Tuesday 10 January 2017

A Threat to Human Rights? The new e-Privacy Regulation and some thoughts on Tele2 and Watson




Matthew White, Ph.D candidate, Sheffield Hallam University

Introduction

In a follow-up to last Christmas’s post, on 10 January 2017, the European Commission released the official version of the proposed Regulation on Privacy and Electronic Communications (e-Privacy Regs). Just as the last post concerned the particular aspect of data retention, this post will too.

Just as the former leaked version maintained, the proposal does not include any specific provisions in the field of data retention (para 1.3). This paragraph continues that Member States are free to keep or create national data retention laws, provided that they are ‘targeted’ and that they comply with European Union (EU) taking into account the case-law of the Court of Justice of the European Union (CJEU) and its interpretation of the e-Privacy Directive and the Charter of Fundamental Rights (CFR). Regarding the CJEU’s interpretation, the proposals specifically refers to Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and Seitlinger and Others, and Joined Cases C-203/15 and C-698/15 Tele2 Sverige AB and Secretary of State for the Home Department. Aspects of the latter case is the focus of this post; the case itself has been thoroughly discussed by Professor Lorna Woods.

So, when is the essence of the right adversely affected?

Before discussing certain aspects of Tele2 and Watson, it is first important to draw attention to the provision which enables data retention in the new e-Privacy Regs. Article 11 allows the EU or its Member States to restrict the rights contained in Articles 5-8 (confidentiality of communications, permissions on processing, storage and erasure of electronic communications data and protection of information stored in and related to end-users’ terminal equipment). From Article 11, it is clear that this can include data retention obligations, so long as they respect the essence of the right and are necessary, appropriate and proportionate. In Tele2 and Watson the CJEU noted that any limitation of rights recognised by the CFR must respect the essence of said rights [94]. The CJEU accepted the Advocate General (AG)’s Opinion that data retention creates an equally serious interference as interception and that the risks associated with the access to communications maybe greater than access to the content of communications [99]. Yet the CJEU were reluctant to hold that data retention (and access to) adversely affects the essence of those rights [101]. This appears to highlight a problem in the CJEU’s reasoning, if the CJEU, like the AG accept that retention of and access to communications data is at least on par with access to the content, it makes little sense to then be reluctant to hold that data retention adversely affects the essence of those rights. The CJEU does so without making any distinction or reasoning for this differential treatment, and thus serves to highlight that perhaps the CJEU themselves do not fully respect the essence of those rights in the context of data retention.

The CJEU’s answer seems only limited catch all powers

The thrust of the CJEU’s judgment in Tele2 and Watson was that general and indiscriminate data retention obligations are prohibited at an EU level. But as I have highlighted previously, the CJEU’s answer was only in response to a very broad question from Sweden, which asked was:

[A] general obligation to retain traffic data covering all persons, all means of electronic communication and all traffic data without any distinctions, limitations or exceptions for the purpose of combating crime…compatible with [EU law]?

Therefore, provided that national laws do not provide for the capturing of all data of all subscribers and users for all services in one fell swoop, this may be argued to be compatible with EU law. Both the e-Privacy Regs and the CJEU refer to ‘targeted’ retention [108, 113]. The CJEU gave an example of geographical criterions for retention in which David Anderson Q.C. asks whether the CJEU meant that ‘it could be acceptable to perform “general and indiscriminate retention” of data generated by persons living in a particular town, or housing estate, whereas it would not be acceptable to retain the data of persons living elsewhere? This is entirely possible given the reference from Sweden and the answer from the CJEU. In essence the CJEU have permitted discriminatory general and indiscriminate data retention which would in any event respect the essence of those rights.

Data retention is our cake, and only we can eat it

A final point on Tele2 and Watson was that the CJEU held that national laws on data retention are within the scope of EU law [81]. This by itself may not raise any concerns about protecting fundamental rights, but it is what the CJEU rules later on in the judgment that may be of concern. The CJEU held that the interpretation of the e-Privacy Directive (and therefore national Member State data retention laws) “must be undertaken solely in the light of the fundamental rights guaranteed by the Charter” [128]. The CJEU has seemingly given itself exclusive competence to determine how rights are best protected in the field of data retention. It is clear from the subsequent paragraph that the CJEU seeks to protect the autonomy of EU law above anything else, even fundamental rights [129]. This is despite the ECHR forming general principles of EU law and is mentioned in Article 15(1) (refers Article 6(3) of the Treaty of the European Union (TEU) specifically referring to the ECHR as such). Article 11 of the e-Privacy Regs refers to restrictions respecting the ‘essence of fundamental rights and freedoms’ and only time will tell whether the CJEU would interpret this as only referring to the CFR. Recital 27 of the e-Privacy Regs just like Recital 10 and 30 of the e-Privacy Directive refers to compliance with the ECHR, but as highlighted previously, Recitals are not legally binding.

Is the CJEU assuming too much?

A further concern, is that had the European Commission added general principles of EU law into Article 11, the CJEU may simply have ignored it, just as it has done in Tele2 and Watson. The problem with the CJEU’s approach is that it assumes that this judgment offers an adequate protection of human rights in this context. The ECHR has always been the minimum floor, but it appears the CJEU wants the CFR to be the ceiling whether it be national human rights protection, or protection guaranteed by the ECHR. What if that ceiling is lower than the floor? The AG in Tele2 and Watson stressed that the CFR must never be inferior to the ECHR [141]. But I have argued before, the EU jurisprudence on data retention is just that, offering inferior protection to the ECHR, and the qualification by the CJEU in Tele2 and Watson does not alter this. This position is strengthened by Judge Pinto De Albuquerque in his concurring opinion in the European Court of Human Rights judgment in Szabo. He believed that:

[M]andatory third-party data retention, whereby Governments require telephone companies and Internet service providers to store metadata about their customers’ communications and location for subsequent law-enforcement and intelligence agency access, appeared neither necessary nor proportionate [6].

Of course, Judge Pinto De Albuquerque could have been referring to the type of third party data retention which requires Internet Service Providers (ISPs) to intercept data from Over The Top (OTT) services, but his description is more in line with data retention of services’ own users and subscribers.

Conclusions

Although the CJEU has prohibited general indiscriminate data retention, the CJEU does not seem to have prevented targeted indiscriminate data retention. If the European Court of Human Rights (ECtHR) were to ever rule on data retention and follow its jurisprudence and the opinion of Judge Pinto De Albuquerque, this may put EU law in violation of the ECHR. This would ultimately put Member States in a damned if they do, damned if they do not situation, comply with the ECHR, and violate EU law autonomy; comply with EU law and violate the ECHR. When the minimum standards of human rights protection in this context are not adhered to, because of EU law, the ECHR should prevail. As anything less is a threat to human rights, meaning that the (even if well intentioned) CJEU can also be.

JHA4: chapter II:7

Photo credit: goldenfrog.com

No comments:

Post a Comment