Mass surveillance has been under scrutiny yet again since the UK Court of Appeal, on 20 November 2015, asked the Court of Justice of the European Union (CJEU) to clarify whether it intended to “lay down mandatory requirements of EU law with which the national legislation of members states must comply” following its decision last year that the EU’s Data Retention Directive was unlawful. In April last year the CJEU, in the Digital Rights Ireland case, declared the Data Retention Directive invalid because it disproportionately infringed individuals’ privacy rights. For more information on this decision, please see our previous post here.
Following the CJEU’s decision, on 16 September 2015, the European Commission made it clear that the issue of whether to introduce national data retention laws is a national decision and that Member States are free to maintain their current data retention systems or set up new ones, provided that they comply with EU law. For more information on this, please see our post here.
In July last year, the UK Government enacted the Data Retention and Investigatory Powers Act (DRIPA) as temporary replacement legislation. DRIPA broadly requires internet and telephone providers to keep communications data for a year and to disclose that information to law enforcement agencies when requested.
However, Conservative MP, David Davis MP and Labour MP, Tom Watson MP opposed the new legislation and, backed by civil rights group Liberty, launched a Judicial Review. They argued that the faults with the Data Retention Directive had been repeated in DRIPA because it allows police and security services to spy on citizens without sufficient privacy safeguards.
In July this year, the High Court ruled that DRIPA was “inconsistent with European Union law” because sections 1 and 2 breached the public’s rights to protect personal data and to respect private life and communications under the EU Charter of Fundamental Rights on two grounds. First, DRIPA failed to ensure data would only be used to deal with serious crime and, second, it did not require data access to be authorised by a court or independent body, so that access could be limited to that which is strictly necessary. The High Court ordered that section 1 be disapplied, but suspended that order until 31 March 2016 to give the UK Government and Parliament time to enact new legislation. Since this ruling, the UK Government has drafted a new Investigatory Powers Bill which is intended to become law by the end of 2016 to coincide with the expiry of DRIPA.
Home Secretary Theresa May subsequently appealed the High Court’s ruling and highlighted the importance of the power to retain communications data in the fight against crime. Last week, the Court of Appeal took a different approach to the High Court decision stating that, in its provisional view, the Digital Rights Ireland case “does not lay down mandatory requirements of EU law with which national legislation must comply” at least where national access rules were concerned, and were “simply too general” to be seen as mandatory requirements of national data retention laws.
However, in light of the fact that six Member States (Austria, Slovenia, Belgium, Romania, Holland and Slovakia) have already applied the Digital Rights Ireland judgment and invalidated national data retention legislation, the Court of Appeal has referred the following questions to the CJEU.
- whether the CJEU in Digital Rights Ireland intends to lay down mandatory requirements of EU law with which the national legislation of Member States must comply; and
- whether the CJEU in Digital Rights Ireland intends to expand the effect of Articles 7 (respect for private and family life) and/or 8 (protection of personal data) of the EU Charter of Fundamental Rights beyond the effect of Article 8 of the European Court of Human Rights (ECHR) (respect for private and family life).
With regard to the second point, in Digital Rights Ireland the Court imposed a general requirement for prior judicial or independent administrative approval. This condition seems to go beyond the current ECHR case law (Kennedy v UK) in which the court concluded that judicial authorisation was desirable rather than necessary, and the current system of ministerial authorisation did not render the process non-compliant with Article 8 of the ECHR.
It’s not uncommon for cases referred to the CJEU to take some time to conclude but the Court of Appeal asked the CJEU to “look favourably on a request from this court for the expedition of a reference.” Even with the expedition that has been sought, it is questionable whether the CJEU will make a decision before the scheduled enactment of the Investigatory Powers Bill, later in 2016.
The Court of Appeal’s judgment will provide some comfort to the UK Government, which decided not the include in the Investigatory Powers Bill the full protections relating to access to communications data that the High Court had specified were required in light of the Digital Rights Ireland ruling.
Whilst we await the outcome of the CJEU hearing, internet and telephone providers should continue to comply with the provisions of DRIPA (at least until the end of March 2016) and other companies should monitor national developments in the individual Member States in which they operate.