CJEU Declares General Data Retention Unlawful in Tele2 Sverige

On 21 December 2016, the CJEU delivered a ground-breaking judgement in joined cases C-203/15 and C-698/15 of Tele2 Sverige and Watson by taking a bold step in a direction already established in its 2014 judgement in Digital Rights Ireland. The CJEU made it clear that any legislation that does not limit the range of targets based on reasonable suspicion is unlawful, while also highlighting that the safeguards and limitation set out in Digital Rights Ireland are mandatory. The judgement brings stronger protection for privacy, data protection and freedom of expression, but also has the potential to hinder the effective prosecution of crimes and terrorism. Tele2 Sverige is the third decision of the CJEU dealing with the issues of indiscriminate surveillance, the first being Digital Rights Ireland and the second Schrems, where the Court elaborated on the validity of safe harbour agreements with third states that do not protect the data subjects’ rights to the same level as EU standards.

Data retention in the EU

While Digital Rights Ireland annulled the Data Retention Directive, it posed a number of questions to member states, the telecoms sector and citizens alike because it did not expressly state that blanket data retention is unlawful per se. Therefore, it allowed for the misinterpretation that data can be retained indiscriminately provided that additional measures regarding access, storage and oversight are in place.¹ In the aftermath of the judgement, courts in 11 Member States quashed national regulations, while some others started a review as a governmental initiative. The scattered legal landscape could easily end up obstructing judicial and investigative cooperation and providing patchy and inefficient protection of the fundamental rights of EU citizens. The Data Retention Directive and its revocation were of particular significance since only 5 EU Member States have introduced legal frameworks for signals intelligence operations. In the remaining states, data retention was the sole legal vehicle for untargeted surveillance of large groups or entire populations. Therefore, Tele2 Sverige is a response to a pressing need to clarify the scope and effect of Digital Rights Ireland.

Tele2 Sverige and its future implications

Digital Rights Ireland left a number of open ends and opened the door for four types of legal actions. The first and most commonly used avenue for the judicial re-assessment of the data retention regime was the procedure of constitutional review. Secondly, Digital Rights Ireland laid the ground for individuals to take action against service providers that continued to retain data, and telecoms providers that had ceased to comply with the national legislation could still be held accountable by states. Administrative liability could also be invoked against public authorities that enforced penalties on the providers for not meeting an obligation that had potentially lost its legal foundation, as happened when  Tele2 Sverige initiated Administrative Court proceedings against the Swedish Post and Telecom Authority for enforcing penalties against Tele2 after it had stopped retaining customer data and deleted existing records. The UK referral for a preliminary ruling was a result of a judicial review case where the Court of Appeal had found DRIPA (Data Retention and Investigatory Powers Act 2014) to be inconsistent with binding EU law as it allowed for indiscriminate data retention.

Both referrals sought to clarify the impact of Digital Rights Ireland on the domestic regimes covering the retention of and access to communications metadata, and its relation to the Directive 2002/58 ‘on the processing of personal data and the protection of privacy in the electronic communications sector E-Privacy’ (hereinafter, the E-Privacy Directive). As contemporary surveillance measures concern the public sector and private telecommunications service providers alike, the applicants asked whether community legislation designed to harmonise privacy standards within the telecommunications industry apply in areas where the telecoms providers are playing a vital role in crime prevention and investigation.

Does the E-Privacy Directive apply?

Article 1(3) of the E-Privacy Directive states that matters relating to public security, defence and state security fall outside the scope of the directive, whereas Article 15(1) grants states the power to infringe the principle of confidentiality in the context of activities reserved to states or state authorities that are unrelated to fields in which individuals are active. Data retention, however, does not fall comfortably within the borders of the Article 15(1) exemption, as it directly concerns both the functioning of the service providers and the communication practices of regular individuals.

While acknowledging this controversy, the Swedish and British governments argued that even when the process of persistent dragnet data retention does fall within the scope of the E-Privacy Directive, the subsequent procedures of requesting and granting access are matters relating strictly to state activities and thus not bound by the privacy safeguards foreseen in the directive. Neither the Advocate General nor the Court accepted the proposed distinction between regulating retention and access, and advocated for a more holistic way of looking at data retention.²

Untargeted equals unlawful

Having declared the whole procedure from the start of the retention period to granting access and deletion to be subject to the requirements of the E-Privacy Directive and Articles 7, 8 and 52(1) of the EU Charter of Fundmanetal Rights, the Court proceeded to evaluate whether a general data retention obligation constitutes a disproportionate infringement. What made the Court’s decision remarkable is how boldly it did away with data retention, in some aspects going further than Tele2, Tom Watson, Open Rights Group and Privacy International argued in their submissions, or Advocate General Saugmandsgaard Øe in his opinion of July 2016.

Although the applicants had suggested that untargeted might equal disproportionate when it comes to data retention, the emphasis of the submission was still on the accompanying guarantees and safeguards.³ The AG also came to the conclusion that untargeted surveillance is not necessarily unlawful, provided that it is overseen by an independent authority or a court, limited in time, and contingent on strict access and security requirements. The court, however, held that an unlimited range of subjects of data retention amounts to a violation of the principles of strict necessity and proportionality.⁴ The court stressed that, although not revealing the content of the communications, metadata allows precise and intimate conclusions about a person’s life to be drawn, and the objective of fighting serious crime cannot justify such an intrusive intervention in the private lives of citizens who do not have any connection to criminal activities. It nevertheless went on to reflect on the additional standards and restrictions for targeted data retention and access to data in particular.

Updated requirements of lawful targeted data retention

Digital Rights Ireland left member states with a wide margin of discretion on whether and how to review and amend their national data retention regimes. Some reacted by exhaustively determining the scope of offences, the prosecution of which justifies access to the retained data; others added the additional requirement to store the data on the territory of the member state or the EU; some put stricter limits on the retention periods; and others took no action. Nevertheless, the margin of discretion and space for creative play was much reduced. The Court has unambiguously spelled out that, in addition to being targeted based on reasonable criteria and objective evidence, a proportional regime of retention and access has to meet the following conditions. It must:

• be clear and precise;
• define the categories of retained data, retention periods and the means of communication and persons affected, and limit them to what is strictly necessary;
• provide sufficient guarantees against the misuse of data, including the obligation to retain the data in EU and irreversibly destroy the data at the end of the retention period;
• allow for access solely in the interest of fighting serious crime;
• lay down the procedure for accessing retained data; and
• lay down a system of independent ex ante and ex post review of access requests.

The Court superseded the applicants’ and interveners’ submissions in one more important aspect; it reiterated that, in addition to infringing the fundamental rights to privacy and data protection, indiscriminate retention also contravenes the freedom of expression foreseen in Article 11 of the Charter.⁵ This falls in line with the concept of intellectual privacy, which implies that although privacy has sometimes been perceived as being in conflict with the freedom of expression, it is in truth a necessary precondition for it. Pursuant to the Charter, the E-Privacy Directive and the CJEU case law, any interference with fundamental rights has to be ‘strictly proportionate’ to the intended purpose. The requirement of strict proportionality calls for a thorough examination of the suitability and necessity before a surveillance technique can be legitimised, and this means that any infringing practice should be weighed against all the possible alternatives and that its true efficiency has to be openly assessed.

Future implications

The open assessment of the advantages and disadvantages of data retention in relation to its alternatives might prove to be controversial, since intelligence measures are inherently characterised by secrecy and their efficiency or lack thereof can thus be extremely difficult to determine. Tele2 Sverige is nonetheless likely to bring about an obligation to talk about surveillance capabilities in a more open manner, and to critically review all the evidence that speaks for or against data retention. Experts and policy-makers have been largely divided on the matter with some hailing data retention as second to none⁶ and some chastising it or even claiming that any form of mass surveillance undermines the targeted intelligence practices of proven efficiency⁷ . Any relevant post-Tele2 Sverige regulation should not authorise data retention based on the possibility of it being reasonably effective, but only when there is specific proof of it being the single most effective measure for attaining the desired outcome.

In addition to the general legal uncertainty prevailing after Digital Rights Ireland, the terror attacks of January and November 2015 spurred the Commission to reconsider the value of data retention and some of the member states that had previously revoked data retention began to support its reintroduction, but Tele2 Sverige impedes any attempt to swiftly reintroduce a data retention regime. Those member states that did not react to Digital Rights Ireland by initiating a review of their national legislation are now likely to be forced to do so, and should dwell on the binding standards introduced in Digital Rights Ireland and further elaborated in Tele2 Sverige. As for future case law, there will probably be an increase in the number of constitutional review cases and of cases where either telecoms providers challenge the state for forcing on them an unlawful obligation, or individuals take action against the telecoms providers for continuing to retain their data.

Ultimately, while the key concept of dispute after Digital Rights Ireland was proportionality, Tele2 Sverige is likely to raise discussion over the definitions and distinction between targeted and untargeted data retention, which touches upon the sensitive question of profiling. The Court maintains that retaining the data of, for instance, defined user groups or populations of specific areas is a lawful measure. It is therefore up to the member states and law enforcement, intelligence and judicial authorities to determine which groups or areas are particularly prone to criminal connections and therefore subject to data retention. This is considered by some to be a gateway to ethnic, religious and social profiling, but it is the only feasible, efficient and less infringing alternative to untargeted retention.

The ruling only very briefly touches upon the practices of the service providers regarding the retention of data, and therefore it is likely that the data will still be stored in future. While not drawing a line between retention and access, the judgment will still influence access procedures. As corporate retention rules tend to vary across at least as wide spectrum as national policies, the option to retroactively access the communications metadata of defined subjects will, to a certain extent, still be available. After Digital Rights Ireland, Europol reported that the ruling had hampered investigations in areas such as computer intrusion, hacking, and child abuse.⁸ Others, in particular information security and computer science specialists, have claimed that it is statistically impossible to, for example, find terrorists through any total population monitoring programme. Whether the lack of uniform national regulation is going to gravely hinder the investigation and prosecution of serious crime remains to be seen.

Ann Väljataga

This publication does not necessarily reflect the policy or the opinion of the NATO Cooperative Cyber Defence Centre of Excellence (the Centre) or NATO. The Centre may not be held responsible for any loss or harm arising from the use of information contained in this publication and is not responsible for the content of the external sources, including external websites referenced in this publication.

1. See e.g., EP LIBE Committee, Legal Opinion: Questions relating to the judgment of the Court of Justice of 8 April 2014 in Jolned Cases C-293/12 and C-594/12, Digital Rights Ireland and Seitlinger and others – Directive 2006/24/EC on data retention – Consequences, para 88 [↩]
2. CJEU, Joined Cases C-203/15 and C-698/15 of Tele2 and Watson, paras 74 – 78, Opinion of Advocate General Saugmandsgaard Øe, paras 123 – 125. [↩]
3. CJEU, Joined Cases C-203/15 and C-698/15 of Tele2 and Watson, paras 44-59. [↩]
4. Ibid., para 112. [↩]
5. CJEU, Joined Cases C-203/15 and C-698/15 of Tele2 and Watson, paras 92-93. [↩]
6. See e.g. Malmström, Cecilia. Speech on Data Retention, European Commission conference in Brussels, 3 December 2010 http://europa.eu/rapid/press-release_SPEECH-10-723_en.htm?locale=FR; Eurojust, Consultative Forum of Prosecutors General and Directors of Public Prosecutions of the Member States of the European Union – 10th meeting, 11 December 2015; Eurojust/Europol, ‘Common challenges in combating cybercrime‘, 30 November 2015 [↩]
7. See e.g Roth, Kenneth. Rethinking Surveillance, New York Review of Books, 2 July 2013, http://www.nybooks.com/daily/2013/07/02/electronic-surveillance-missing-laws/ ; Pieter Omtzigt, CoE Committee on Legal Affairs and Human Rights, Report on mass surveillance, 26 January 2015, http://website-pace.net/documents/19838/1085720/20150126-MassSurveillance-EN.pdf/df5aae25-6cfe-450a-92a6-e903af10b7a2; Macherez, Felix. La surveillance de masse ne peut pas stopper les attaques terroristes, Interview with Bruce Schneier, 26 June 2015, Vice France, https://www.vice.com/fr/article/la-surveillance-de-masse-ne-peut-pas-stopper-les-attaques-terroristes-128. [↩]
8. Europol, An Update on Cyber Legislation,” Europol, www.europol.europa.eu/iocta/2015/app-2.html.  [↩]