A hitherto-overlooked element of the Christmas story is the significant role of personal data in the fulfilment of ancient prophecy.
Why were Mary and Joseph in Bethlehem, the city of David, at all? They lived in Nazareth. Because there had gone out “a decree from Caesar Augustus that all the world should be taxed”, and Joseph had been required to go to Bethlehem for the census as he was “of the house and lineage of David”.
Not, perhaps, the central point of the Nativity, but Joseph’s SPD was undoubtedly part of the picture. And the interference with the Holy Family’s data rights did not end there. How did the shepherds know where to find the infant Jesus? Angelic surveillance: “For unto you is born this day in the city of David a Saviour, which is Christ the Lord. And this shall be a sign unto you; Ye shall find the babe wrapped in swaddling clothes, lying in a manger”. The Magi received further assistance from remote monitoring systems: “lo, the star, which they saw in the east, went before them, till it came and stood over where the young child was”.
Omniscience and omnipotence are, doubtless, useful things to have when you want to keep an eye on someone important. But ever since the Digital Rights Ireland judgment (as to which see here), the Court of Justice has been setting limits on the extent to which their earthly equivalents can be utilised by policing and security authorities. In that case the CJEU declared that the Data Retention Directive 2006/24/EC was invalid, as a result of its incompatibility with fundamental privacy rights. That directive provided for traffic and location data (but not content-related information) about individuals’ online activity to be retained by communications providers for a minimum of six months and a maximum of 24 months and made available to policing and security bodies.
Digital Rights Ireland undermined the transposing UK legislation, the Data Retention (EC Directive) Regulations 2009 SI 2009/859. The UK’s response was to pass the Data Retention and Investigatory Powers Act 2014 (“DRIPA”) in record time, between 15 and 17 July 2014. S. 1 DRIPA provided that the Secretary of State could issue ‘retention notices’ to telecommunications providers, requiring them to retain non-content communications data, if considered necessary and proportionate for a number of purposes including national security, crime and disorder, taxation, public health and ‘the economic well-being of the United Kingdom’, for up to 12 months. More details of the regime were then set out in secondary legislation and codes of practice by the then Home Secretary, Theresa May MP.
A number of individuals, including Tom Watson MP and David Davis MP, brought a judicial review challenging DRIPA’s data retention powers. The Divisional Court declared s. 1 DRIPA inconsistent with European law, but the Court of Appeal were not so sure, and referred the issue to the Court of Justice.
The individuals (minus Davis, whose enthusiasm for his EU rights seems to have lessened since becoming Secretary of State for Exiting the European Union in Theresa May’s government) have now had their answer. The Court of Justice expedited the case (C-698/15) and combined it with a Swedish one on related subject-matter, C-203/15 Tele2 Sverige. Yesterday, in its pre-Christmas data dump, it gave judgment.
The Grand Chamber identified two questions that it should answer (a third, in which the Court of Appeal enquired whether the CJEU was going further than the Strasbourg Court had done under Article 8 ECHR, was at - rejected as hypothetical and unnecessary):
- The retention question: Whether the (Swedish) legislation that provided “for the purpose of fighting crime, for general and indiscriminate retention of all traffic and location data of all subscribers and registered users with respect to all means of electronic communications” was compatible with European law; and
- The access question: Whether the (Swedish and UK) legislation that permitted access to retained traffic and location data but “does not restrict that access solely to the objective of fighting serious crime … is not subject to prior review by a court or an independent administrative authority, and where there is no requirement that the data concerned should be retained within the European Union” was compatible with European law.
To spoil the surprise, the short answer to both is: No.
The long answer to question 1 (at -):
- Notwithstanding the absence of content data, the retention of traffic and location data enabled “very precise conclusions to be drawn concerning the private lives of persons whose data have been retained”. Such a serious interference with fundamental rights could only be justified by “the objective of fighting serious crime”;
- The retention of traffic and location data had to be “the exception”, not “the rule”;
- Because the legislation did not provide any “differentiation, limitation or exception according to the objective pursued”, and did not except (for example) legally privileged communications, or indeed “require there to be any relationship between the data which must be retained and a threat to public security”, it was disproportionate;
- What was required was legislation permitting “targeted retention of traffic and location data” which was “limited, with respect to the categories of data to be retained, the means of communication affected, the persons concerned and the retention period adopted, to what is strictly necessary”. The legislation had to “lay down clear and precise rules” governing scope and application and “lay down minimum safeguards”, including an indication of the circumstances in which data retention would be adopted. The retention of data must “meet objective criteria, that establish a connection between the data to be retained and the objective pursued”.
- If a category of the public were to be identified for targeting, that had to be justified on the basis of “a link, at least an indirect one, with serious criminal offences”, such as a geographic area, and to contribute to fighting serious crime or public security.
The long answer to question 2 (-):
- Only the objective of fighting serious crime would do – see 1(a) above.
- National legislation should ensure that access to retained data “does not exceed the limits of what is strictly necessary”, and legally binding “clear and precise rules” must be in place stating the circumstances and conditions under which access would be granted, including substantive and procedural conditions.
- As a result, “general access to all retained data” regardless of whether there was a link with the stated purpose, was disproportionate. What was required was that access was only granted “to the data of individuals suspected of planning, committing or having committed a serious crime or of being implicated in one way or another in such a crime”, unless there was a particular situation such as a terrorist risk, where access to others’ data could be objectively evidenced as making an effective contribution to combating the particular threat.
- In order practically to ensure that those conditions were respected, it was “essential” that except in situations of true urgency there was a “prior review carried out either by a court or by an independent administrative body”, following a reasoned request by the authorities.
- The accessing authorities should also notify the individual concerned “as soon as that notification is no longer liable to jeopardise the investigations”, so that they could exercise their right to a legal remedy. Access should also be overseen by an independent authority.
- Where access is given, the data must be protected at a high level throughout, retained within the European Union, and irreversibly destroyed at the end of the data retention period.
What are the implications? Quite significant. DRIPA was already on its way out, given the enactment of the Investigatory Powers Act 2016. But Part 4 of that Act contains data retention powers, and the director of Liberty has already (by tweet, naturally) indicated Liberty’s intention to rely on the Tele2 Sverige judgment in planned litigation against the 2016 Act. Whether one sees the judgment as a vindication of individual privacy rights, or a stumbling block to the necessary fight against crime and terrorism, it is undoubtedly important.
It is also a shame that the Grand Chamber decided not to determine the third question. The question whether EU law provides greater privacy protection than Strasbourg has become an increasingly interesting one: as I noted in this post, in Magyar the Grand Chamber of the ECtHR was content to hold that the disclosure of individuals’ names did not even engage Article 8, since the individuals could “possibly have foreseen” such disclosure. Although the Luxembourg Court did not resolve the issue in Tele2 Sverige, it dropped a heavy hint at :
“… In particular, as expressly stated in the second sentence of Article 52(3) of the Charter, the first sentence of Article 52(3) does not preclude Union law from providing protection that is more extensive than the ECHR. It should be added, finally, that Article 8 of the Charter concerns a fundamental right which is distinct from that enshrined in Article 7 of the Charter and which has no equivalent in the ECHR.”
Article 8 of the EU Charter of Fundamental Rights provides that “Everyone has the right to protection of personal data concerning him or her”. Personal data rights may, in some circumstances, be a more effectual defence of privacy than reliance on Article 8 ECHR.