Is EU data protection law hampering terrorism and serious crime investigations?

Irish high court

In February 2018 the Irish High Court will assess if Irish legislation governing the retention and access to telecommunications data is compatible with EU law. This will not be the first time a  case regarding EU data protection law and the retention and access to telecommunications emanated from Ireland. The Irish campaign group Digital Rights Ireland brought a case to the Irish courts that ended up in the EU’s Court of Justice of the European Union (CJEU) where the compatibility of the EU’s Directive 2006/24/EC with EU law protecting privacy rights and protection of personal data was examined. Introduced following the terrorist attacks in Madrid 2004 and London 2005, the 2006 Directive laid down an obligation on publicly available electronic communications services or public communications networks to retain certain data generated or processed by them that would assist in investigating and prosecuting terrorism and serious crime cases.

CJEU

In the case of Digital Rights (2014) the CJEU found the 2006 Directive would  for a number of reasons (reasons underpinned by the 1995 Data Protection Directive 95/46/EC and articles 7, right to privacy, and 8, protection of personal data in the EU’s Charter of Fundamental Rights and Freedoms – CFRF) the 2006 Directive was invalid.  Among those reasons it included that the retention of the data was indiscriminate, the grounds for limiting the rights were too broad and not sufficiently specific, there was a lack of judicial authorisation or scrutiny and there were insufficient safeguards protecting those rights.

In December 2016 the CJEU was again requested in the Tele2 case to examine the compatibility of EU law protecting personal data, this time with the statutes in Sweden and the UK that were then covering the retention and access to telecommunications data linked to investigations into terrorism and serious crime. In Tele2 the CJEU also examined article 52 CFRF and the EU’s 2002 e-Privacy Directive 2002/58/EC.  Both Sweden and the UK’s statutes were found to be incompatible with EU law and therefore invalid. In Tele2 the CJEU did recognise that fighting terrorism and serious crime was important enough to be an objective of general interest to limit citizens’ rights to protection of personal data but added:

‘…however fundamental it may be, it cannot itself justify that national legislation providing for the general interest and indiscriminate retention of all traffic and location data should be considered to be necessary for the purposes of that fight.’

The CJEU held that for the retention and access to telecommunications data to meet EU law requirements:

1. The limitation of the exercise of rights and freedoms must be provided for by law; and
2. The limitations must be subject to the principles of proportionality; and
3. The limitations must be necessary; and
4. The limitations must meet the general interest recognised by the EU.

It can be argued that in their judgement the CJEU’s guidance to both Member State legislators and state investigatory bodies, the CJEU itself has lacked being specific as to essential criteria necessary and must be present to ensure when the objectives of fighting crime and terrorism meet the limitations as to the grounds of general interest that justifies the lawful retention of telecommunications data. The same can be said regarding providing guidance on what grounds would justify necessity. Throughout the judgement in Tele2 the CJEU repeat that to be compatible with the principle of proportionality conditions laid down in national legislation must not exceed the limits to what is strictly necessary. On what is regarded as strictly necessary the CJEU state national legislation must be based on objective criteria defining the circumstances and conditions under which competent authorities can access the telecommunications data. The Court added, presumably as a guidance, that access can only be granted:

‘…in relation to the objective of fighting crime, only to the data of individuals suspected of planning, committing or having committed a serious crime or of being implicated in one way or another in such a crime.’

Adding:

‘[In] particular situations, where for example vital national security, defence or public security interests are threatened by terrorist activities, access to the data of other persons might also be granted where there is objective evidence from which it can be deduced that that data might, in a specific case, make an effective contribution to combating such activities.’ ([2016] All ER (D) 107, paragraph 119)

To ensure these conditions are fully met the CJEU held that as a general rule an authorisation to access and disclosure of telecommunications data be reviewed by either a court or an independent administrative body with the court or body’s decision being made following a reason request by the authorities that the purposes are for the prevention, detection or prosecution of crime. This echoed the CJEU’s decision in Digital Rights.

While prima facie the guidance provided by the CJEU in Tele2,  seems clear and laudable, this guidance only applies to certain investigations into serious crime or terrorism, and would arguably be more pertinent to serious crime investigations rather than terrorism investigations. Understanding why the CJEU limits its guidance that at times seems at variance with national courts, especially those in Member States with a common law legal system like Ireland and the UK could be explained in the rules concerning statutory interpretation. In common law jurisdictions the courts apply one of three rules, the literal rule, the golden rule and the mischief rule. In essence the courts apply the literal rule where statutes are to be interpreted using the ordinary meaning of the language of the statute unless a statute explicitly defines some of its terms otherwise. In other words, the law is to read, word for word and should not divert from its true meaning. The golden rule applies where the courts see an application of the literal rule leading to an absurdity, then the courts may then apply a secondary meaning. The mischief rule should only be applied where there is ambiguity in the statute where under the mischief rule the court’s role is to suppress the mischief the Act is aimed at and advance the remedy.

However, these traditional statutory interpretation rules are not seen as applicable when interpreting national law with EU directives and considering the CJEU’s decision making. This could be due to virtually all of continental European states’ jurisdciaitons not having a common law legal system, with their courts’ role being solely statutory interpretation, which is what is seen with the CJEU. In these circumstances two methodological rules have been identified in CJEU case law, the interpretative priority rule and the presumption of compliance rule.

Regarding the interpretative priority rule, national courts must favour the interpretation of the national legislation which is the most consistent with the result sought by the directive. The aim here is to achieve an outcome compatible with the provisions of the directive that is consistent within all of the Member States. The presumption of compliance rule is a presumption that the national court intended to transpose the directive fully into national law with a court assuming that the national legislature intended to comply entirely with the requirements of the directive. The presumption of compliance rule can result in problematic consequences in the event the national legislation or the ruling by the national court contains inadvertent inconsistencies with EU law. This occurs where a specific objective of an enactment in national law contradicts the directive’s requirements as subsequently interpreted by the CJEU and there is no indication the national legislature realised the presence of the inconsistency.

Compared to national courts in common law jurisdictions who have traditionally been granted a much wider leverage in their statutory interpretation rules, the EU rules could be perceived as fettering the national court judges’ traditional decision making and limiting in relation to guidance provided in judgements regarding how EU law is applied. This is relevant not just to national legislatures, but also to agencies that particular EU law applies to. It is submitted that this is because common law jurisdictions are used to having both the ratio of the case and obitur dictum in their case reports where, in most cases, common law courts’ obitur is generally more extensive than that seen in case reports on European judgements. Accepting that obitur is not the decision only persuasive argument, a wider and more expansive obitur is also useful in guiding agencies’ actions when applying the law in circumstances that do not quite match those in the facts of a case report. As seen in both the CJEU’s decisions in Digital Rights and Tele2 the guidance provided is more limiting than that seen in Member States’ national courts with a common law legal system when interpreting non-EU national law. This may be due to the difficult task that in trying to harmonise EU law among 28 Member States and the variance of legal procedures among those states, the CJEU is trying not to be too prescriptive in its decision making that could result in either providing too wide or narrow an interpretation of EU law.

The impact these cases have had on EU Member States’ national law can be seen in the following. In response to the Digital Rights decision, the UK introduced the Data Retention and Investigatory Powers Act 2015 that required communications operators to retain telecommunications data up to a period not exceeding 12 months. It also allowed for authorisation of interception warrants to UK intelligence and policing agencies to access the communications data when necessary in the interests of national security, to prevent or detect serious crime or to safeguard the UK’s economic well-being. This was the UK statute that the CJEU in Tele2 found to be incompatible with EU law. In March 2015 a national Dutch court in The Hague followed the CJEU’s decision in Digital Rights and found Holland’s surveillance and data retention law fell under the EU law and the CFRF. As the Dutch law failed to conform adequately to articles 7 and 8 of the CFRF, along with the court also finding insufficient safeguards, the Court suspended the Dutch law.Applying the Digital Rights decision similar legal issues were found in the respective domestic statutory provisions regarding surveillance of communications post-Digital Rights by the respective judiciaries in Sweden, Romania and Belgium where their respective courts have held their legislation to be in breach of EU law. This raises the question of how can state bodies investigating terrorism and serious crime legally access telecommunications data?

FaceTimeskypewhatsapp

Especially since the introduction of the e-Privacy Directive in 2002  we have seen the growth in forms of communication and the ways in which people carry out transactions from banking online, shopping online (including booking travel), send messages and speak to each other in various messaging services including Skype and FaceTime where people can converse while seeing each other. There are also encrypted messaging services that have been used by criminals and terrorists from Telegram to WhatsApp. Recently the likes of WhatsApp has been the preferred form of communication by criminals and terrorists as it is encrypted and apart from sending written messages, with this App individuals can send recorded voice messages to each other as well as pictorial images. Once cannot compare the technological wizardry that was the Nokia mobile phone to the i-Phones we have now that are in essence pocket sized computers. As such it is time the EU looked to introduce legislation that allows for internet and communications service providers to retain their telecommunications data for at least up to 12 months and allow state investigative bodies investigating acts of terrorism and serious crime access to that data. Since 2007 there have bee too many examples of how effective access to this data has been in the arrest and subsequent conviction of terrorists and those committing serious crime.

No doubt some reading this will have concerns over the state conducting widespread surveillance on its citizens and cite the US’ NSA and the Snowden revelations. In the protestations of the potential for state surveillance of telecommunication data an anomaly exists as many mobile phone and internet users do not appear to be so hesitant in passing on personal data, including sensitive data to private companies, including communications and internet service providers. In his book ‘Dawn of the New Everything: A Journey Through Virtual Reality’  the former Facebook president, Jaron Lanier says that based on the information individuals provide who they become friends with, what they buy and the news they consume is based on these providers’ algorithms adding that internet companies monitor their users’ habits and interests, which they feed into those companies’ algorithms. Yet, once the state agencies say it wants communications and internet service providers to retain their data in order to gain access to that data when the circumstances exist in relation to serious crime and terrorism, many individuals express a deep concern that the state is turning into a big brother state monitoring their every movement. This is not the case as many senior security service and police officers regularly state, the resources in both staffing levels and equipment are limited and as such both the security services and the police literally cannot monitor the electronic communications of every citizen, they can only target those who pose a threat to state security or who are involved in criminality.

The interests of national security and personal rights are not exclusive issues, but are inclusive and in today’s society we must all accept that state bodies investigating terrorism and organised crime must be able to have access to telecommunications data to deal effectively with terrorists and criminals. As such it is time the EU stopped paying lip service to this notion and fully recognised this by introducing legislation that allows this while effectively balancing citizens’ rights.

My terrorism book cover

You can read more detail on these issues in my forthcoming book ‘Terrorism: law & Policy‘ and I am currently writing an article on this issue and the Irish Dwyer appeal case that will be published after the appeal hearing.