Access to Public Information, Privacy, Data Protection and Retention, Surveillance
Bartnicki v. Vopper
Nominations Are Now Open for the 2024 Columbia Global Freedom of Expression Prizes. Learn more and nominate here.
Closed Mixed Outcome
Global Freedom of Expression is an academic initiative and therefore, we encourage you to share and republish excerpts of our content so long as they are not used for commercial purposes and you respect the following policy:
Attribution, copyright, and license information for media used by Global Freedom of Expression is available on our Credits page.
This case is available in additional languages: View in: Español
The European Court of Justice (ECJ) in a preliminary ruling held that national legislation establishing mass surveillance of electronic communications for the purpose of fighting crime violated the right to privacy and the right to data protection. The decision follows requests from U.K. and Swedish courts after the ECJ’s earlier ruling in Digital Rights Ireland invalidating the EU’s Directive 2006/24/EC on data retention on the grounds that a general obligation to retain certain communications data constituted a serious interference with the fundamental rights to respect for private life and to the protection of personal data, and that national rules effecting such obligation were not limited to what was strictly necessary for the purpose of fighting serious crime. The Court reasoned that the EU’s Directive 2002/58 on privacy and electronic communications must be interpreted in light of Articles 7 and 8 of the Charter of Fundamental Rights of the European Union (CFREU), namely the rights to privacy and data protection, and that national legislation which, for the purpose of fighting crime, provided for the general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication violated human rights law. The Court further reasoned that access of the competent national authorities to the retained data had to be restricted to fighting serious crime only, with prior review by a court or an independent administrative authority, and the data concerned had to be retained within the EU.
The U.K. and Swedish cases were each brought following the ECJ’s ruling in Digital Rights Ireland invalidating the Data Retention Directive on the grounds that the general obligation to retain certain communications data constituted a serious interference with the fundamental rights to respect for private life and to the protection of personal data, and that the rules established by the Directive were not limited to what was strictly necessary for the purpose of fighting serious crime.
Following this judgment, one of Sweden’s main telecommunications operators, Tele2 Sverige, stopped retaining communications data, on the basis that the applicable Swedish law (Chapter 6 of Sweden’s Law on Electronic Communications) no longer conformed to European fundamental rights law. Tele2 Sverige also proposed to delete the data which it had retained until then. Sweden’s National Police Board made a formal complaint to the Swedish Post and Telecommunications Authority (PTS) arguing that Tele2 Sverige’s decision would have serious negative consequences for law enforcement. The PTS ordered Tele2 Sverige to resume retention of communications data.
Subsequently, legal proceedings were instituted and the Stockholm Administrative Court of Appeal found arguments both in favor of and against the compatibility of Sweden’s Law on Electronic Communications and EU Directive 2002/58. The Court decided to stay the proceedings and refer the question of whether a general obligation to retain data in relation to all persons and all means of electronic communication and extending to all traffic data, without distinction, limitation, or exception by reference to the objective of fighting crime was compatible with Article 15(1) of Directive 2002/58, taking into account Articles 7, 8 and 52(1) of the European Charter of Fundamental Rights (CFREU) protecting the rights to privacy and data protection.
The ECJ’s ruling in Digital Rights Ireland also prompted proceedings in the U.K. and an application was made to the High Court requesting judicial review of the U.K.’s data retention regime as set out in the Data Retention and Investigatory Powers Act (DRIPA). Under this legislation, the Home Secretary was empowered to require public telecommunications operators to retain communications data for a maximum period of 12 months. The High Court ruled that this regime was inconsistent with EU law as it did not satisfy the requirements laid down by the ECJ in Digital Rights Ireland . The Home Secretary appealed and the Court of Appeal held that its provisional view was that the ECJ had not laid down specific mandatory requirements of EU law with which national legislation must comply, but that it had identified and described protections that were absent from the harmonized EU regime. Proceedings were stayed and the ECJ asked to give a preliminary ruling on whether the Digital Rights Ireland judgment laid down mandatory requirements of EU law applicable to a Member State’s domestic regime governing access to data in order to comply with privacy and personal data protection rights under European law.
The U.K. Court of Appeal and the Stockholm Administrative Court of Appeal, requested a preliminary ruling from the ECJ clarifying the interpretation of the European Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) read in light of Article 7 (right to privacy) and Article 8 (right to the protection of personal data) of the Charter of Fundamental Rights of the European Union (CFREU). More precisely, the national courts asked whether Article 15 of the Directive should be interpreted as precluding national legislation that provided, for the purpose of fighting crime, for general and indiscriminate retention of all traffic and location data of all subscribers and registered users with respect to all means of electronic communication.
The Court first had to examine whether and to what extent EU Member States’ national legislation on the retention of traffic and location data and access to that data by national authorities, for the purpose of combating crime, fell within the scope of EU law, and of Directive 2002/58/EC in particular. This Directive excluded from its scope “activities of the State” in specific fields, such as criminal law, public security, defence, State security. However, the Court stated that the Directive applied when the state activity involved providers of electronic communications services, and therefore the processing of personal data by those providers.
The Court then focused on the main question that had been referred by the national courts, namely how to interpret Article 15 of Directive 2002/58 so as to allow Member States to adopt legislative measures providing for the retention of data for a limited period when this was justified on grounds such as national security, defence, public security and the prevention, investigation, detection and prosecution of criminal offences for the unauthorized use of an electronic communication system, and when such restriction constituted a necessary, appropriate and proportionate measure.
The Court affirmed that the Directive on privacy and electronic communications was designed “to offer users of electronic communications services protection against risks to their personal data and privacy that arise from new technology and the increasing capacity for automated storage and processing data”. [para. 83]
Indeed, the confidentiality of communications was a pillar of the Directive and implied that, as a general rule, any person other than the user was prohibited from storing the traffic data related to electronic communications without the consent of the user concerned, The Court stressed that the only exceptions were those set out in Article 15 and that these must be interpreted strictly and could not be allowed to become the rule.
The Court said that national legislation imposing an obligation on providers of electronic communications services to retain traffic data when necessary in order to make that data available to the competent national authorities, raised questions relating to compatibility not only with the rights to privacy and data protection enshrined in Articles 7 and 8 of the Charter, which were expressly referred to in the questions for a preliminary ruling, but also with the right to freedom of expression guaranteed in Article 11 of the CFREU. The Court emphasized the importance of the right to privacy, data protection and freedom of expression in any democratic society. “That fundamental right [freedom of expression], guaranteed in Article 11 of the CFREU, constitutes one of the essential foundations of a pluralist, democratic society, and is one of the values on which, under Article 2 TEU (Treaty on the European Union), the Union is founded”. [paras. 92-93]
The Court then proceeded to analyze the limitations that can be imposed on the exercise of the rights and freedoms recognized by the CFREU, namely that they had to be provided by law and had to respect the essence of those rights. In other words, they must be proportionate, necessary and meet objectives of general interest recognised by the EU or the need to protect the rights and freedoms of others.
The Court stated that the legislation under consideration provided for the general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication, and that it imposed on providers of electronic communications services an obligation to retain that data systematically and continuously, with no exceptions. Indeed, “the data which providers of electronic communications services must therefore retain makes it possible to trace and identify the source of a communication and its destination, to identify the date, time, duration and type of a communication, to identify users’ communication equipment, and to establish the location of mobile communication equipment. That data includes, inter alia, the name and address of the subscriber or registered user, the telephone number of the caller, the number called and an IP address for internet services. That data makes it possible, in particular, to identify the person with whom a subscriber or registered user has communicated and by what means, and to identify the time of the communication as well as the place from which that communication took place. Further, that data makes it possible to know how often the subscriber or registered user communicated with certain persons in a given period.” [para. 98]
In light of this, national authorities were able to completely reconstruct a user’s private life, such as residence, everyday habits, movements, activities, social relationships, social environments frequented. The interference was then “very far-reaching and must be considered to be particularly serious. The fact that the data is retained without the subscriber or registered user being informed is likely to cause the persons concerned to feel that their private lives are the subject of constant surveillance”. [para.100] In particular, the Court noted that this retention could have an effect on the use of means of electronic communication and, consequently, on the exercise by the users of their freedom of expression.
The Court said that the interference allowed by Directive was very serious and could only be justified if the objective was to fight serious crime, such as organized crime and terrorism. However, it went on, that in itself did not mean that such a fight justified national legislation providing for the general and indiscriminate retention of all traffic and location data Indeed, the laws affected all persons using electronic communications services, even those persons who were not in a situation likely to give rise to criminal proceedings. It was therefore evident that such restrictions on fundamental rights were not limited to what it was strictly necessary. The Court pointed out that while the conditions for restrictions may vary according to the nature of the measures taken for the purposes of prevention, investigation, detection and prosecution of serious crime, the retention of data must continue nonetheless to meet objective criteria that established a connection between the data to be retained and the objective pursued. In particular, such criteria must be shown to define the extent of that measure and, thus, the public affected.
In conclusion, the Court set out guidelines on the procedure to be followed by national authorities to ensure that those conditions were fully respected. It said that, except in cases of a validly established urgency, it was essential that the national authorities’ access to retained data was subject to prior review carried out either by a court or by an independent administrative body, and that the decision of that court or body should have been made following a reasoned request by the authorities submitted within the framework of procedures for the prevention, detection or prosecution of crime. [para. 120]
Moreover, the competent national authorities to whom access to the retained data had been granted, had to notify the persons affected, under the applicable national procedures, as soon as that notification was no longer liable to jeopardize the investigations being undertaken by those authorities. That notification was necessary to enable the persons affected to exercise their right to a legal remedy. The Court said that Member States must ensure that there was an independent review to ensure compliance with the level of protection guaranteed by EU law for the processing of personal data. This control was expressly required by Article 8(3) of the CFREU and constituted an essential element of respect for the protection of individuals in relation to the processing of personal data, in accordance with the principles established in Digital Rights Ireland and Schrems. If that were not so, the Court said, persons whose personal data was retained would be deprived of the right, guaranteed in Article 8(1) and (3) of the Charter, to lodge with the national supervisory authorities a claim seeking the protection of their data [para.123]
Accordingly, the ECJ held that, firstly, Directive 2002/58, read in the light of Articles 7 and 8 of the CFREU, must be interpreted as precluding national legislation which, for the purpose of fighting crime, provided for the general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication. Secondly, Directive 2002/58 must be interpreted as precluding national legislation that permitted national authorities access to the retained data, unless the objective pursued by that access, in the context of fighting crime, was restricted solely to fighting serious crime, was subject to prior review by a court or an independent administrative authority, and required the data to be retained within the EU.
Advocate General Henrik Saugmandsgaard Øe’s Opinion
Advocate General Henrik Saugmandsgaard Øe had delivered his Opinion on July 19, 2016. The Advocate General’s Opinion to the Court functions as an independent and impartial opinion on the law applicable to the case but it is influential and often followed.
The Advocate General first opined that a general obligation to retain data identifying and locating the source and the destination of the information as well as data relating to the date, time and duration of communication and type of equipment could have been compatible with EU law but only if subject to strict requirements. He did not specify those requirements saying that it was for national courts to determine whether those requirements were met. Nonetheless, he added that national regulatory regimes had to comply with the respect for private life and the right to the protection of personal data under the CFREU. In light of human rights law, the fight against serious crime was a general interest capable of justifying a general obligation to retain data but the interference had to be strictly necessary, meaning that there were no less rstrictive measures that would be equally effective.
The Advocate General pointed out that any legal regime on the retention of communications data must respect the conditions set out in the judgment in Digital Rights Ireland with regard to access to the data, the period of retention and the protection and security of the data. Moreover, the general obligation to retain data needs to be proportionate, and the risks pursuing that obligation within a democratic society must not be disproportionate to the advantages it offers in the fight against serious crimes.
The judgment from the Court followed the Advocate General’s Opinion but went further by indicating the procedural safeguards to be followed by national authorities to ensure that the rights to privacy and to data protection were fully respected.
Decision Direction indicates whether the decision expands or contracts expression based on an analysis of the case.
The ECJ’s decision expands expression since it firmly declared that national legislation allowing for general and indiscriminate data retention for the purpose of fighting crime must comply with human rights law, specifically with the rights to privacy and the protection of personal data. Notably, the Court added that the retention of communications data in violation of the rights to privacy and data protection would have a serious chilling effect on freedom of expression. However, the effect of this decision may have to be reassessed because Directive 2002/58/EC is to be replaced with the Regulation on Privacy and Electronic Communication (the “ePrivacy Regulation”) which will complement the General Data Protection Regulation (GDPR) although is unlikely to come into effect at the same time on May 25, 2018. The ePrivacy Regulation is still going through the the ordinary legislative procedure and will then have to be approved by the Council of the European Union and the European Parliament.
Global Perspective demonstrates how the court’s decision was influenced by standards from one or many regions.
Case significance refers to how influential the case is and how its significance changes over time.
Let us know if you notice errors or if the case analysis needs revision.