This post, composed immediately after judgment was handed down in this important case on 21 December 2016, encapsulates my reaction to it. Its possible implications for the Investigatory Powers Act 2016, for the other “bulk powers” used by UK intelligence agencies and others, for the developing case law of the European Court of Human Rights and indeed for any EU adequacy determination directed to the UK post-Brexit, remain to be worked out over the months and years ahead.
What happened today?
The Grand Chamber of the EU’s Court of Justice (CJEU) gave judgment this morning in the case brought in 2014 by David Davis MP and Tom Watson MP, from which David Davis withdrew on his appointment to Government. They challenged the powers to require the retention of certain types of communications data – not the content, but the “who, where and when” of communications – in the Data Protection and Investigatory Powers Act 2014 (DRIPA 2014).
The Court spelled out the requirements of EU law, specifically, the privacy protections of the EU Charter of Fundamental Rights, in a manner which makes it plain that DRIPA 2014 is incompatible with those requirements. In doing so, it went further than the more pragmatic opinion of its own Advocate General and further also than the existing case law of its sister court, the (non-EU) European Court of Human Rights.
The CJEU considered that DRIPA 2014 “exceeds the limit of what is strictly necessary and cannot be considered to be justified, within a democratic society“: para 107. But it referred the case back to the English Court of Appeal for a decision on the extent to which UK law is consistent with EU requirements (para 124). The battle will resume there in the New Year.
The case (Case C-698/15) was joined with a Swedish case brought by Tele2 Sverige AB (Case C-203/15). The judgment is here watson-judgment, and the Court’s own press release is here watson-press-release. A previous post in which I set out the background is here.
What are the powers in issue?
The power of chief concern to the Court was the power to require communications service providers to retain fixed and mobile call logs (“traffic data”) and mobile phone location data for up to 12 months.
Those powers have been exercised in the UK for many years. The EU’s own Data Retention Directive of 2006, a measure supported by the UK Government which required such powers to be exercised EU-wide, was itself struck down by the Court in 2014 (Digital Rights Ireland). Many Member States have continued to exercise such powers under their own national law, and a number of them (Czech Republic, Cyprus, Estonia, Finland, France, Germany, Ireland, Poland) joined the UK in arguing in this case that the principles set out in Digital Rights Ireland should not be treated as mandatory requirements in these circumstances.
What are the powers used for?
The DRIPA 2014 power at issue in Watson is a relatively familiar and low-tech one: contrast some of the bulk collection powers used by security and intelligence agencies in the UK and other countries whose utility I reviewed in this report of August 2016. (The Treaty on European Union states at Article 4(2) that “national security remains the sole responsibility of each Member State“: the scope of that carve-out remains to be definitively determined.)
Access to retained traffic and location data is however extremely useful to the police and other law enforcement authorities, in the investigation not only of serious crime but e.g. of reported disappearances where examination of the phone records of the missing person may offer clues as to their contacts and so help locate them. During my investigatory powers review of 2014-15, I was left in no doubt as to its value.
Some specific examples of the utility of retained communications data in investigating both missing persons and serious crimes (sexual offences, supply of drugs, trafficking, homicide, terrorism) are at Annex 10 to my June 2015 report, A Question of Trust. Similar examples were provided to the European Commission from a variety of Member States. See further A Question of Trust at 7.47-7.51, 9.21-9.32 and 9.43-9.47. As I wrote at 9.45, retained data may be particularly useful because:
- Conspirators become more guarded in their use of communications as the moment of a crime approaches. Older data may therefore be the best evidence against them.
- It may be relatively easy to arrest the minor players in a drugs importation or smuggling ring. But by going through their historic communications data, it may become possible to trace the bigger players who have taken care to remain in the background.
- A time lapse between the incident and the identification of a suspect will mean that old data is needed.
Law enforcement figures cited at 7.50(c) showed that over a two-week period in 2012, 27% of requests for communications data in terrorism cases and 37% of requests in sexual offence cases were for data more than six months old.
I also quoted Rob Wainwright, the (British) Director of Europol, who gave the following evidence to the European Parliament in late 2014:
Ask yourself what the end of data retention would mean in concrete terms? It would mean that communications data that could have solved a murder or exonerate a suspect is simply deleted and no longer available.
The European Commission has been a strong supporter of universal retention of communications data, noting in 2014:
Data retention enables the construction of trails of evidence leading up to an offence. It also helps to discern or corroborate other forms of evidence on the activities of and links between suspects and victims. In the absence of forensic or eye witness evidence, data retention is often the only way to start a criminal investigation. Generally, data retention appears to play a central role in criminal investigation even if it is not always possible to isolate and quantify the impact of a particular form of evidence in a given case.
Precisely because suspects are often not known in advance, data retention which is not universal in its scope is bound to be less effective as a crime reduction measure. In addition, a person whose data has not been retained cannot be exonerated by use of that data (e.g. by using location data to show that the person was elsewhere).
The judgment: minimum safeguards
The Court followed its Advocate General (the member of the court entrusted with preparation of a preliminary opinion) in requiring that access to stored data should be restricted to serious crime purposes (para 119) and subject to prior independent authorisation (para 120). Those points were anticipated also by the English High Court in its ruling of July 2015, though on grounds which were doubted by the Court of Appeal in November 2015.
The judgment also introduced a requirement to notify persons affected when such notification is no longer liable to jeopardise an investigation (para 121). It further requires that data must be retained in the EU (para 122: this is not currently the case for all data).
The judgment: principle of general data retention
The wider significance of the Grand Chamber’s judgment is in its ruling that the whole principle of what it called “general and indiscriminate retention” (para 97) is contrary to EU law – specifically the Charter of Fundamental Rights. Though some saw this bold conclusion prefigured in Digital Rights Ireland, the High Court, the Court of Appeal and the CJEU’s own Advocate General all chose to avoid it in Watson. Indeed as Open Rights Group reminds us, even Tom Watson’s advocate, Dinah Rose QC, submitted that the position later taken by the CJEU was “wholly impracticable“. Her case was, rather, that a general retention obligation could be lawful so long as accompanied by an access regime with sufficiently stringent safeguards.
The judgment of the CJEU was thus a genuinely radical one. The proven utility of existing data retention powers, and the limitations now placed on those powers, is likely to mean that it will be of serious concern to law enforcement both in the UK and in other Member States. On the other side of the balance, not everyone will agree with the Court’s view that these powers constitute a “particularly serious” interference with privacy rights, or that they are “likely to cause the persons concerned to feel that their private lives are the subject of constant surveillance” (para 100). A more rigorous analysis of proportionality would have focussed on any actual harm that this useful power might be shown to have caused over its years of operation, and sought to avoid assertions based on theory or on informal predictions of popular feeling.
It must be acknowledged, however, that feelings on these matters do vary at least to some extent across Europe. Thus:
- The comments of the CJEU in relation to the seriousness of the interference with privacy find no real echo in the three parliamentary and expert reports which led to the introduction of the Investigatory Powers Bill, nor in the regular reports of the Interception of Communications Commissioner, the senior former Judge who conducts detailed oversight of this activity in the UK.
- But in the eastern part of Europe and in Germany, historic experience, coupled with a relative lack of exposure (until recently) to terrorism have induced greater circumspection. National data retention rules have proved controversial and were annulled even before Digital Rights Ireland in Bulgaria, Romania, Germany, Cyprus and the Czech Republic.
This may reflect what I have previously described as “marked and consistent differences of opinion between the European Courts and the British judges … which owe something at least to varying perceptions of police and security forces and to different (but equally legitimate) conclusions that are drawn from 20th century history in different parts of Europe” (A Question of Trust, 2.24).
The qualms expressed by the Court in relation to the principle of universal data retention did not extend to a retention obligation “based on objective evidence which makes it possible to identify a public whose data is likely to reveal a link, at least an indirect one, with serious criminal offences …“. Indeed the CJEU advised (para 111) that:
Such limits may be set by using a geographical criterion where the competent national authorities consider, on the basis of objective evidence, that there exists, in one or more geographical areas, a high risk of preparation for or commission of such offences.
Did the Court mean by this that it could be acceptable to perform “general and indiscriminate retention” of data generated by persons living in a particular town, or housing estate, whereas it would not be acceptable to retain the data of persons living elsewhere? Such geographical profiling could prove “wholly impracticable“, in the phrase of Dinah Rose QC. If attempted, it would certainly raise extremely sensitive legal and ethical issues. Those issues were not touched upon in the judgment.
Impact on the Investigatory Powers Act 2016
DRIPA 2014 expires anyway at the end of 2016: but the judgment has significance for the Investigatory Powers Act 2016, which received Royal Assent on 29 November and provides for data retention powers similar to (indeed in some respects more extensive than) those contained in DRIPA 2014.
The precise impact of the judgment will have to be worked out over the weeks and months ahead, with the assistance of the Court of Appeal which referred questions to the CJEU for a preliminary ruling and to which the answers have now been returned (para 124). But its consequences are likely to have to include the amendment of the Investigatory Powers Act 2016, either by further primary legislation or by a statutory instrument (secondary legislation) under the European Communities Act 1972.
And after Brexit?
The UK remains bound by decisions of the CJEU, including this one, until such time as it has left the EU.
But even after Brexit, it will not be possible to ignore its data protection judgments altogether. The sharing of personal data with non-EU countries, in particular, is subject to certification by the EU that their data protection standards are adequate. In the 2014 case of Schrems, the CJEU held that this required the non-EU country to provide for “a level of protection of fundamental rights essentially equivalent to that guaranteed in the EU legal order“. The implications of this for countries such as the USA and Canada (and in due course, no doubt, the UK) were explored with admirable clarity by Jemima Stratford QC and Graham Smith in this recent seminar. See, to similar effect, para 118 of last week’s House of Lords EU Committee Report.
This important judgment is bound to feature in law exams across Europe this summer. If I were setting a question, it would be this one:
“Lives are ruined by crime, not by the properly safeguarded use of general data retention to fight crime. Discuss.”
That question will continue to be debated in many forms and for many years. It is to be hoped that those debates will generate light as well as heat. For this to happen, the participants – legislators, courts, NGOs, academics and students – need to avoid trading prejudices, and instead make productive use of the increasing evidence base relating to both the harm and the utility of bulk data retention.
[amended 23 Dec 2016, 2300]
STOP PRESS [14 June, corrected 16 June]
I have just heard that in June 2017, the Investigatory Powers Tribunal in a different case (chaired by Burton J, with Mitting J and three others on the panel) stated orally its intention of making a further reference to the CJEU in order to seek clarification of the Watson/Davis judgment. A hearing was fixed for late July for the purpose of finalising the questions. It remains to be seen what those questions will be, and how they will be disposed of by the CJEU.