Privacy and Data Collection/Retention in the EU: Villalón Opinion

On Thursday of last week, Advocate General Cruz Villalón (see here for a description of the role of the Advocate General and the non-binding nature of their Opinions) delivered his Opinion in two joined cases pending before the CJEU, the Court of Justice of the European Union: Case C-293/12 Digital Rights Ireland; Case C-594/12 Seitlinger (the opinion is here). The Advocate General concludes that the Data Retention Directive 2006/24/EC (“the Directive”), and the obligation it imposes regarding the collection and retention of data, is a serious interference with the right to privacy which is not sufficiently circumscribed (as it ought to be) with safeguards and that the temporal scope of the obligation (6mths-2 years), in Article 6 of the Directive, is disproportionate. The Judgment of the Court is still awaited so the future of the Directive remains to be determined.

In both of these cases the referring court (Irish and Austrian, respectively) made a request for a preliminary ruling to the CJEU regarding the Directive. In Digital Rights Ireland, that entity (“DRI”), a limited liability company with the object of promoting and protecting civil and human rights, especially in the field of modern communication technologies, brought an action in Ireland against public bodies alleging that they have unlawfully processed, retained and exercised control over data related to its cell phone communications. Not only does DRI seek the annulment of various Irish laws but it also challenges the validity of the Directive, given the provisions of the EU Charter and the European Convention on Human Rights (“the ECHR”). Seitlinger also involves a challenge to the validity of the Directive and the provisions of Austrian law transposing the Directive into Austrian law.

Both cases therefore focus on the Directive’s obligation on economic operators to collect and retain, for a specified time, data generated or processed in connection with electronic communications effected by citizens throughout the territory of the EU. This obligation to collect and retain (“OCR”) in the Directive is based on two objectives: (i) to ensure the data is available for investigating and prosecuting serious criminal activity and (ii) to ensure the proper functioning of the internal market. The human rights’ challenge at the heart of the cases is to the compatibility of the Directive with the right to privacy (Article 7 of the EU Charter, Article 8 of the ECHR) (the right to protection of personal data in Article 8 of the EU Charter is touched upon as is the right to freedom of expression in Article 11 of the EU Charter and Article 10 of the ECHR). (Other issues, such as the proportionality of the Directive in the light of its stated purposes are also considered in the Opinion but are not considered here).

The Advocate General’s Opinion rightly notes, by placing the Directive in the context of the broader legislative framework (paras 31-47), that the OCR is a profound innovation. He refers to two other Directives – Directive 95/46/EC which imposes on Member States the obligation to guarantee the right to privacy of individuals with respect to the processing of personal data relating to them, with a view to allowing the free flow of such data between Member States and Directive 2002/58/EC, which contains specific rules relating to the processing of personal data and the protection of privacy in the electronic communications sector. Both of these Directives contain provisions (Articles 13(1) and 15(1), respectively), which allow Member States to adopt legislative measures restricting the scope of individual rights where this is necessary to safeguard national security, defence, public security or the prevention, investigation, detection and prosecution of criminal offences. The Advocate General observes that the Directive “alters profoundly” (para 36) the law in these other Directives by establishing the OCR which applies to data which falls within the scope of the restrictions on the right to the protection of personal data in Articles 13(1) and 15(1) of these latter Directives. What is surprising is that, given that the OCR is such a profound innovation, it should have been articulated absent the safeguards, which the Advocate General goes on to find should have been identified and are necessary protections for the right to privacy.

The Advocate General rightly finds that the Directive itself is an interference with the right to privacy (a matter on which there is “hardly any doubt”: para 68), indeed “a particularly serious interference” (para 80). He takes into account the following factors in coming to this conclusion: although the content of telephone or electronic communications is excluded, the collection and retention of data “establishes the conditions for surveillance which, although carried out retrospectively when the data are used, none the less constitutes a permanent threat throughout the data retention period to the right of citizens of the Union to confidentiality in their private lives. The vague feeling of surveillance created raises very acutely the question of the data retention period.” (para 72); the use of the data may make it possible to create a “faithful and exhaustive map of a large portion of a person’s conduct strictly forming part of his private life, or even a complete and accurate picture of his private identity” (para 74); there is a risk that the data may be used for unlawful purposes (para 75); a risk which is compounded by the fact that the data is retained by the providers of electronic communications services (not by or under the direct control of public authorities) and the Directive does not require the data to be stored in the territory of a Member State (paras 76-79).

The Advocate General goes on to consider whether this interference with the right to privacy is permissible under Article 52(1) of the EU Charter, i.e. “if it is ‘provided by law’ and… meets the quality of law requirements, it respects the essence of the right to privacy and it is proportionate…[i.e.] it necessarily and genuinely meets objectives of general interest recognised by the European Union or the need to protect the rights and freedoms of others.” (para 107). He concludes that the Directive does not satisfy the “provided by law” requirement since it simply imposes the OCR, without laying down safeguards to govern access to retained data and their use, which is left to Member States (with the conclusion that the Directive as a whole is incompatible with Article 52(1) of the EU Charter): paras 113-132. The EU legislature should have defined the fundamental principles that were to govern the determination of the minimum guarantees for access to the data collected and retained and their use (para 125). For example, the EU legislature should have provided a more precise definition than “serious crime” as an indication of the criminal activities which are capable of justifying access by the competent national authorities to the collected/retained data (para 126); it should have limited access to either judicial or other independent authorities or by making requests for access subject to a case-by-case judicial (or other independent) review (para 127); considered specific situations such as medical confidentiality (para 128) and an obligation to erase (para 129). There is one aspect of the Advocate General’s reasoning which is undoubtedly right and deserves emphasis, and that is that the EU legislature should have limited access to the data to either judicial or other independent bodies or by making requests for access subject to a case-by–case judicial (rather than other independent) review. With this essential requirement in place at the EU level, Member States could have been left to fill in the detail.

In relation to proportionality, the Advocate General focuses on the temporal scope of the OCR: viz., Article 6 of the Directive which provides that data must be retained generally for a minimum period of 6 months and for a maximum period of 2 years.  He concludes that “with all the caution that this aspect of the review of proportionality always requires, no argument was able to convince me of the need to extend data retention beyond one year.” (para 149) He supported this by reference to the possibility, which the Directive includes, of an extension to the maximum period of data retention where necessary in a particular case. Article 6 of the Directive was therefore held to be incompatible with the right to privacy (in Article 7 of the EU Charter): para 152. Whilst the Advocate General’s resistance to the two-year limit is understandable, it is harder to understand the rationale that leads to his acceptance of a one-year limit. He may be right to regard the interference as sufficiently justified in relation to the present rather than the past (para 149), but the problem lies in his definition of the “present” as being a period quantifiable in months whereas the past (or “historical time” as he calls it: paras 148-149) is a period measured in years. This is not a conclusion that can be easily reconciled (if at all) with the ordinary meaning or usage of “present”. Nor is it a conclusion that seems to take any account of the purpose of the OCR and, in my opinion, the need for that purpose to be taken into account in defining the temporal scope of the OCR.

It remains to be seen what the Court itself will make of the Directive and whether it is compatible with the right to privacy. Regardless, the Advocate General’s Opinion is a timely and interesting contribution to the on-going debate about the balance between “surveillance”-type data collection/retention and human rights. 

About the Author(s)

Shaheed Fatima Q.C.

Queen's Counsel Barrister practicing at Blackstone Chambers