«

»

European court rules mass surveillance of communications unlawful

scales-of-justice-gavel_4By Simon Davies

In one of the most significant civil liberties developments of recent years, the European Court of Justice has ruled that the EU Data Retention Directive  – which requires the mass collection of citizen communications data – is incompatible with the Union’s Charter of Fundamental Rights.

The controversial 2006 Directive requires communications providers to store traffic information on all their customers in case it is requested at some unforeseeable point in the future. This requirement has been ruled unconstitutional in a small minority of countries including Germany.

The ruling essentially prohibits any data retention, and limits possible law enforcement activities to case-by-case activities rather than mass retention of entire populations.

The ruling, published today, follows the opinion of an ECJ Advocate General who found in December that the Directive is “wholly”  incompatible with the right to privacy. The full Court has now ruled that the infringement on privacy was “particularly serious” and has effectively repealed the Directive.

The ECJ declared the directive invalid, saying it “entails a wide-ranging and particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data.”

“The fact that data are retained and subsequently used without the subscriber or registered user being informed is likely to generate in the persons concerned a feeling that their private lives are the subject of constant surveillance,” it said.

“Untargeted, suspicionless data retention is too broad and not limited to the absolute minimum necessary”. This position essentially rules out any data retention, and limits possible law enforcement activities to case-by-case activities rather than mass retention of entire populations.

The case follows a court action by Digital Rights Ireland against the State in 2006 that questioned the legality of Irish data-retention legislation requiring phone companies and internet service providers to gather data about customer locations, calls texts and emails, and store that information for up to two years.

TJ McIntyre, chairman of the organisation, welcomed the ECJ’s decision.

“This is the first assessment of mass surveillance by a supreme court since the Snowden revelations. The ECJ’s judgement finds that untargeted monitoring of the entire population is unacceptable in a democratic society,” he said.

Gus Hosein, executive director of Privacy International, has produced an excellent annotation summary of the judgment:

Page 14,
Content: “On  11 August  2006,  Digital  Rights  brought  an  action  before  the  High  Court  in which  it claimed  that it  owned  a  mobile  phone  which  had  been  registered  on3 June  2006  and that it  had used that  mobile phone since that date. It  challengedthe  legality  of  national  legislative  and  administrative measures  concerning  the retention  of  data  relating  to  electronic  communications  and  asked  the nationalcourt, in particular, to declare the invalidity of Directive 2006/24 and of Part 7 of the  Criminal  Justice (Terrorist  Offences)  Act  2005,  which  requires telephonecommunications  service  providers  to  retain  traffic and  location  data  relating  tothose  providers  for  a period  specified  by  law  in  order  to  prevent,  detect, investigate and prosecute crime and safeguard the security of the State.  ”

Page 18,
Content: “The  obligation,  under  Article 3  of  Directive  2006/24,  on  providers  of  publicly available electronic communications  services  or  of  public  communications networks  to  retain  the  data  listed  in Article 5  of  the directive  for  the  purpose  of making them accessible, if necessary, to the competent national authorities raises questions  relating  to  respect  for  private  life  and  communications  under  Article 7of  the Charter,  the  protection of  personal  data  under  Article 8  of  the  Charter  and respect for freedom of expression under Article 11 of the Charter.  ”

Page 18,
Content: “In  that  regard,  it  should  be  observed  that  the  data  which  providers  of  publicly available electronic communications  services  or  of  public  communications networks  must  retain,  pursuant  to Articles 3  and  5  of Directive  2006/24,  include data  necessary  to  trace  and  identify  the  source  of  a communication  and  its destination,  to  identify  the  date,  time,  duration  and  type  of  a  communication,  to identify  users’ communication  equipment,  and  to  identify  the  location  of  mobile communication equipment, data which consist, inter alia, of the name and address of  the  subscriber  or  registered  user,  the calling  telephone  number,  the number called  and  an  IP  address  for  Internet  services.  Those  data  make it  possible,  in particular, to know the identity of the person with whom a subscriber or registered user  has communicated  and  by  what  means,  and  to identify  the  time  of  the communication  as  well  as  the place  from  which  that  communication  took  place. They also  make  it  possible  to  know  the  frequency  of the  communications  of  the subscriber or registered user with certain persons during a given period.  Those data,  taken  as  a  whole,  may  allow  very  precise  conclusions  to be  drawn concerning the private lives of the persons whose data has been retained, such as the  habits  of everyday  life,  permanent  or  temporary places  of  residence,  daily  or other  movements,  the  activities  carried out,  the  social  relationships  of those persons and the social environments frequented by them.  ”

Page 18,
Content: ” it  is  not  inconceivable  that  the  retention  of  the  data  inquestion might have an effect on the use, by subscribers or registered users, of the means  of  communication  covered  by  that  directive  and, consequently,  on theirexercise of the freedom of expression guaranteed by Article 11 of the Charter.  ”

Page 18,
Content: “The retention of data for the purpose of possible access to them by the competentnational authorities, as provided for by Directive 2006/24, directly and specifically ”

Page 19,
Content: “affects  private  life  and,  consequently,  the  rights  guaranteed  by  Article 7  of  theCharter.”

Page 19,
Content: “To establish the existence of an interference with the fundamental right to privacy,it  does  not matter whether  the  information  on  the  private  lives  concerned  is sensitive or whether the persons concerned have been inconvenienced in any way ”

Page 19,
Content: “As  a  result,  the  obligation  imposed  by  Articles 3  and  6  of  Directive  2006/24  on providers  of publicly  available  electronic  communications  services  or  of  public communications networks to retain, for a certain period, data relating to a person’sprivate life and to his communications, such as those referred to in Article 5 of thedirective,  constitutes  in  itself  an  interference  with  the  rights  guaranteed  by Article 7 of the Charter.  ”

Page 19,
Content: “Furthermore,  the  access  of  the  competent  national  authorities  to  the  data constitutes  a further interference  with  that  fundamental  right ”

Page 20,
Content: “Likewise, Directive 2006/24 constitutes an interference with the fundamental right to the protection of personal data guaranteed by Article 8 of the Charter because it provides for the processing of personal data. ”

Page 20,
Content: “It  must  be  stated  that  the  interference  caused  by  Directive  2006/24  with  the fundamental rights laid down in Articles 7 and 8 of the Charter is, as the Advocate General  has  also  pointed  out,  in particular,  in paragraphs 77  and  80  of  his Opinion,  wide-ranging,  and  it  must  be  considered  to  be particularly  serious. ”

Page 20,
Content: ” the  fact  that  data  are  retained  and  subsequently  used  without  thesubscriber or registered user being informed is likely to  generate in the  minds of the persons concerned the feeling that their private lives are the subject of constantsurveillance.  ”

Page 20,
Content: “So  far  as  concerns  the  essence  of  the  fundamental  right  to  privacy  and  the  other rights laid down in Article 7 of the Charter, it must be held that, even though the retention  of  data  required  by  Directive 2006/24 constitutes  a  particularly  serious interference  with  those  rights,  it  is  not  such  as  to  adversely affect  the essence  of those rights given that, as follows from Article 1(2) of the directive, the directive does not  permit  the acquisition  of  knowledge  of  the  content  of  the  electronic communications as such. ”
Comment: Not so good.

Page 21,
Content: “It must therefore be held that the retention of data for the purpose of allowing the competent national authorities to have possible access to those data, as required byDirective 2006/24, genuinely satisfies an objective of general interest. In  those  circumstances,  it  is  necessary  to  verify  the  proportionality  of  the interference found to exist. ”

Page 22,
Content: “As regards the necessity for the retention of data required by Directive 2006/24, it must  be  held that  the fight  against  serious  crime,  in  particular  against  organised crime and terrorism, is indeed of the utmost importance in order to ensure publicsecurity and its effectiveness  may depend to a  great extent on the use  of modern investigation techniques. However, such an objective of general interest, howeverfundamental it may be, does not, in itself, justify a retention measure such as that established by Directive 2006/24 being considered to be necessary for the purpose of that fight. ”

Page 23,
Content: “As  for  the  question  of  whether  the  interference  caused  by  Directive  2006/24  is limited to what is strictly necessary, it should be observed that, in accordance with Article 3  read  in  conjunction  with Article 5(1)  of that  directive,  the  directive requires  the  retention  of  all  traffic  data  concerning  fixed telephony,  mobile telephony,  Internet  access,  Internet  e-mail  and  Internet  telephony.  It  thereforeapplies to  all  means  of electronic  communication,  the  use  of  which  is  very widespread  and  of  growing importance  in  people’s everyday  lives.  Furthermore, in  accordance  with  Article 3  of  Directive  2006/24, the  directive  covers allsubscribers  and  registered  users.  It  therefore  entails  an  interference  with  the fundamental rights of practically the entire European population.  ”

Page 23,
Content: “Directive 2006/24 affects, in a comprehensive manner, all persons using electroniccommunications services, but  without the  persons whose data are retained being,even indirectly, in a situation which is liable to give rise to criminal prosecutions.It  therefore  applies  even  to  persons  for  whom  there  is  no  evidence capable  of which is very widespread and of growing importance in people’s everyday lives. Furthermore, in accordance with Article 3 of Directive 2006/24, the directive covers all”

Page 24,
Content: “suggesting  that  their  conduct  might  have  a  link,  even  an  indirect  or  remote  one,with  serious crime. Furthermore,  it  does  not  provide  for  any  exception,  with  the result that it applies even to persons whose communications are subject, according to rules of national law, to the obligation of professional secrecy. ”

Page 24,
Content: “Moreover, whilst seeking to contribute to the fight against serious crime, Directive 2006/24  does not require  any  relationship  between  the  data  whose  retention  is provided for and a threat to public security and, in particular, it is not restricted to a  retention  in  relation  (i)  to  data  pertaining  to  a  particular time  period  and/or  a particular  geographical  zone  and/or  to  a  circle  of  particular  persons  likely  to  be involved, in one way or another, in a serious crime, or (ii) to persons who could, for  other  reasons,  contribute, by  the  retention  of  their data,  to  the  prevention, detection or prosecution of serious offences.  Secondly, not  only  is  there  a  general absence  of  limits  in  Directive  2006/24  butDirective  2006/24  also  fails  to  lay down  any  objective  criterion  by which  to determine the limits of the access of the competent national authorities to the data and  their  subsequent use  for  the  purposes  of  prevention,  detection  or  criminal prosecutions concerning offences that, in view of the extent and seriousness of the interference  with  the fundamental  rights  enshrined  in  Articles 7  and  8  of  the Charter,  may  be  considered  to  be  sufficiently serious  to  justify  such  an interference. On the contrary, Directive 2006/24 simply refers, in Article 1(1), in a general manner to serious crime, as defined by each Member State in its national law. ”

Page 24,
Content: “Furthermore,  Directive  2006/24  does  not  contain  substantive  and  procedural conditions relating  to the  access  of  the  competent  national  authorities  to  the  data and to their subsequent use. Article 4 of the directive, which governs the access of those  authorities  to  the  data  retained,  does  not expressly  provide  that that  access and  the  subsequent  use  of  the  data  in  question  must  be  strictly restricted  to  thepurpose  of preventing  and  detecting  precisely  defined  serious  offences  or  ofconducting criminal  prosecutions  relating thereto;  it  merely  provides  that  each Member State is to define the procedures to be followed and the conditions to be fulfilled  in  order  to  gain  access  to  the  retained  data  in accordance  with  necessity and proportionality requirements. ”

Page 24,
Content: ” Above  all,  the  access  by  the  competent  national  authorities  to  the  dataretained is not  made dependent on a prior review carried out by  a court or by an independent administrative body whose decision seeks to limit access to the dataand their use to what is strictly necessary for the purpose of attaining the objective pursued and  which  intervenes  following  a  reasoned  request  of  those  authorities submitted within the framework of procedures of prevention, detection or criminal ”

Page 25,
Content: “prosecutions.  Nor  does  it  lay  down  a  specific  obligation  on  Member  Statesdesigned to establish such limits.  ”

Page 25,
Content: “Furthermore,  that  period  is  set  at  between  a  minimum  of  6  months  and  amaximum of 24 months, but it is not stated that the determination of the period ofretention must be based on objective criteria in order to ensure that it is limited towhat is strictly necessary. ”

Page 25,
Content: ” it  must  be  held  that  Directive2006/24 does not provide for sufficient safeguards, as required by Article 8 of theCharter, to ensure effective protection of the data retained against the risk of abuse and against any unlawful access and use of that data. ”

Page 26,
Content: “In the second place, it should be added that that directive does not require the data in question to be retained within the European Union, with the result that it cannot be  held  that  the  control,  explicitly required  by Article 8(3)  of  the  Charter,  by  an independent  authority  of  compliance  with  the  requirements of  protection and security,  as  referred  to  in  the  two  previous  paragraphs,  is  fully  ensured.  Such  a control,  carried  out  on the  basis  of  EU  law,  is  an  essential  component  of  the protection  of  individuals with  regard  to  the processing  of  personal  data  (see,  to that effect, Case C-614/10 Commission v Austria EU:C:2012:631, paragraph 37). ”

Page 26,
Content: “Having regard to all the foregoing considerations, it must be held that, by adopting Directive 2006/24,  the EU  legislature  has  exceeded  the  limits  imposed  by compliance  with  the  principle  of proportionality  in  the light  of  Articles 7,  8  and 52(1) of the Charter. ”