Minutes from EU Court of Justice on #DataRetention
On 19th July 2016, Advocate General Øe Saugmandsgaard will present the Court of Justice of the European Union (CJEU) his opinion in the joined cases C-203/15 and C-698/15,Tele2 Sverige and Davis and Others. They concern the validity of national laws in Sweden and the UK for the retention of telecommunications data under EU law and the EU Charter of Fundamental Rights. This is a very relevant question, since the Court invalidated the EU Data retention directive in 2014.
To see what is to be expected, it is helpful to know what happened at the oral hearing on 5th April 2016. Our legal trainee Antonia Latsch attended the hearing (which is public, but not streamed or recorded). She live-tweeted from there, and has allowed me to re-publish her tweets in chronological order here. I have done minor editing to clean up the language, correct typos, etc. So here we go:
Court is in session
Judgement first, hearing about to start
Hearing started. Johansson addressing question of what constitutes electronic processing of personal data
Tele2 Lawyer Johansson: Law needs to be proportional to what is strictly necessary for the concrete objectives
Tele2: legislation needs to limit access of data, only to fight serious crimes & subject to ex ante court control
Tele2: Swedish data collection law is not limited to serious crimes, nor does it grant ex ante court control
Watson/Davis Lawyer: The United Kingdom does not provide sufficient safeguards for personal data collection
Davis/Watson: Minimum safeguards need to be in place to protect personal data to prevent abuse
Davis: Court should give guidance to what necessary safeguards are, UK does not meet the safeguards
Davis: UK allows collection of data for purposes that are not in regards to suspected crimes, constitutes breach of Art. 51
Brice: authorization and purpose for what it is granted for are connected; intrusiveness needs to meet seriousness of crime
Brice: Authorization to access to data must me be granted by structural independent body
Brice: purpose of law is only in case of serious crimes. Domestic legislation goes way beyond, including tax purposes
Open Rights Group: Case is of global significance, challenging the courts position on personal data protection
ORG/Privacy International: states need to be able to prevent passing of data to states that don't comply with EU privacy law
PI: Art. 15 e-privacy directive is lex specialis, it does not allow for the individual to be completely stripped of their privacy rights
Law Society: Limitation by independent authorization for the kind of data that can be stored is missing
Sweden: general obligation to keep data can be proportional for very important measures
Sweden: not all access to general data needs to be directly related to a serious crime, but be strictly necessary
Sweden: investigations have shown that it is impossible to limit retention of data prior for measurements to be effective
Sweden: possibility of rapid decisions is necessary for effectiveness, therefore outside review is unpractical
UK: Law requires commercial service providers to keep the data, not authorities
UK: We cannot know in advance what data is necessary and valuable
UK: in matters concerning national security, member states must make assessments of what is necessary and proportionate
UK: objective requirements for necessity of the taken measurements are different from specific rules laid out by the court
UK: it should be up to national courts to check that specific requirements and set standards are met
Czech: important how domestic law allows access and safety of data, if safeguards are in place, it is not disproportionate
Czech: "We live in troubled times, do we really want to constrain the member states in this way?"
Denmark: data retention must be general to be effective as a crime fighting tool
Denmark: Rules on access to and retention of date go hand in hand and can not be separated
Denmark: proportionality test strikes the right balance, provided it gives clear and precise rules/guarantees of protection
Denmark: approach to data retention should be all or nothing
Denmark: no reason to assess these national measures more stringent than other national measures
Germany: active passing of data by private sector allows government access, this must be compatible with fundamental rights
Germany: objective safeguard criteria can be sufficient, therefore concrete implementation determines if law is proportionate
Antonia Latsch re-tweeted @TetsuwanAstro:
Germany: Data protection guarantees should be assessed as a whole, access AND retention rules together
Estonia: We consider it necessary in the fight against terrorism to collect data of all people
Estonia: Saving someone's life and effectively fighting crime is worth allowing government's intervention
Ireland: access of data is not directly governed by EU law
Ireland: court is providing guidance for interpretation of EU law to national courts
Ireland: member states must be given discretion on how to provide proportional measures
Ireland: access of data is not directly governed by EU law
Antonia Latsch re-tweeted @JanAlbrecht
Jan Philipp Albrecht quoted Antonia Latsch:
Rubbish. The ePrivacy Directive regulates use of personal telecom data, therefore governed by EU law.
Ireland: access of data is not directly governed by EU lawIreland: Diversity of different member states needs to be respected by the court#dataretention
Spain: The burden that data retention puts on the internal market and private actors should not be underestimate
Spain: The upholding of fundamental rights must be the upper limit to granted discretion
Spain: General data retention cannot be seen as an indispensable measure taken by all means
France: Data can be used for prosecution as well for proof of innocence. It is impossible to know in advance what is needed.
France: French government finds the retention period of 1 year for data absolutely necessary to combat crime and terrorism
European Commission: Interference must be proportional as well as respect the essence of the interfered right
Finland: Connection between retention and use means that retention can only be justified if the later use is also justified
Finland: Practical reasons necessitate a system of universal retention of data that can be compensated by limitation
European Commission: procedural safeguards in their entirety need to be assessed to their efficiency
after questioned by Judge Rapporteur von Danwitz, Tele2: about 10.000 data request have been made to tele2. No overall statistic available
von Danwitz to UK: Does DRIPA enable public authority to collect data from persons outside of the UK?
UK: Scope of data retention of DRIPA applies to all data generated and processed in the UK
v. Danwitz:"how far are we taking this logic that we don't know who will be a criminal tomorrow and therefore need all data?"
v. Danwitz: "Isn't there always something more effective and also more intrusive? Where do we stop?"
Advoc. General Saugmandsgaard to UK: can you be more precise to when general retention is indispensable?
UK: retention of general data is vital to prevent terrorism and preventing crime but also for protecting people in general
Advoc. General to Tele2: Are Swedish authority demanding you to secure data you would otherwise not acquire?
Tele2: No, its data that is there, but would not be kept and deleted at once.
Advoc. General to Sweden: Is there information about the misuse of this data retention?
Germany: data retention is not useful if limited to specific geographical locations
Sweden: The chancellor of the data protection agency must be informed of mistakes; here ex-post control is more efficient
Tele2: All retention of data carries a risk of misuse, member states should look closely at what is stored and for how long
Davis: Case regards the lack of safeguards. Access to data takes place in secret; high demands cannot be monitored adequately
Davis: Although individuals can, it's unlikely they will bring a complaint if they don't know their information was accessed
Sweden: if data retention is to be an effective measure in fighting crime it needs to be general by nature
Session is closed. Advocate General opinion will be delivered on the 19th of July 2016.