The judgment in case C-698/15 delivered today , 21 December 2016, by the CJEU is considered a major blow to the UK Government and, in particular, to the Prime Minister as Ms May was the driving force behind the legislation that has been declared incompatible with EU law i.e. the Data Retention and Investigatory Powers Act 2014. It also illustrates the difficult road ahead in terms of Brexit and the future of EU law in the UK (the latter meaning the case law of the CJEU which UK courts must apply for another few years at the very least). As of today the UK legislation at the centre of the national dispute is considered incompatible with EU law (e.g. any EU citizen can challenge its validity in UK courts and the latter must abide by the EU ruling).
This is a judgment handed in joined cases, one of them being the quoted above, but it will most likely be known as Tele2 Sverige. I will tailor my comments to what was decided in the UK-related case.
In the context of the preliminary ruling procedure the UK court made questions in connection with the case of Mr Tom Watson, Mr Peter Brice and Mr Geoffrey Lewis and the Secretary of State for the Home Department (UK) whereby the former challenged the conformity with EU law of Section 1 of the Data Retention and Investigatory Powers Act 2014 (DRIPA). The DRIPA is commonly known as Snooper’s Charter and was put forward by the current Prime Minister when she was Home Secretary. Furthermore, David Davis, the current Secretary of State for Exiting the European Union brought the case before the CJEU alongside Mr. Watson but managed to remove his name from the CJEU records following his appointment to the Cabinet (see paragraph 60 of the judgment “[By order of 1 February 2016, Davis and Others (C‑698/15)…]”.
The joined cases revolve around the interpretation of some articles of Directive 2002/58/EC as amended by Directive 2009/136/EC, the E-Privacy Directive, which govern several aspects of the retention and access to data in electronic communications, in particular its article 15 on restrictions to certain rights and obligations and, articles 7 and 8 of the Charter of Fundamental Rights of the EU which mainly deal with the rights to privacy and protection of personal data.
Mr Watson, Mr Brice and Mr Lewis each lodged, before the High Court of Justice (England & Wales), Queen’s Bench Division (Divisional Court), applications for judicial review of the legality of Section 1 of DRIPA, claiming that that section is incompatible with Articles 7 and 8 of the Charter and Article 8 of the ECHR.
By judgment of 17 July 2015, the High Court of Justice (England & Wales), Queen’s Bench Division, held that the Digital Rights judgment (C-293/12) laid down ‘mandatory requirements of EU law’ applicable to the legislation of Member States on the retention of communications data and access to such data. According to the High Court, since the CJEU in that judgment, held that Directive 2006/24/EC was incompatible with the principle of proportionality, national legislation containing the same provisions as that directive could, equally, be incompatible with that principle. It follows that legislation that establishes a general body of rules for the retention of communications data is in breach of the rights guaranteed in Articles 7 and 8 of the Charter, unless that legislation is complemented by a body of rules for access to the data, defined by national law, which provides sufficient safeguards to protect those rights. Accordingly, Section 1 of DRIPA is not compatible with the Charter as it does not lay down clear and precise rules providing for access to and use of retained data and because access to that data is not made dependent on prior review by a court or an independent administrative body.
As expected, the Secretary of State for the Home Department brought an appeal against that judgment before the Court of Appeal (England & Wales) (Civil Division), which in turn made the reference to the CJEU.
The CJEU reasoning is as follows: Article 15(1) of Directive 2002/58/EC, read in light of Articles 7, 8 and 11 and 52(1) of the Charter, does not prevent a Member State from adopting legislation permitting, as a preventive measure, the targeted retention of traffic and location data, for the purpose of fighting serious crime, provided that the retention of data is limited, with respect to the categories of data to be retained, the means of communication affected, the persons concerned and the retention period adopted, to what is strictly necessary. However, the same provisions indeed preclude national legislation which, for the purpose of fighting crime, provides for the general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication.
In other words, national legislation governing the protection and security of traffic and location data and, in particular, access of the competent national authorities to the retained data is incompatible with EU law, where the objective pursued by that access, in the context of fighting crime, is not restricted solely to fighting serious crime, where access is not subject to prior review by a court or an independent administrative authority, and where there is no requirement that the data concerned should be retained within the EU.
As regards objectives that are capable of justifying national legislation that derogates from the principle of confidentiality of electronic communications, it must be borne in mind that the list of objectives set out in the first sentence of Article 15(1) of Directive 2002/58/EC is exhaustive, access to the retained data must correspond, genuinely and strictly, to one of those objectives. Further, since the objective pursued by that legislation must be proportionate to the seriousness of the interference in fundamental rights that that access entails, it follows that, in the area of prevention, investigation, detection and prosecution of criminal offences, only the objective of fighting serious crime is capable of justifying such access to the retained data.
In any event, Member States must ensure review, by an independent authority, of compliance with the level of protection guaranteed by EU law with respect to the protection of individuals in relation to the processing of personal data, that control being expressly required by Article 8(3) of the Charter and constituting, in accordance with CJEU settled case law, an essential element of respect for the protection of individuals in relation to the processing of personal data. If that were not so, persons whose personal data was retained would be deprived of the right, guaranteed in Article 8(1) and (3) of the Charter, to lodge with the national supervisory authorities a claim seeking the protection of their data.
The CJEU ruled that Article 15(1) of Directive 2002/58/EC, as amended, read in light of articles 7, 8 and 11 and article 52(1) of the Charter of Fundamental Rights of the EU, must be interpreted as precluding national legislation which, for the purpose of fighting crime, provides for general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication. This is the operative part applicable to the UK case.
Full text of the judgment available at http://www.curia.eu