The CJEU's recent decision in the Tele2/Watson case contains very interesting guidance on the rules around the retention of communications data and the safeguards that must be in place to protect it. It may also call the viability of the new Investigatory Powers Act into question.
The key issue in the case was whether legislation in Sweden and the UK, which imposed an obligation on public communications providers to retain traffic and location data, was compatible with EU law. The UK legislation (i.e. s.1 of the now expired DRIPA 2014) required public telecommunications operators to retain all such communications data for a maximum of 12 months where required to do so by the Secretary of State.
The CJEU gave guidance on the aspects of national legislation that would be deemed unlawful under EU law. Here are the most important takeaways from the judgment:
1. The intrusiveness of traffic and location data
The CJEU held that traffic and location data was liable to allow "very precise conclusions" to be drawn about the private lives of the persons, including their everyday habits, their permanent or temporary residence, daily movements, the activities carried out, their social relationships and social environments, which, in part, can establish a profile of the person concerned.
The Court emphasized that traffic data was "no less sensitive… than the actual content of communications" and that the interference posed by such legislation was thus "particularly serious".
2. The purpose for retention must be limited to fighting serious crime
The CJEU made clear that only the objective of fighting serious crime is capable of justifying such a serious interference. No other objectives are permissible.
3. Retention must be targeted to what is "strictly necessary" to fight serious crime
The CJEU stated that even the objective of fighting serious crime cannot itself justify the "general and indiscriminate" retention of data. However, the Court made clear that "targeted" retention of data for the purpose of fighting serious crime was justified, provided that such retention of data is limited – with respect to the categories of data to be retained, the means of communications affected, the persons concerned and the retention period adopted – to what is "strictly necessary".
The Court stated that as a general rule, access can only be granted to data about individuals actually suspected of or implicated in a serious crime. However, in particular situations, like terrorism investigations, access to the data of others might be granted where there is objective evidence to deduce that it might make an "effective contribution" to combating such activities.
4. Access to the data must be subject to prior review by a court or independent authority
The CJEU further stated that it is "essential" that access to retained data should, except in cases of clear urgency, be subject to prior review by either a court or an independent body.
5. Data subjects must be informed as soon as possible
The CJEU commented that the fact that the data is retained without the users being informed of the fact was likely to cause people to feel that "their private lives were the subject of constant surveillance".
To counteract this, the Court stated that the national authorities (to whom access to retained data has been granted), must notify the persons affected as soon as such notice is no longer liable to jeopardize the investigation. This would enable individuals to exercise their right to a legal remedy where their rights have been infringed.
6. Retained data must stay within the EU
Given the quantity of retained data, the sensitivity of the data and the risk of unlawful access to it, the CJEU held that national legislation must make provision for the data to be retained within the EU and for the irreversible destruction of the data at the end of the retention period.
Although the CJEU gave the guidance above, it did not make findings in relation to the Swedish and UK legislation in question. It is now down to the domestic courts to rule on the actual lawfulness of the specific legislation – though, given the guidance above, the inevitable answer must be that DRIPA is incompatible with EU law.
… so what is to become of the new Investigatory Powers Act 2016?
With DRIPA 2014 having already expired at the end of 2016, you'd be forgiven for thinking that the guidance in this case is now all moot. However, this judgment now has potentially major ramifications for the Investigatory Powers Act 2016 (IPA), the new UK legislation that came into force on 30 December 2016 to replace DRIPA.
It is clear that many aspects of the new IPA still fall short of satisfying the CJEU's criteria above. Here are some of the reasons:
- The purposes of retention are not limited to "fighting serious crime": The warrants and notices under the IPA can be granted on various non-crime related grounds, including to safeguard the economic well-being of the UK, in the interests of public safety, public health, to collect taxes or other government levies, to prevent death, injury or damage to health, to assist in the identification of a deceased person, for the regulation of financial markets, financial stability, and so on (see s.61(7)). This is much too wide a range of purposes, according to the CJEU judgment.
- Data retention is not targeted to what is "strictly necessary": Firstly, there are several categories of "bulk warrants" that can be issued under the IPA (e.g. bulk interception warrants, bulk acquisition warrants, bulk personal dataset warrants). These are inherently not targeted in nature, and do not need to be limited to particular persons/times/premises. For example, "all communications transmitted on a particular route or cable, or carried by a particular telecommunications operator could, in principle, be lawfully authorised" (see this Code of Practice, para 6.6). Secondly, even in respect of the targeted warrants, there is no express requirement that such warrants be limited to that which is strictly necessary for the permitted purposes.
- Prior independent review not required in all cases: Although many of the orders are subject to prior review by a Judicial Commissioner, there is no need for such review for "Authorisations for Obtaining Communications Data" under Part 3 of the Act. These empower numerous public authorities to obtain communications data directly from any person, telecommunications system or operator without need for independent review.
- There is no provision for informing affected individuals of any orders made
- There is no provision for keeping the retained data within the EU
Given the above, the Tele2/Watson judgment is likely to threaten the viability of many parts of the IPA, leaving the Act in an even more precarious and uncertain state. The IPA was already a controversial piece of legislation in the UK and, as a result of this judgment, it is now even more exposed to successful legal challenge.
The UK will need to consider carefully what amendments, if any, it will make to the IPA to bring it into conformity with EU law. In the meantime, electronic communications providers can expect even longer delays in the implementation of these new rules.