EU legal advisor sets out criteria for legitimate data retention laws

Out-Law News | 20 Jul 2016 | 10:30 am | 3 min. read

Telecoms companies can only be forced to store data relevant to the communications of their customers if it is "strictly necessary in the fight against serious crime", a legal advisor to the EU's highest court has said.

Advocate general Henrik Saugmandsgaard Øe, who is advising the Court of Justice of the EU (CJEU) on a case which relates to the legitimacy of UK data retention laws, said that imposing data retention obligations for the purpose of "combating 'ordinary' offences" is not justified under EU law.

"The fight against serious crime is an objective in the general interest that is capable of justifying a general data retention obligation, whereas combating ordinary offences and the smooth conduct of proceedings other than criminal proceedings are not," the advocate general said.

The view, which is non-binding on the CJEU, contradicts that expressed by the UK government.

In his newly published opinion, Saugmandsgaard Øe said that further conditions also have to be satisfied before data retention obligations can be legitimately imposed on companies. He highlighted a previous CJEU ruling as setting out "safeguards" on matters such as access to data, the period of retention and the protection and security of data as relevant conditions to be applied.

The earlier CJEU ruling cited served to invalidate previous EU data retention laws on the basis that they disproportionately infringed on privacy rights.

In its 2014 judgment the CJEU said data retention laws should contain "objective criterion by which to determine the limits of the access of the competent national authorities to the data" as well as the data's "subsequent use for the purposes of prevention, detection or criminal prosecutions". The criteria would help determine whether prospective accessing of data would represent a justified intrusion of privacy, it said.

The Court also said data retention laws should explain that data can only be retained for as long as is "strictly necessary". It said the type of data collected and its "possible usefulness for the purposes of the objective pursued or according to the persons concerned" were factors that should help determine how long data retention periods should be.

The CJEU also criticised the previous EU data retention laws for not ensuring "that a particularly high level of protection and security is applied" by telecoms providers and for not requiring data is irreversibly destroyed at the end of the retention periods. It also said that provisions allowing telecoms providers to store data subject to the data retention regime outside of the EU, such as with an overseas-based sourcing provider,  fails to ensure proper security of the data.

In his opinion Saugmandsgaard Øe said data retention obligations must also be "proportionate, within a democratic society, to the objective of fighting serious crime". This means that "the serious risks engendered by the obligation, in a democratic society, must not be disproportionate to the advantages which it offers in the fight against serious crime", he said.

The CJEU has been asked by the Court of Appeal in London to answer questions relevant to the Data Retention and Investigatory Powers Act (DRIPA), which came into force in the UK in July 2014. The Act broadly requires telecoms providers to retain information about customers' communications and to disclose that information to law enforcement agencies when asked to do so.

DRIPA was introduced as a replacement for UK rules that previously implemented the EU's Data Retention Directive which was invalidated by the Court of Justice of the EU (CJEU) in 2014. However, a legal challenge against DRIPA, fronted by two UK MPs, was launched shortly after the new legislation came into force, with concerns raised that the faults with the Data Retention Directive had been repeated in DRIPA and that the Act infringed privacy rights.

In July last year the High Court in London ruled that DRIPA was incompatible with human rights legislation but that decision was appealed by the UK government to the Court of Appeal.

The Court of Appeal has asked the CJEU to rule on whether its previous judgment on the Data Retention Directive sets out "mandatory requirements of EU law applicable to a member state's domestic regime governing access to data retained in accordance with national legislation, in order to comply with Articles 7 and 8 of the EU Charter".

Under Articles 7 and 8 of the EU Charter of Fundamental Rights everyone has a qualified right to privacy and the protection of their personal data.

DRIPA was introduced as stop-gap legislation and expires at the end of 2016 owing to a sunset clause. A new Investigatory Powers Bill has subsequently been proposed as a replacement. The Bill won approval from MPs in a vote earlier this summer.