Published online by Cambridge University Press: 04 March 2019
Data retention saga – Interpretative strategy of the Court of Justice – Expansive potential of the principles set by the Court of Justice – ‘Reverse’ effet utile and conflict of competence – EU acts under threat – Domino effect on national security measures – Future scenarios – Twilight of the model of bulk data retention – Modulation of the ban on bulk data retention according to the vulnerability of data processing or depending on the prior unknowability of the threats – Divergence from the European Court of Human Rights – Legitimisation of bulk data retention
‘Equo ne credite, Teucri!
Quidquid id est, timeo Danaos et dona ferentes’
— Virgil, Aeneid, II, 48-49
PhD candidate at the Sutherland School of Law, University College Dublin; Irish Research Council Government of Ireland Postgraduate Scholar. I am grateful to those who attended the panel ‘Regulating surveillance’ at the Amsterdam Privacy Conference 2018 for their thought-provoking questions on an earlier version of this paper. I would also like to thank my supervisor, Dr T.J. McIntyre, and three anonymous reviewers for their helpful comments and suggestions.
1 Cole, M. and Boehm, F., ‘EU Data Retention – Finally Abolished?, Eight Years in Light of Article 8’, 97 Critical Quarterly for Legislation and Law (2014) p. 58 Google Scholar at p. 78.
2 ECJ 8 April 2014, Joined Cases C‐293/12 and C‐594/12, Digital Rights Ireland.
3 ECJ 21 December 2016, Joined Cases C-203/15 and C-698/15, Tele2 Sverige.
4 ECJ 2 October 2018, Case C-207/16, Ministerio Fiscal.
5 ECJ 26 July 2017, Opinion 1/15, EU-Canada PNR Agreement.
6 ECJ (pending), C-623/17, Privacy International.
7 See Herlin-Karnell, E., ‘Case C-301/06, Ireland v. Parliament and Council, Judgment of the Court (Grand Chamber) of 10 February 2009’, 46 CML Rev (2009) p. 1667 Google Scholar ; McIntyre, TJ, ‘Data Retention in Ireland: Privacy, Policy and Proportionality’, 24 CLSR (2008) p. 326 Google Scholar .
8 ECJ 10 February 2009, Case C-301/06, Ireland v Parliament and Council.
9 F. Boehm and M. Cole, ‘Data Retention after the Judgment of the’Court of Justice of the European Union’, Report to the Greens/EFA Group, 30 June 2014, <www.zar.kit.edu/DATA/veroeffentlichungen/237_237_Boehm_Cole-Data_Retention_Study-June_2014_1a1c2f6_9906a8c.pdf>, visited 1 February 2019.
10 Nascimbene, B., ‘European Judicial Cooperation in Criminal Matters: What Protection for Individuals under the Lisbon Treaty?’, 10 ERA Forum (2009) p. 397 CrossRefGoogle Scholar .
11 See S. Poli, ‘European Court of Justice. The Legal Basis of Internal Market Measures with a Security Dimension. Comment on Case C-301/06 of 10/02/2009, Ireland v. Parliament/Council, Nyr’, 6 EuConst (2010) p. 137; Herlin-Karnell, supra n. 7.
12 See Cole and Boehm, supra n. 1.
13 Ibid.
14 Digital Rights Ireland, supra n. 2.
15 See Tracol, X., ‘Legislative Genesis and Judicial Death of a Directive: The European Court of Justice Invalidated the Data Retention Directive (2006/24/EC) Thereby Creating a Sustained Period of Legal Uncertainty about the Validity of National Laws Which Enacted It’, 30 CLSR (2014) p. 736 Google Scholar .
16 Digital Rights Ireland, supra n. 2, para. 37.
17 Kühling, J. and Heitzer, S., ‘Returning through the National Back Door? The Future of Data Retention after the ECJ Judgment on Directive 2006/24 in the UK and Elsewhere’, 40 European Law Review (2015) p. 263 Google Scholar at p. 264.
18 Digital Rights Ireland, supra n. 2, paras. 58-59.
19 Ibid., para. 60.
20 Ibid., paras. 61-62.
21 Ibid., paras. 63-64.
22 Ibid., paras. 66-68.
23 See, e.g., Granger, M.-P. and Irion, K., ‘The Court of Justice and the Data Retention Directive in Digital Rights Ireland: Telling off the EU Legislator and Teaching a Lesson in Privacy and Data Protection’, 39 European Law Review (2014) p. 835 Google Scholar .
24 Kühling and Heitzer, supra n. 17, p. 274.
25 Ireland v Parliament and Council, supra n. 8, para. 83.
26 Ibid., paras. 34-35.
27 See Directive 2006/24/EC, Recital (25).
28 See Secretary of State for the Home Department v Davis MP & Ors [2015] EWCA Civ 1185, paras. 101-103.
29 See ibid., paras. 48 and 65.
30 Digital Rights Ireland, supra n. 2, paras. 56-59.
31 This was the position of the court of first instance in the Davis case. See Secretary of State v Davis, supra n. 41, paras. 48 and 65.
32 For a comprehensive account, see Kühling and Heitzer, supra n. 17.
33 Tele2 Sverige, supra n. 3.
34 ECJ 6 October 2015, Case C-362/14, Schrems.
35 Schrems, supra n. 34, paras. 91-94.
36 Art. 267 TFEU; see P. Craig and G. de Búrca, EU Law: Text, Cases, and Materials (Oxford University Press 2015).
37 Art. 51(1) CFR literally reads: ‘The provisions of the Charter are addressed to […] the Member States only when they are implementing Union law’ (emphasis added). However, the Court of Justice in its case law has tended to broaden the scope of this provision, generally talking of member states’ legislation ‘within the scope of EU law’. See ECJ 26 February 2013, Case C-617/10, Åkerberg Fransson; Fontanelli, F., ‘Hic Sunt Nationes: The Elusive Limits of the EU Charter and the German Constitutional Watchdog: Court of Justice of the European Union: Judgment of 26 February 2013, Case C-617/10 Åklagaren v. Hans Åkerberg Fransson’, 9 EuConst (2013) p. 315 Google Scholar . For a general overview, see also Craig and de Búrca, supra n. 36, p. 410-419.
38 Tele2 Sverige, supra n. 3, para. 64 ff.
39 In January 2017, the European Commission issued a proposal for a new regulation on the protection of personal data in electronic communications aiming to repeal the current ePrivacy Directive. Art. 11 of the proposed regulation reflects the terms of Art. 15 of the ePrivacy Directive.
40 See ECJ 18 June 1991, Case C-260/89, ERT; Craig and de Búrca, supra n. 36, p. 413-414.
41 Tele2 Sverige, supra n. 3, para. 92 ff. Cf Opinion of AG Villalón, ECJ 12 December 2013, Joined Cases C‐293/12 and C‐594/12, Digital Rights Ireland, point 52.
42 Tele2 Sverige, supra n. 3, paras. 92-93; see Tracol, X., ‘The Judgment of the Grand Chamber Dated 21 December 2016 in the Two Joint Tele2 Sverige and Watson Cases: The Need for a Harmonised Legal Framework on the Retention of Data at EU Level’, 33 CLSR (2017) p. 541 Google Scholar .
43 Tele2 Sverige, supra n. 3, para. 101; cf Digital Rights Ireland, supra n. 2, para. 39.
44 Tele2 Sverige, supra n. 3, para. 102; cf Digital Rights Ireland, supra n. 2, para. 44.
45 Tele2 Sverige, supra n. 3, paras. 103 and 108; cf Digital Rights Ireland, supra n. 2, para. 57.
46 For example, the Court prefers to talk about the circumstances in which electronic communication service providers should grant competent authorities access to retained data, instead of saying when competent authorities should have the power to access data; see, e.g., Tele2 Sverige, supra n. 3, paras. 118-119.
47 Tele2 Sverige, supra n. 3, para. 121.
48 Ministerio Fiscal, supra n. 4.
49 Ibid., para. 27.
50 Ibid., para. 26.
51 Ibid., paras. 29-30. Cf Ireland v Parliament and Council, supra n. 8.
52 Opinion of AG Saugmandsgaard Øe, ECJ 3 May 2018, Case C-207/16, Ministerio Fiscal, point 47.
53 Ministerio Fiscal, supra n. 4, para. 34; see Tele2 Sverige, supra n. 3, paras. 72-74.
54 Ministerio Fiscal, supra n. 4, para. 53.
55 Ibid., paras. 55-56.
56 Ibid., paras. 59-60.
57 For an accurate and comprehensive analysis of these measures, see Boehm and Cole, supra n. 9.
58 Opinion 1/15, supra n. 5.
59 See ibid., para. 14 ff.
60 For an accurate and comprehensive analysis of Opinion 1/15, see M. Cole and T. Quintel, ‘Data Retention under the Proposal for an EU Entry/Exit System (EES). Analysis of the impact on and limitations for the EES by Opinion 1/15 on the EU/Canada PNR Agreement of the Court of Justice of the European Union’, Legal opinion for The Greens/EFA Group, October 2017, <hdl.handle.net/10993/35446>, visited 1 February 2019.
61 Opinion 1/15, supra n. 5, para. 150.
62 Ibid., para. 164 ff.
63 Ibid., para. 190 ff.
64 Privacy International, supra n. 6.
65 Secretary of State for the Home Department v Watson & Ors [2018] EWCA Civ 70, para. 7.
66 Ibid., para. 9.
67 See, e.g., ibid., paras. 21 and 26.
68 See, e.g., ibid., paras. 12, 19, 21, 26(3).
69 See <www.ipt-uk.com/default.asp>, visited 1 February 2019.
70 Privacy International v Secretary of State for Foreign and Commonwealth Affairs & Ors [18 October 2017] IPT/15/110/CH (UK IPT). The links to all the relevant judgments of the Investigatory Powers Tribunal on this case can be found at <www.ipt-uk.com/judgments.asp?id=41>, visited 1 February 2019.
71 Ibid., para. 20.
72 See, respectively, Privacy International v Secretary of State, supra n. 70, paras. 35 and para. 46 as well as Privacy International v Secretary of State for Foreign and Commonwealth Affairs & Ors [17 October 2016] IPT/15/110/CH (UK IPT).
73 Privacy International, supra n. 6.
74 See text to n. 45 supra.
75 See text to n. 31 supra.
76 Opinion 1/15, supra n. 5, paras. 168 ff. and 186 ff.
77 Ibid., para. 187.
78 Ibid., para. 196 ff.
79 Cf the view taken in ECtHR 12 January 2016, Application No. 37138/14, Szabó and Vissy v Hungary, paras. 18-20.
80 Privacy International v Secretary of State, supra n. 72, paras. 8 ff. and 56.
81 See ibid., para. 14.
82 Tele2 Sverige, supra n. 3, para. 59.
83 Secretary of State v Davis, supra n. 28, para. 112.
84 Tele2 Sverige, supra n. 3, para. 129.
85 Ibid., paras. 130-132.
86 Cole, M. and Vandendriessche, A., ‘From Digital Rights Ireland and Schrems in Luxembourg to Zakharov and Szabó/Vissy in Strasbourg: What the ECtHR Made of the Deep Pass by the CJEU in the Recent Cases on Mass Surveillance’, 2 Europran Data Protection Law Review (2016) p. 121; cf CrossRefGoogle Scholar Breyer, P., ‘Telecommunications Data Retention and Human Rights: The Compatibility of Blanket Traffic Data Retention with the ECHR’, 11 European Law Journal (2005) p. 365 CrossRefGoogle Scholar .
87 See Digital Rights Ireland, supra n. 2, paras. 35, 54-55; Tele2 Sverige, supra n. 3, paras. 119-120.
88 ECtHR 4 December 2015, Application No. 47143/06, Zakharov v Russia.
89 Szabó v Hungary, supra n. 79.
90 Zakharov v Russia, supra n. 88, paras. 228-236; see Szabó v Hungary, supra n. 79, para. 56.
91 ECtHR 4 December 2008, Application Nos. 30562/04 and 30566/04, S and Marper v UK, especially paras. 99, 103, 119. See Boehm and Cole, supra n. 9.
92 ECtHR 19 June 2018, Application No. 35252/08, Centrum för rättvisa v Sweden.
93 Ibid., para. 7.
94 Ibid., para 112. See M. Dawson, The Governance of EU Fundamental Rights (Cambridge University Press 2017).
95 Centrum för rättvisa v Sweden, supra n. 92, paras. 113 and 118 ff.
96 ECtHR 13 September 2018, Application Nos. 58170/13, 62322/14 and 24960/15, Big Brother Watch and Others v United Kingdom.
97 Ibid., paras. 314-316.
98 Ibid., para. 316. Cf Tele2 Sverige, supra n. 3, paras. 119-121.
99 Big Brother Watch v UK, supra n. 96, paras. 466-467.
100 See text to n. 80 supra.
101 Szabó v Hungary, supra n. 79, para. 20.
102 Big Brother Watch v UK, supra n. 96, para. 316.
103 Beyond the Privacy International preliminary reference, there are other cases pending before both courts. See ECJ (pending), Case C-512/18, French Data Network and Others; ECtHR (pending), Application Nos. 49526/15, 49615/15, 49616/15, 49617/15, 49618/15, 49619/15, 49620/15, 49621/15, 55058/15, 55061/15, 59602/15 and 59621/15, Association confraternelle de la presse judiciaire v France and 11 other applications; ECtHR (pending), Application No. 3599/10, Tretter and Others v Austria; ECtHR (pending), Application No. 50001/12, Breyer v Germany.