On 21 December 2017, the Court of Justice (Grand Chamber) delivered its much awaited judgment in joined cases C-203/15 and C-698/15, that follows up to the landmark Digital Rights Ireland ruling.
Two requests for preliminary rulings weremade by a Swedish and British court concerning the interpretation of Article15(1) of Directive 2002/58/EC on privacy and electronic communications (the “ePrivacyDirective”), read in the light of the Charter.
With respect to case C-203/15, following the Digital Rights Ireland judgment, Tele2 Sverige, a provider of electronic communications established in Sweden, informed the Swedish competent authority that it would no longer comply with the Swedish national data retention obligations as it considered those obligations were not in line with the Court’s ruling. The competent Swedish authority notified Tele2 Sverige that it was in breach of its obligations under national legislation and ordered Tele2 Sverige to resume the retention of that data. Tele2 Sverige appealed this order before the Administrative Court in Stockholm and subsequently before the Administrative Court of Appeal, which referred the matter for a preliminary ruling to the Court.
In case C-698/15, Mr Watson, Mr Brice and Mr Lewis each brought actions challenging the UK rules on the retention of data. By judgment of 17July 2015, theHigh Court of Justice of England and Wales held that the Digital Rights judgment laid down ‘mandatory requirements of EU law’ applicable to the legislation of Member States on the retention of communications data and access to such data. It consequently declared Section 1 of the Data Retention and Investigatory Powers Act 2014 incompatible with EU law. The Secretary of State for the Home Department brought an appeal against that judgment before the Court of Appeal, which referred two questions to the Court on the effects of the Digital Rights judgment.
The Court first examined whether national legislation on the retention and access to data by national authorities for the purpose of combating crime fell within the scope of the ePrivacy Directive. In light of the general structure and objectives of the Directive, the Court held that Article 15(1) necessarily presupposes that the national measures referred to therein, such as those relating to the retention of data for the purpose of combating crime, fall within the scope of that Directive (paras. 67-73). The scope of the Directive extends to legislative measures relating to access by national authorities to the data retained by the providers of electronic communications services. The protection of the confidentiality of electronic communications and related traffic data, guaranteed by the Directive, applies to the measures taken by all persons other than users, whether by private persons or bodies or by State bodies.(paras. 74-77). National legislation such as that at issue in the main proceedings therefore falls within the scope of the ePrivacy Directive (para. 81).
The Court then examined the compatibility with EU law of general and indiscriminate data retention. The Court first observed that the ePrivacy Directive notably aims at offering to the users of electronic communications services protection against risks to their personal data and privacy that arise from new technology and the increasing capacity for automated storage and processing of data (paras. 82-83). It acknowledged that Article 15(1) of the ePrivacy Directive enables the Member States to introduce exceptions to the obligation of principle, laid down in Article5(1) of that directive, to ensure the confidentiality of communications and related traffic data, and to the corresponding obligations, referred to in Articles 6 and 9 of that Directive, but it stressed that this provision must be interpreted strictly (paras. 88-89). In addition, it stressed that this provision must be interpreted in light of fundamental rights guaranteed by the Charter, in particular the right to privacy (Article 7),the right to protection of personal data(Article 8) and freedom of expression(Article 11) and that due regard must be given in this context to the principle of proportionality (paras. 91-96). The Court observed that the national legislation at issue in the main proceedings provides fora general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication, and that it imposes on providers of electronic communications services (para.97).It considered the interference entailed by such legislation in the fundamental rights enshrined in Articles 7 and 8 of the Charter to be particularly serious (para.100). The Court opined that although the effectiveness of the fight against serious crime may depend to a great extent on the use of modern investigative techniques, this objective cannot in itself justify the finding that general and indiscriminate data retention legislation is necessary to fight against crime (para.103). It noted in particular that such legislation applies to persons for whom there is no evidence capable of suggesting that their conduct might have a link, even an indirect or remote one, with serious criminal offences and provides for no exceptions for those whose communications are subject to professional secrecy (para. 105). In light of these considerations, the Court concluded that national legislation such as that at issue in the main proceedings exceeds the limits of what is strictly necessary and cannot be considered to be justified, within a democratic society, as required by Article15(1) of the ePrivacy Directive, read in the light of the Charter (para. 107).
Nevertheless, the Court specified that Article 15(1), read in light of the Charter, does not prevent a Member State from introducing legislation that would permit, as a preventive measure, the targeted retention of traffic and location data for the purpose of fighting serious crime. Such legislation must however be limited to what is strictly necessary in terms of the categories of data retained, the means of communication affected, the persons concerned and the retention period adopted (para.108). In order to satisfy such requirements, any national legislation to that effect must lay down clear and precise rules governing the scope and application of such a data retention measure and imposing minimum safeguards, so that the persons whose data has been retained have sufficient guarantees of the effective protection of their personal data against the risk of misuse. That legislation must, in particular, indicate in what circumstances and under which conditions a data retention measure may, as a preventive measure, be adopted, thereby ensuring that such a measure is limited to what is strictly necessary (para. 109).
The Court then examined the issues of data access and data security. With respect to the issue of access by competent national authorities to retained data, the Court stressed that, in the area of prevention, investigation, detection and prosecution of criminal offences, only the objective of fighting serious crime is capable of justifying such access (para.115). In addition, in order to ensure that access by the competent national authorities to retained data is limited to what is strictly necessary, national legislation must set out clear and precise rules indicating when and how competent national authorities should be granted access to such data (paras.118-119). To ensure that such conditions are fully respected, the Court stressed that access to retained data should, as a general rule, be subject to prior review by a court or an independent administrative authority, and that the competent national authorities to whom access is granted must notify the persons affected as soon as such notification would no longer risk to jeopardise the investigations (paras.120-121). On the issue of data security, the Court found that Article 15(1) does not allow Member States to derogate from the Directive’s data security provisions, which require providers to take appropriate technical and organisational measures to ensure the effective protection of retained data. In particular, national legislation must provide for the data to be retained within the EU and for the irreversible destruction of the data at the end of the data retention period (para.122). In accordance with Article 8(3) of the Charter, Member States are also required to ensure that an independent authority reviews compliance with EU law (para.123).
Finally, in relation to the question referred by the British Court of Appeal as to whether, in the Digital Rights judgment, the Court interpreted Articles 7 and/or 8 of the Charter in such a way as to expand the scope conferred on Article 8 ECHR by the European Court of Human Rights, the Court observed that this question is not such as to affect the interpretation of the ePrivacy Directive, read in the light of the Charter, which is the matter in dispute in the main proceedings (para.131). It therefore considered this question to be inadmissible. It nevertheless specified that Article 52(3) does not preclude Union law from providing protection that is more extensive than the ECHR and that Article8 of the Charter concerns a fundamental right which is distinct from that enshrined in Article 7 of the Charter and which has no equivalent in the ECHR (para.129).
Case Number Joined Cases C-203/15 and C-698/15
Name of the parties Tele2 Sverige
Date of the judgement 2016-12-21
Court Court of Justice of the EU (Grand Chamber)