In a judgment handed down on 21 December, concerning the joined cases Tele2 Sverige v Post- och telestyrelsen and Secretary of State for the Home Department v. Watson et al., the Court of Justice of the European Union declared that national legislation of Sweden and of the UK, mandating indiscriminate retention of telecommunication data for law enforcement purposes, was in violation of arts. 7, 8 and 52(1) of the EU Charter of Fundamental Rights and thus unlawful.
The case involved requests for a preliminary ruling issued by, respectively, the Administrative Court of Appeal of Stockholm and the Court of Appeal of England and Wales, concerning the compatibility of Swedish and British national legislation implementing Directive 2006/24, better known as the Data Retention Directive, with the EU Charter of Fundamental Rights. It is worth recalling that, following the adoption of the Treaty of Lisbon, by virtue of art. 6(1) TEU the EU Charter carries the same legal value as the Treaties.
Within the Swedish legal system, Directive 2006/24 had been implemented through two statutes, Law 2003:389 and Regulation 2003:396. Together, the statutes imposed an obligation upon public telecommunications providers to retain all the categories of data listed in art. 5 of the Directive, and specifically: data relating to the source of a communication, to its destination, as well as to its date, hour, and time; data necessary to identify the type of communication, the user’s communication equipment, and the location of the communication. Moreover, as required by the Directive, retention of the foregoing categories of data was mandatory for five types of communication: fixed and mobile telephony, internet access, internet e-mail, and internet telephony. With respect to the retention period, Sweden had opted for a time frame of 6 months, the minimum allowed by the Directive. Access by law enforcement authorities to the data thus retained was regulated by the Code of Criminal Procedure.
By contrast, the United Kingdom – instead of imposing a general obligation of data retention – had elaborated a system based on “retention notices”, through which the Secretary of State could compel a public telecommunications operator to retain all the categories of data listed in art. 5 of the Directive for periods of time that could not exceed 12 months. However, the statute regulating the retention notices also included a long list of purposes justifying their issuance, only a few of which were in fact connected to law enforcement: this constituted a deviation from the Directive, which required that the data be retained only “for the purpose of the investigation, detection and prosecution of serious crime”.
The issue before the Court was thus whether Swedish and British legislators had violated the wording of art. 15 of Directive 2002/58 (better known as the e-privacy Directive), which allows Member States to require public telecommunication providers to retain categories of telecommunication data only “when such restriction constitutes a necessary, appropriate and proportionate measure within a democratic society to safeguard national security […]”, in light of the relevant provisions of the EU Charter of Fundamental Rights, namely: art. 7 concerning the right to privacy, art. 8 concerning the right to data protection, and art. 52(1) concerning limitations of fundamental rights.
According to the Court, the stated law enforcement purpose of the national legislation of Sweden and of the UK does not, in itself, justify an infringement of the rights to privacy and data protection as determined by unrestricted systems of retention and access to personal data, carried out absent any form of judicial review. In the Court’s opinion, the measures laid down by Sweden and by the UK encroached upon the rights to privacy and data protection to an extent intolerable even in light of their law enforcement purpose: the data retention schemes in question, that is, were not proportional in the sense required by art. 52(1) of the EU Charter. The restrictions on the rights to privacy and data protection they entailed were, therefore, unlawful.
The decision is consistent with the Court’s previous holding in Digital Rights Ireland, where – on essentially the same grounds – it had struck down the Data Retention Directive itself. The two judgments can therefore be read comprehensively as a strong stance from the Luxembourg court against legislation establishing systems of retention of personal data enacted in the context of the fight against terrorism, regardless of whether it is of national (as in Tele2 Sverige) or European (as in Digital Rights Ireland) derivation.
However, it would be misleading to infer the EU’s general approach to the use of personal data as a counter-terrorism measure from these two judgments alone.
On the one hand, the Court itself in Tele2 Sverige acknowledged that measures involving the retention of personal data are in theory feasible in the context of fighting serious crime, provided that certain conditions are met (such as the requirement that the data be retained within the EU, and that access to such data be subject to prior review by a court or an independent administrative authority).
On the other, the activity of other Institutions of the EU, and especially of the Commission, shows a trend of increasing willingness to pursue measures that rely on the collection and retention of various forms of personal data in the context of the EU’s counter-terrorism effort – financial and travel information above all.
Concerning the latter in particular, on 27 April 2016 – in fact, simultaneously with the better-known Data Protection package – the EU adopted a Directive on Passenger Name Records (PNR Directive), a long-awaited Europe-only version of the PNR agreements currently in force with the USA.
The Directive, which must be transposed before May 2018, requires Member States to compel air carriers traveling between EU and non-EU destinations (with the option of extending such mandate to carriers flying within the EU as well) to transfer passenger name record data to ad hoc units, called Passenger Information Units (PIUs), to be established in each Member State. Such data, according to the Directive, can subsequently be transferred to competent authorities “for the purposes of preventing, detecting, investigating and prosecuting terrorist offences or serious crime”.
The Commission has also undertaken to assess the feasibility of an EU system of financial data collection, similar to the Terrorist Finance Tracking Program (TFTP) agreement in place with the United States. Pursuant to the TFTP agreement, US authorities may request their European counterparts to compel private financial institutions located in Europe and listed in an Annex to the Agreement (currently, that list comprises solely the Belgian cooperative SWIFT) to transfer data pertaining to specific transactions, with the exclusion of SEPA data.
The current proposal for an EU system of Terrorist Finance Tracking involves the inclusion of data concerning payments operated through competitors of SWIFT, as well as data relating to SEPA. The objective of the impact assessment, which has not yet been released and is expected for the summer of 2017, is therefore the evaluation of a system that is not parallel to the TFTP, but rather complementary to it.
Two patterns can thus be highlighted within current EU law discussions: on the one hand, a renewed concern for privacy and data protection, which the EU safeguards as fundamental rights; on the other, a growing interest in – and increasing unwillingness to abandon – the use of systems that rely on personal data in the context of counter-terrorism. Which will prevail will depend greatly both on how the terrorist threat keeps unfolding in Europe and on future judgments of the Court of Justice, where the judges will be compelled either to shut the door completely on such measures or to lay down clearer conditions for their enactment.