CJEU’s ruling in HK vs Prosecution and the Living Spectre of Data Retention

In 2014, the CJEU’s judgement in Digital Rights Ireland revoked the Data Retention Directive, following which in the joined cases of Tele 2 Sverige and Watson in 2016 it was highlighted that any legislation that does not limit the range of targets based on reasonable suspicion is unlawful. Since then, EU member states seem to have acknowledged that obliging telecom service providers to indiscriminately retain communications metadata for future administrative or criminal proceedings is not compliant with EU law. However, in Ministerio Fiscal and Quadrature du Net, in which CJEU gave law enforcement authorities some hope that the prohibition is not absolute and there is some room for interpretation. In the most recent data retention case, HK vs Prosecution, Estonia asked for a preliminary ruling on the limits of the prohibition and received a rather resolute answer. According to the CJEU evidence extracted from retained metadata quite simply cannot be used against suspects in anything less than serious crimes regardless of the duration of the surveillance or any other minutiae. While the Court showed no signs of a more permissive stance, we are far from a common understanding and harmonised practices, especially as there are still valid security and business arguments for keeping logs of customer metadata and legitimate concerns over the cybersecurity implications of corporate and governmental digital hoarding.

Since the invalidation of the Data Retention Directive, data retention is regulated by the e-Privacy Directive as interpreted in the light of Charter of Fundamental Rights of the European Union. In Tele 2 and Watson, the Court laid down that Article 15(1) of the Directive applies to any national legislation providing for the retention of data for a limited period. It went on to elaborate that: “the national legislation concerned must be based on objective criteria in order to define the circumstances and conditions under which the competent national authorities are to be granted access to the data of subscribers or registered users. In that regard, access can, as a general rule, be granted, in relation to the objective of fighting crime, only to the data of individuals suspected of planning, committing or having committed a serious crime or of being implicated in one way or another in such a crime” .

In 2015, a magistrates’ court in Spain refused to meet the police’s request to order various electronic communications service providers to disclose the telephone numbers that had been activated during twelve days with the International Mobile Equipment Identity code of a stolen mobile device and to disclose the names and addresses of the owners of the SIM-cards associated with the device. The magistrate had referred to Tele 2 Sverige and Watson and concluded that access to the retained data was limited to cases involving serious crime. On appeal, the Spanish courts turned to the Luxembourg judges, who in its 2018 ruling made it clear that there has to be a proportionate relationship between the gravity of the infringement of the fundamental rights and the seriousness of the crime that is being investigated.

At one end of the gravity of the interference scale, we find untargeted metadata retention, which was unambiguously ruled out in Tele 2 and Watson. Disclosure of the identities of the owners of SIM cards activated on a specific stolen phone during a limited period was perceived to be somewhere near the opposite end and so seen as having only a limited effect on the right to privacy, and therefore warranted even when prosecuting less than serious crimes. The CJEU also affirmed in Ministerio Fiscal that access to retained data that reveals the date, time, duration and recipients of the communications or the locations where they took place constitutes a serious interference since the data allows precise conclusions to be drawn about the private lives of the people concerned, and can be only be granted to authorities investigating crimes that qualify as ‘serious’. None of the data retention cases, however, offer any guidance on establishing the seriousness of a crime.

In introducing a degree of flexibility when deciding on the use of the telecommunications data of targeted suspects, Ministerio Fiscal avoided a straightforward conflict with the ban on indiscriminate data retention. This crucial step away from the Tele 2 and Watson principles was taken in late 2020 in Quadrature du Net. Called a ‘victorious defeat’ by the applicants, the ruling reopened the door for preventive mass data retention, but was at the same time quite particular about legal clarity, preconditions, safeguards and remedies. It stated that EU e-Privacy Directive read in the light of the Charter of Fundamental Rights does not preclude a legislative measure that permits competent authorities to order providers of electronic communications services to retain traffic and location data of all users of electronic communications systems for a limited time, as long as there are sufficient grounds for considering that the member state concerned is confronted with a serious threat to national security which is shown to be genuine and present or foreseeable (para 137). The Court added that the retention must be ‘limited in time to strictly necessary’, subject to safeguards and conditions and ‘not systematic in nature’. The retention periods, however, may be renewed in the case of ongoing threats.

The Court gave threats to national security a very obvious priority over other legitimate aims. When it came to the general and discriminate retention of traffic and location data for the purpose of combating serious crime, it was held to exceed the limits of what is strictly necessary and not justified in a democratic society (para 141) The particularly serious interference entailed by the targeted retention of traffic and location data was, at the same time, seen as proportionate to the aims of combating serious crime, preventing serious attacks on public security and, a fortiori, safeguarding national security (para 146). In a nutshell, provided all the other preconditions are met, national security threats justify indiscriminate data retention, whereas serious crimes suffice to legitimise targeted data retention. Looking back, it is clear that this predicted the outcome of HK vs Prosecution.

In that case, the accused was prosecuted for a series of petty crimes including the theft of fruit preserves and dog food, and incriminating evidence was obtained from, inter alia, several reports which were drawn up based on data relating to electronic communications that took place over 12 days. At the time of the proceedings and until now, Estonia has continued to follow the original national implementation of the Data Retention Directive, which does provides a framework for untargeted data retention and does not limit access to retained data only to the objective of investigating serious crime. It also sets out a rather indulgent system of authorisation, where access to the data is authorised within the same institutional body that is in charge of the investigation – the Prosecutor’s Office. This was all held to be incompatible with Community law by the CJEU. The national legislation has been under revision since 2018 and the recent ruling looks like a final blow to the vocally chastised legacy of the long-gone Data Retention Directive.

The Court reiterated that Article 15(1) of the e-Privacy Directive, read in the light of the EU Charter of Fundamental Rights, precludes legislative provisions which foresee for the purposes of crime prevention, the preventive, general and indiscriminate retention of traffic and location data Second, as the Prosecutor’s Office had accessed data that provided insight into the location, length and recipients of the accused’s communication, the Court viewed it to be an infringement that could only be justified by combating serious crime and preventing serious threats to public security, regardless of the short timeframe or limited quantity of the data (para 53).Third, the public prosecutor’s office which directs the investigation procedure and, where appropriate, brings the prosecution, was not held to be an independent administrative body. Any access procedure which is not specific about the range of subjects whose data can be accessed, the legitimate objectives and the competent authorities also fails to comply with the e-Privacy Directive, the Charter and EU case law (para 55).

While the recent ruling’s primary value is likely to lie in substantiating some of the crucial aspects relating to criminal procedure, the uncertainty surrounding the obligation to store and maintain large sets of communications metadata will also affect the confidentiality and availability of digital information. Such metadata will continue to be retained on several specific legal grounds. Digital Rights Ireland and Tele 2 and Watson, for instance, allowed for its collection for business purposes, such as service continuity and billing. Provided that, as is often the case, a service telecommunications service provider qualifies as an ‘operator of essential service’ under the NIS Directive, it can keep logs to be able to generate audit reports necessary for incident response.

 Furthermore, the landscape of data retention regimes currently in force in EU is patchy at best, since some of them have been brought to line with CJEU case law while others have remained intact ever since they were first introduced (see Council of the European Union, Working Paper. Data Retention – Situation in Member States). As a clear indication of the gap left by the Data Retention Directive, draft e-Privacy Regulation sets forth a non-exhaustive catalogue of objectives allowing for metadata retention ranging from network management and optimisation to statistical and scientific purposes. Chances are, therefore, that the data will be there and under some circumstances accessible to investigative authorities. Cases such as Microsoft Ireland or FBI vs Apple where service providers have refused to provide access and assistance make headlines and fuel debates, but are statistically rare. This is where corporate cyber security practices, specific regulation of access procedures and the independent administrative or judicial authorisation and oversight become relevant.

This being said, it would be useful to take a glance at the options currently being discussed, previously imposed or actively in use.

Obligation to build backdoors-by-design has recently been raised in a draft resolution presented by the Council of the European Union in the context of end-to-end encryption. Deliberate weakening of a system’s encryption (or any other technical confidentiality measure) to prevent and investigate hypothetical crimes comes with the most serious costs to both cybersecurity and privacy.

Backdoors on request – The same risks apply, however, as the obligation is not universal, to a somewhat lesser degree.

Covert use of spyware. So-called ‘government hacking’ has implications for privacy, system integrity and confidentiality and also it stands for the weakest possible access control and undermines the very concepts of independent oversight and accountability (See Privacy International, Government Hacking).

Obligatory indiscriminate data retention – declared a violation of Charter rights by the CJEU in Digital Rights Ireland and Tele 2 and Watson, later considered legitimate for the prevention of serious threats to national security in Quadrature du Net.  National legislation continues to vary. Such a regime creates large and often useless yet highly vulnerable collections of data, the secure maintenance of which can be burdensome for the service providers.

Data preservation (quick freeze). Communications traffic data is not retained preventively but only after a judicial warrant, which has to be motivated by a reasonable individual’s involvement in serious criminal offences or threats to national security. Quick freeze is applied from the moment a crime is detected or suspected and includes existing or past data that is currently stored by the service provider for other purposes (see European Commission, Study on the retention of electronic communications non-content data for law enforcement purposes).

Targeted data retention constitutes a moderate to serious interference (Ministerio Fiscal, Quadrature du Net) with fundamental rights and freedoms and consequently can be applied for combating serious crime. For instance, Europol distinguishes between targeted and restricted data retention; the latter would allow collecting data on more abstractly determined groups of people, periods or geographical scope. In reality, a strict interpretation of targeted metadata retention would exclude preventive activities and therefore overlap with ‘quick freeze’.

Private data retention, also sometimes referred to as ‘data retention through the back door’, in principle means introducing a wide array of different legal grounds allowing the retention of communications metadata. This ensures that while there is no obligation to do so for criminal investigation purposes, the data will still be collected and, when supported by a liberal access and warranting system, available to law enforcement.

All these measures can be combined, and while the first three are first and foremost about access, the efficiency and fundamental rights compliance of the other four is ultimately also conditioned by the robustness of access procedures and the existence of an independent oversight framework. Since Tele 2 and Watson, the CJEU has drawn a line between retention and access and as retention has survived seven years of condemnatory case law, access is likely to be the key to finding the balance between privacy and security. Access is also the one variable in the equation which fits within the scope of EU law only when it concerns operations by service providers to enable third parties to become aware of communications and data. For this reason all of the referred judgments have skilfully refrained from directly regulating the activities of national security and law enforcement agencies.

In Privacy International, released on the same day as Quadrature du Net, the Court clarified that access to data must be consistent with the objective pursued by that legislation and lay down the substantive and procedural conditions governing that use (para 77).The UK national legislation in question had detailed a system of automatic data transmissions from the service providers to the national security and intelligence agencies, who then retained and used it for their activities. The Court held that, since general access to all retained data regardless of whether there is a link with the aim pursued, cannot be regarded as being limited to what is strictly necessary, national legislation governing access to traffic and location data must rely on objective criteria to define the circumstances and conditions under which the competent national authorities are to be granted access (para 78). As national intelligence and security agencies are usually those granted the most autonomy and freedom to choose how they acquire and process information, this can only translate into imposing equal or higher restrictions on law enforcement or other national authorities.

Therefore, while the Court has somewhat relaxed the general ban on indiscriminate data retention and deviated from the absolute character of the Digital Rights Ireland and Tele 2 and Watson principles towards a more relativist way of thinking, it has not re-legitimised data retention. There seem to be several ways for national authorities to continue with the practice or at least gain the same benefits. One commentator has noted that, when combined with an access regulation that includes law enforcement access for combating serious crime, limitations on retention only might lose much of their intended effect. Another route would be to combine a permissive regime of private data retention with easily renewable quick-freeze warrants. It is also possible, but legally hardly permissible, to mix government hacking with private data retention. If any of the more plausible alternative scenarios were ever to be applied, it is likely to end up under the scrutiny of the Luxembourg judges and reveal what will be left of the once-resolute prohibition. None of them, however, will be a triumph for the privacy camp. As privacy-conscious end-users, we would probably prefer strict adherence to and expansion of the GDPR standards combined with exceptionally clear access procedures, efficient oversight and legal remedies available to those whose rights have been violated. From the cyber security point of view perhaps a system true to the principle of data minimisation and adjustable to a company´s security needs, capacity, resources and working model would score the highest. Law enforcement authorities most likely want to have access to as much data as possible. The three wishlists seem to share a sincere interest in greater legal clarity but not in much else.

Author: Ann Väljataga, NATO CCDCOE Law Branch

This publication does not necessarily reflect the policy or the opinion of the NATO Cooperative Cyber Defence Centre of Excellence (the Centre) or NATO. The Centre may not be held responsible for any loss or harm arising from the use of information contained in this publication and is not responsible for the content of the external sources, including external websites referenced in this publication.