter alia, within the framework of procedures for the prevention, detection or prosecution of crime.” (para. 120).
  - “the competent national authorities to whom access to the retained data has been granted must notify the persons affected, under the applicable national procedures, as soon as that notification is no longer liable to jeopardise the investigations being undertaken by those authorities.” (para. 121).
  - “Given the quantity of retained data, the sensitivity of that data and the risk of unlawful access to it, the providers of electronic communications services must, in order to ensure the full integrity and confidentiality of that data, guarantee a particularly high level of protection and security by means of appropriate technical and organisational measures. In particular, the national legislation must make provision for the data to be retained within the European Union and for the irreversible destruction of the data at the end of the data retention period” (para. 122).
While the CJEU has been largely applauded for its judgement, does it mean that we have been provided with a clear distinction between measures of mass surveillance and measures of targeted surveillance, and that the former are now incompatible with EU law?
Well, to answer this question, we are confronted with the same old problem, i.e. that of properly defining these terms.
The CJEU’s approach to this topic is nonetheless interesting for the following reasons:
It says that national legislation [such as that at issue in the main proceedings] that “does not require there to be any relationship between the data which must be retained and a threat to public security” – in particular that “is not restricted to retention in relation to (i) data pertaining to a particular time period and/or geographical area and/or a group of persons likely to be involved, in one way or another, in a serious crime, or (ii) persons who could, for other reasons, contribute, through their data being retained, to fighting crime” – “exceeds the limits of what is strictly necessary and cannot be considered to be justified, within a democratic society, as required by Article 15(1) of Directive 2002/58, read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter” (para. 106 and 107).
How is this so? This is essentially because Article 15(1) of the E-Privacy Directive should be interpreted in the light of the European Charter of Fundamental Rights (i.e. Articles 7, 8 and 11 and 52), which should mean that:
- General data retention obligations can only be put in place to fight serious crimes and serious crimes only (para. 102) AND [the ‘and’ is important as it is not enough to point to this objective to justify such obligations]
- Data retention obligations have to be calibrated as per para. 110-111.
In particular, this is because of the principle of confidentiality of communications and related traffic data to be found in Article 5 of the E-Privacy Directive. Holding general and indiscriminate data retention obligations lawful would mean undermining this principle, as the retention of traffic data would become the rule instead of being the exception (para. 104). [Notably, the re-formulation of the principle of confidentiality of communications by the CJEU is quite broad as it targets all providers: “The protection of the confidentiality of electronic communications and related traffic data, guaranteed in Article 5(1) of Directive 2002/58, applies to the measures taken by all persons other than users, whether private persons or bodies or State bodies.” While the CJEU did say that the retention of traffic and location data for the purposes of creating profiles is “no less sensitive, having regard to the right to privacy, than the actual content of communications,” it does not equate the retention of traffic and location data with the retention of the content of communications as the former does not adversely affect the essence of Articles 7 and 8 rights. Nonetheless, the CJEU added that the retention of traffic and location data “could…have an effect on the use of means of electronic communications and, consequently, on the exercise by the users thereof of their freedom of expression, guaranteed in Article 11 of the Charter” (para. 101).]
What is the CJEU saying? That general retention obligations are actually incompatible with EU law… as they have to be calibrated? [By general retention obligations, one should understand obligations targeting the entire user base of service providers, which should mean that general retention obligations are a species of general monitoring obligations!].
Here are the exact words of the CJEU at para. 110 and 111:
“Second, as regards the substantive conditions which must be satisfied by national legislation that authorises, in the context of fighting crime, the retention, as a preventive measure, of traffic and location data, if it is to be ensured that data retention is limited to what is strictly necessary, it must be observed that, while those conditions may vary according to the nature of the measures taken for the purposes of prevention, investigation, detection and prosecution of serious crime, the retention of data must continue nonetheless to meet objective criteria, that establish a connection between the data to be retained and the objective pursued. In particular, such conditions must be shown to be such as actually to circumscribe, in practice, the extent of that measure and, thus, the public affected.
As regard the setting of limits on such a measure with respect to the public and the situations that may potentially be affected, the national legislation must be based on objective evidence which makes it possible to identify a public whose data is likely to reveal a link, at least an indirect one, with serious criminal offences, and to contribute in one way or another to fighting serious crime or to preventing a serious risk to public security. Such limits may be set by using a geographical criterion where the competent national authorities consider, on the basis of objective evidence, that there exists, in one or more geographical areas, a high risk of preparation for or commission of such offences.”
In other words, it would seem that even when the objective is to fight serious crimes, retention obligations have to be calibrated so that they are based upon objective criteria that create a [foreseeable] link between the content of the obligations and the public affected.
If we assume that it is possible to have local service providers, then general retention obligations could still be compatible with EU law, assuming it is possible to rely upon a geographical criterion only. But are local service providers really the norm?
With this said, at para. 107-108, the CJEU uses the precise word ‘targeted’ and states the following:
“National legislation such as that at issue in the main proceedings therefore exceeds the limits of what is strictly necessary and cannot be considered to be justified, within a democratic society, as required by Article 15(1) of Directive 2002/58, read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter.
However, Article 15(1) of Directive 2002/58, read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter, does not prevent a Member State from adopting legislation permitting, as a preventive measure, the targeted retention of traffic and location data, for the purpose of fighting serious crime, provided that the retention of data is limited, with respect to the categories of data to be retained, the means of communication affected, the persons concerned and the retention period adopted, to what is strictly necessary.”
It would seem that only targeted retention obligations are compatible with EU law, be they preventive or not [arguably if they are not preventive but reactive, strictly speaking they are not retention obligations but preservation obligations]. Obviously, as stated above, it all depends upon what the CJEU means by targeted!
But remarkably, in para. 108 the CJEU seems to be giving a definition of targeted retention obligation that relies upon 4 cumulative criteria:
- Targeted in relation to the categories of data to be retained
- Targeted in relation to the means of communication affected
- Targeted in relation to the persons concerned
- Targeted in relation to the retention period
The question is then whether it would be possible for a preventive targeted retention obligation to be calibrated so that “individuals [who] are not, and are unlikely to become, of interest to” competent authorities are still targeted (to use terminology found in the UK Investigatory Powers Act of 2016 (IPA 2016)). Furthermore, can data retained on the basis of data retention obligations be used to ‘produce’ suspicions?
The answers to these [fundamental] questions are not crystal clear [are they?], although it seems that the CJEU is hinting in one direction.
- When dealing with retention as such, the CJEU seems to distinguish between calibration based on geographical location and calibration based on the role or contribution of the individuals targeted by data retention obligations (see para. 106). The CJEU then seems to suggest, as mentioned above, that using a geographical criterion is a way to calibrate the obligation as regards the public or persons concerned (para. 111).
- However, when dealing with access to retained data, the CJEU is stricter: either competent authorities already suspect the targeted individuals or “in particular situations, where for example vital national security, defence or public security interests are threatened by terrorist activities” they already hold “objective evidence from which it can be deduced that that data might, in a specific case, make an effective contribution to combating such activities.” (para. 119). [Wow, even if it is not entirely obvious what an effective contribution could be, does not this go against the whole logic of the UK IPA 2016 and its introduction of new bulk data powers?]
What do readers think? Has the CJEU managed to clarify the distinction between general(ised) surveillance measures and targeted surveillance measures? Can MS continue to have doubts about the implications of the CJEU rulings?
Sophie Stalla-Bourdillon