McGarr Solicitors act for Digital Rights Ireland.
The case of Digital Rights Ireland Limited, seeking to challenge Data Retention, reached a significant milestone on the 9th July 2013, when the case was heard before the European Court of Justice in Luxembourg.
The ECJ had received a referral from the Irish High Court, asking it to rule on the question of whether the Data Retention Directive (Directive 2006/24, to its friends) was compatible with basic EU laws.
You can read the text of the High Court’s referral on the ECJ’s website.
All parties were sent a set of questions the Court wanted addressed in Oral Submissions. You can read a copy of them here.
Below are Digital Rights Ireland’s Oral Submissions to the Court, which were delivered by Mr. Frank Callanan SC, Counsel for DRI, before the European Court of Justice. The Court was sitting in Grand Chamber.
It is our submission that the Directive is not a proportionate measure. This encompasses a submission that it is not proportionate stricto sensu. The Directive is of limited efficacy in relation to the stated purpose of the investigation detection and prosecution of serious crime. It has a deficient evidentiary basis and a lack of measures against abuse. The countervailing negative effects are immense, and entail an interference of exceptional gravity with the right to respect for private and family life under Article 7 of the Charter and the Right to Protection of Personal Data under Article 8. That interference extends to the mass surveillance of citizens of the European Union using the telephone or electronic communications services in their homes.
If the proper functioning of the internal market is the “predominant” purpose of the Directive, the interference with fundamental rights that attends it cannot be justified by reference to a completely different purpose – that of law enforcement – which the Union may not legally pursue on the basis of Article 114 TFEU.
To turn to question 1 raised by the court, the limitations on the scope of the Directive raise significant issues about its efficacy. There are moreover many ways to circumvent the retention of traffic data under the Directive, from the use of public telephone booths and prepaid cell phones to more high tech methods involving the relation to internet communication, commercial anonymisation services, and onion-routing networks. This has implications for the final stage of a proportionality analysis.
As to question 2, the emphasis placed in the Observations on the fact that the Directive does not extend to the contents of communications misses the point. It is abundantly clear the retained data encroaches upon the user’s private sphere, and is capable of facilitating the building up of a profile of the user’s private and social life, of his or her medical history, political connections, economic activities. The potential for building up profiles of individuals increases exponentially if used in combination with other information about them. The more dots that there are to join up, the more intimate and detailed the portrait of the user that can be drawn from them.
In relation to the third question raised by the Court, my client shares the view of the European Data Protection Supervisor in his Opinion on the Evaluation Report that the Directive is “the most privacy invasive instrument ever adopted by the EU in terms of scale in the number of people it effects” . It is respectfully submitted that the interference with fundamental rights involved is unjustifiable whether by reference to the aim of ensuring the proper functioning of the internal market which is the legal basis for the Directive or the purpose of the investigation detection and prosecution of serious crime.
In relation to question 4, the Commission’s 2005 Extended Impact Assessment appended to the Proposal for the Directive has a number of striking deficiencies. It is lacking in analytical rigour and does not provide an empirical basis for the Directive. It appears a priori in favour of data retention conceived in opposition to data retention. In paragraph 4.1 it identified data retention as the single viable option without considering how this might be combined in a less privacy intrusive manner with measures of data preservation. In its own terms, having regard to the limited evidence it cites in relation to how far back data requests went – it states that the investigation into the Madrid bombings relied heavily on traffic data going back three to six months – the Commission “pushed the boat out” in proposing retention periods of one year for telephony data and six months for “internet” data which it candidly justified as “the most acceptable compromise between the different interests at stake”. It states at 4.3.1 that those periods would allow operators to respond successfully to almost all data requests received. The Directive in Article 6 went far beyond even this period in providing for retention for periods of not less than six months and not more than two years from the date of the communication, quite apart from the possibility on extension of the retention periods under Article 12.
In relation to the fact that it is easy to circumvent data retention controls the response of the Impact Assessment seems insufficient and anecdotal. The treatment of the question of fundamental rights is peremptory and declaratory. There is nothing approaching a sustained proportionality analysis.
The Commission’s Impact Assessment is largely comprised of unsupported assertion mostly going towards the uncontroversial proposition the telecommunications data can be useful in the investigation and prosecution of crime. One has to conclude that the European Union legislature did not have objective criteria to justify the adoption of the Directive and relied on the unsupported assertions of the law enforcement authorities of member states and on an empirical basis that was both fragmentary and lacking in transparency.
In relation to question 4(d), it is submitted that looking at the 2011 Evaluation Report of the Commission it is clear there are no statistics from which it can be deduced that the data retention directive has established either an improvement in the detection and prosecution of serious offences or a fortiori the nature or extent of any such improvement. There is no basis advanced for the statement that “overall the evaluation has demonstrated that data retention is a valuable tool for criminal justice systems and for law enforcement in the EU”. The empirical data is patchy and crude and is insufficient to stand up the assertion at paragraph 5.4 that “retained data is integral to criminal investigation and prosecution in the EU”.
As to question 5, the indiscriminate retention of traffic data of users of telecommunications networks requires a high level of justification, and a rigorous analysis of the proportionality of the measure falls to be made.
The Directive may pass the first stage of a proportionality text of suitability or appropriateness. It is manifestly not necessary in the sense that there is no other option less restrictive by which the aim could be achieved. It is also disproportionate stricto sensu in that the means employed went beyond the aim sought to be achieved. Even if the Directive was to be considered suitable and necessary, the burden placed on civil society is wholly disproportionate to the limited benefits achieved.
The benefits have not been demonstrated. The countervailing negative effects are massive and entail an actual (rather than potential) interference of a drastic kind with the right to respect for private and family life under Article 7 of the Charter, and the right to protection of personal data under Article 8. That interference extends to the monitoring of citizen’s behaviour in the home.
The decision of this court in Schecke & Eifert which enunciates a text of strict necessity establishes it was incumbent on the institutions to consider whether less invasive means existed to achieve comparable results. Data preservation is dismissed at the outset rather than weighed against data retention in greatly reducing the invasion of privacy and data protection rights.
The Directive does not provide adequate and effective measures against abuse by national authorities or third parties as required by the Human Rights Court in Klass v Germany, and the retention period appears clearly excessive. Article 51(1) of the Charter which provides that any limitation on the exercise of the rights and freedoms recognised by the Charter must respect the essence of those rights and freedoms affirms the need for the application of a robust proportionality test.
The Directive also fails to meet the requirements on proportionality set in the jurisprudence of the Court of Human Rights on proportionality. In S and Marper v. United Kingdom the Court of Human Rights condemned the “blanket and indiscriminate” retention of DNA samples from all those arrested. Data retention goes much further again, targeting the entire population without any prior suspicion, and raises the concerns noted by the Court of Human Rights in MK v. France where it characterised the storage of fingerprints of the entire population as certainly excessive.
The assumption that private providers are less dangerous than the state as far as the handling of data is concerned, has been properly criticised. Moreover, the failure to make explicit provision for the prohibition of outsourcing or at the very least for the conditions under which outsourcing is to be permitted is, it is submitted, a further vitiating flaw in the Directive.
The observations [of the parties to the case supporting the Directive] place overwhelming reliance on the element of subsidiarity. It is argued that the fact that it is for member states to lay down the conditions for access to the retained data in accordance with requirements of necessity and proportionality, and to the relevant provisions of European Law and of the European Convention on Human Rights renders the Directive effectively immune from challenge. The plaintiff does not accept that this is so. In particular, it is submitted that the court cannot rely on the fact that certain obligations are devolved to the member states to take no account of the manifold risks – one might say the virtual inevitability – of the improper use or inadvertent disclosure of retained data.
This case does not arise in a juridical vacuum. Some of the Observations remarkably seem to assert or imply that there is a consensus among member states about the ends of the Directive if not the Directive itself. They are conspicuously silent about the striking fact that the German, Bulgarian, Romanian, Cypriot and Czech implementation of the Directive have been severely criticised by their supreme or constitutional courts. This is quite apart from the pending actions in other member states.
It is of course true that these judgements were directed at the particular national measures of transposition, but many of the concerns that were canvassed by those courts can be interpreted as bearing on the Directive itself. In this seminal case, in which this court is asked to pronounce on rights of the fundamental kind which bear on the democratic order, where there is a corpus of national constitutional court jurisprudence which addresses not merely the implementation of the Directive in the member states concerned, but the weight to be given to the rights that are engaged, it is appropriate for this court to take general account of those decisions.
There is a striking pattern that has emerged in these cases, in which the striking down of domestic implementation measures reflect concerns in relation to privacy and data protection problems which are inherent in the Directive itself. The national courts have sought by the application of stringent criteria for implementation to achieve a balance that the Directive fails to strike. The very significant difficulties that have been encountered within domestic legal orders in giving effect to the Directive raise obvious questions about the validity of the Directive and about the appropriateness of the model of a very generalised loose fitting law at the European level, the implementation of which is devolved entirely to member states.
The constitutional court of the Czech Republic in its judgement on the national implementing measures states that the court has doubts – doubts that are fully shared by Digital Rights Ireland – about whether the blanket and preventative retention of traffic and location data on almost all electronic communications is a necessary and appropriate tool given the intensity of its interference with the private sphere of a vast number of electronic communication users.
It is our case that the Directive also infringes Article 11 of the Charter . This arises from the general chilling effect of the retention of traffic data and has more specific aspects, for example, in relation to the protection of the confidentiality of journalist’s sources. The same arguments apply as in relation to Articles 7 and 8.