In the joined cases C-203/15 (Tele2 Sverige AB v Post- och Telestyrelsen) and C-698 (Secretary of State for Home Department v Tom Watson and Others) of 21 December (the Joined Cases), the ECJ decided a request for preliminary ruling from the Swedish Administrative Court of Appeal (Kammarrätten), and from the Court of Appeal (England & Wales) (Civil Division) (United Kingdom). Both cases concerned the interpretation of Article 15 (1) of Directive 2002/58/EC (paras. 1-2).
On 9 April 2014, Tele2 Sverige, a Swedish provider of electronic communication services, informed the Post- och Telestyrelsen (PTS) (Swedish Post and Telecom Authority) that, having regard to the judgment in the Digital Rights Ireland and Others case (C-293/12 and C-594/12) which invalidated Directive 2006/24, it would stop to store electronic communications data. The reason for this was that, as a consequence of the Digital Rights judgment, Tele2 believed it was no longer obliged to do so under the Swedish national law (Lag [2003:389] om elektronisk kommunikation, or LEK), which implemented the now invalid Directive. On 29 April 2014, the Swedish Minister of Justice appointed a special reporter to examine the Swedish legislation at issue in the light of the Digital Rights judgment. The conclusion of the Report was that Swedish law was not incompatible with either EU law or the European Convention on Human Right (ECHR). As a consequence, the PTS informed Tele2 Sverige that it was in breach of its obligations under LEK, and ordered them to start retaining that data. Tele2 on the other hand, believed the Report was based on a misinterpretation of the Digital Rights judgment, and that the obligation under LEK was in breach of the fundamental rights guaranteed by the EU Charter of Fundamental Rights (the Charter). Therefore, Tele2 Sverige brought an action against the order of the PTS before the Administrative Court (paras. 44-48).
In the case Secretary of State for Home Department v. Tom Watson and Others, the applicants brought applications for judicial review of the lawfulness of the data retention regime in Section 1 of the Data Retention and Investigatory Powers Act of 2014 (DRIPA). They claimed that Section 1 DRIPA was incompatible with Articles 7 and 8 of the Charter and Article 8 of the ECHR. The High Court of Justice stated, on 17 July 2015, that the regime was conflicting with EU law because it did not satisfy the conditions laid down in the Digital Rights judgment. According to the Court, the Digital Rights judgment stated that ”mandatory requirements of EU law” are applicable to the Member States legislation on the retention of communications data and access to data. The National Court also stated that national legislation that contained same provisions as Directive 2006/24, which was held to be conflicting with the principle of proportionality, could not be compatible with that principle. Furthermore, the Court stated that Section 1 DRIPA is not compatible with Articles 7 and 8 of the Charter because it does not state how to get access to and use retained data. Later, the Secretary of State for the Home Department brought an action against that judgment before the referring court (paras. 52-58).
To summarise, the referring national courts requested a preliminary ruling, under Article 267 TFEU, on the following questions:
- Must Article 15 (1) of Directive 2002/58, read in the light of Articles 7, 8 and 52 (1) of the Charter, be interpreted as precluding national legislation that provides for, the purpose of fighting crime, general and indiscriminate retention of all traffic and location data of all subscribers and registered users with respect to all means of electronic communications? (paras. 51, 59 and 62)
- Must Article 15 (1) of Directive 2002/58, read in the light of Articles 7, 8 and 52 (1) of the Charter, be interpreted as precluding national legislation governing the protection and security of traffic and location data, and more particularly, the access of the competent national authorities to retained data, where that legislation does not restrict that access solely to the objective of fighting serious crime, where that access is not subject to prior review by a court or an independent administrative authority, and where there is no requirement that data concerned should be retained within the EU? (paras. 51, 59 and 114)
Decision and reasoning
On 21 December 2016, the ECJ (Grand Chamber) announced its ruling in the Joined Cases. Firstly, the Court examined whether national legislation falls within the scope of EU law (para. 64). Furthermore, the Court examined the general structure of Directive 2002/58 and argued that the legislative measures mentioned in Article 15 (1) of Directive 2002/58 concerns activities of state authorities and not individuals (para. 72). It concluded that Article 15 (1) together with Article 3 in the directive shall be seen as legislative measures that fall within the scope of that directive (para. 74).
The ECJ found that Article 15 (1) of Directive 2002/58 must be interpreted strictly, since it enables the Member States to provide for exemptions to the obligation to ensure the confidentiality of personal data (paras. 88–89). But, this does not prevent a Member State from adopting legislation permitting targeted retention of traffic and location data for the purpose of fighting serious crime, provided that the retention of data is limited to what is strictly necessary (para. 108). To satisfy this requirement, the Court stated that national legislation must lay down clear and precise rules governing the scope and application of data retention and impose minimum safeguards to guarantee effective protection of the retained data (para 109). In short, the Court found that Article 15 (1), read in the light of Articles 7, 8 and 52 (1) of the Charter precludes national legislation which provides for general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication (para. 112).
The ECJ also found that Article 15 (1) must be interpreted as precluding national legislation governing the protection and security of traffic and location data, and access of competent national authorities to the retained data, unless it is restricted to solely fighting serious crime and that it prescribes a requirement of prior review by a court or an independent administrative authority before granting access to the data (paras. 123 and 125). Furthermore, the competent national authorities whom access the retained data must give information to those concerned (para. 121).
The ECJ shows with this new judgment its concern to ensure respect for the Charter, in particular the rights to respect for private life and protection of personal data, also proclaimed by Article 8 of the ECHR. The jurisprudence of the ECJ, which seems to act as a protector of fundamental rights of EU citizens, remains confused on two points: the wording of the contested directive, which is contradictory, and the control of proportionality. Where is the boundary between the acceptable and the unacceptable? Where does ‘targeted retention of traffic and location data’ start and where does it end? On paper the concept seems clear, however, in the reality, it is difficult to apply.
This judgment may leave an ajar door for a possible retention of data for purposes of administrative policing, when it comes to ‘preventing a serious risk to public safety’, on the condition that very strong guarantees are ensured, namely the prior control by an independent authority (para. 123) and information to those concerned (para. 121). States will have to combine the protection of the state with respect for the privacy of its citizens. (Orla Lynskey, Tele2 Sverige AB and WATSON and AL: continuity and radical change, 12 January 2017)
The Joint Case Tele2 Sverige AB highlights several interesting aspects (Gunnar Beck, Case Comment: C-203/15 Tele2 Sverige AB v Post-och telestyrelsen and C-698/15 SSHD v Tom Watson & Others, 13 January 2017). Firstly, the Court emphasizes that the data retention provisions of the Member States have to comply with EU law. Secondly, the Court repeated its ruling in the Digital Rights judgment according to which generalized and indiscriminate surveillance is not permissible under EU law. The retained data from every phone call, text and internet connection display information about the location, time and duration of the communication. The Court highlighted a focal point when it comes to this retained data. It stated that very precise conclusions may be drawn from it with regard to the private life of the person whose data has been retained. Thirdly, the Court accepted that data can be retained under certain circumstances. For example, in case of public interest, retained data can reveal a direct or indirect link to a serious criminal offense. The Court lays down conditions for that national data retention laws which need to comply with EU law. The provisions of the national law must be clear and precise. In addition, they must indicate the circumstances and conditions in which data may be retained. Moreover, the retention must be ‘strictly necessary’.
Furthermore, in his opinion delivered on 19 July 2016, Advocate General Saugmandsgaard Øe drew the following conclusion: Article 15(1) of Directive 2002/58/EC concerning the privacy and electronic communications and Articles 7, 8 and 52 (1) of the Charter are to be interpreted as not precluding Member States from imposing on providers of electronic communications services an obligation to retain all data with regard to communications effected by the users of their services if all of the above mentioned conditions are satisfied [Opinion delivered by Advocate General S on 16 July 2016, paragraph 263].
Thus, what can we learn from this case? We believe that the Court is methodical in the sense that it is more precise in its reasoning in comparison to other decisions. It enumerates the exceptions to fundamental rights guaranteed under EU law, which must be interpreted strictly. Thereafter, the Court follows its ruling in the Digital Rights case, in which the Digital Retention Directive was declared invalid due to the fact that the EU legislation exceeded the principle of proportionality in the light of Articles 7,8 and 52 (1) of the Charter. Moreover, the Court weighs the right to data protection against the demands of public security. It then suggests that measures allowing for retaining data in some circumstances comply with the Charter.
Christofer Bjerkhoel, Nora Shoki, Anna Puck Lundgren and David Peralta