Case Summary and Outcome

The U.K. Court of Appeal, relying on a ruling from the European Court of Justice (ECJ), held that surveillance data retained for the purposes of fighting crime should be restricted to serious crime and that access to retained data must be approved by a court or administrative body. The U.K. court had asked the ECJ for a preliminary ruling on whether the surveillance powers in the Data Retention and Investigatory Powers Act 2014 (DRIPA) violated EU law, in particular Articles 7 and 8 of the Charter of Fundamental Rights of the European Union (CFREU). The ECJ had ruled that national legislation establishing mass surveillance of electronic communications for the purpose of fighting crime violated the right to privacy and the right to data protection. The U.K. Court of Appeal reasoned that DRIPA was inconsistent with EU law to the extent that, for the purpose of the prevention, investigation, detection and prosecution of criminal offences, it permitted access to retained data: a) where the objective pursued by the access was not restricted solely to fighting serious crime crime; b) where access was not subject to prior review by a court of an independent administrative authority.

Facts

The applicants, David Davis and Thomas Watson, respectively Conservative and Labour Members of the Parliament, applied for judicial review of the data retention powers as established under the Data Retention and Investigatory Powers Act 2014 (“DRIPA”). DRIPA was in force at the time of the application in 2015 but was replaced by the Investigatory Powers Act (“IPA”) in 2016.

The applicants were concerned about the width of the powers to retain and gain access to their data on a number of grounds, including, but not limited to, the confidentiality of communications between constituents. Non-governmental organizations, Open Rights Group, Privacy International and The Law Society of England and Wales were given permission to intervene as third parties in the case.

The two MPs claimed that Section 1 of DRIPA was contrary to EU law, in particular to the principles established by the ECJ in the case Digital Rights Ireland. They argued that the surveillance powers established under DRIPA violated Articles 7 and 8 of the CFREU, namely the right to privacy and the right to data protection, also enshrined in the European Convention on Human Rights (ECHR), both treaties to which the U.K. was a party.

The Court’s attention was drawn to the following EU law principles: a) the protection of the fundamental right to respect for private life required that derogations and limitations in relation to the protection of personal data must apply only in so far as is strictly necessary. Consequently the legislation in question must lay down clear and precise rules governing the scope and application of the relevant measure and impose minimum safeguards sufficient to give effective protection against the risk of abuse and against any unlawful access to and use of that data; b) any legislation establishing or permitting a general retention regime for personal data must expressly provide for access to and use of the data to be strictly restricted to the purpose of preventing and detecting precisely defined serious offences or of conducting criminal prosecutions relating to such offences; c) “above all”, access by the competent national authority to the data retained must be made dependent on a prior review by a court or an independent administrative body whose decision seeks to limit access to the data and their use to what is strictly necessary for the purpose of attaining the objective
pursued, and which intervenes following a reasoned request from those authorities.

However, the High Court considered that the ECJ did not challenge domestic legislation in the Digital Rights Ireland case, rather that it  focused on the validity of Directive 2006/24/EC, which had amended the so-called Data Retention Directive (2002/58/EC).

In its judgment on July 17, 2015, the High Court said it had been told by solicitors for the applicants that the Stockholm Administrative Court of Appeals had referred on May 4, 2015 a question for preliminary ruling to the ECJ in the case Tele2 Sverige AB, asking two questions: 1) is a general obligation to retain traffic data covering all persons, all means of electronic communication and all traffic data without any distinctions, limitations or exceptions for the purpose of combating crime compatible with Article 15(1) of Directive 2002/58/EC [the E-Privacy Directive] taking account of Articles 7, 8 and 15(1) of the Charter? and 2) If the answer to question 1 is in the negative, may retention nevertheless be permitted where access by the national authorities to the retained data is determined as described below; security requirements are regulated as described below; and all relevant data are to be retained for six months … and subsequently deleted…..?”

The Stockholm court had noted that the parties had differing views as to how the ECJ’s  judgment in Digital Rights Ireland should be interpreted and wanted to know whether the ECJ carried out a weighted assessment in that judgment of the scope of retention and the provisions governing data access, period of retention and security.

The U.K. High Court added that the principles as stated in the case of Digital Rights Ireland were clear and it did not consider referring the present case to Luxembourg was likely to promote the uniform application of the law throughout the EU.  Moreover, it said that the ECJ typically took two years or more to answer a question referred for a preliminary ruling and it was unlikely that an answer to a reference made now would be received before DRIPA had expired, or (far more probably) had been repealed and replaced by a new statute. “Either way, the answer would have become academic.”[para.113]

The High Court concluded that the applicants were entitled to a declaration that Section 1 of DRIPA was inconsistent with EU law in so far as, firstly, it did not lay down clear and precise rules providing for access to and use of communications data retained pursuant to a retention notice to be strictly restricted to the purpose of preventing and detecting precisely defined serious offences or of conducting criminal prosecutions relating to such offences; secondly, access to the data was not made dependent on a prior review by a court or an independent administrative body whose decision limits access to and use of the data to what is strictly necessary for the purpose of attaining the objective pursued.

The applicants were not satisfied with the ruling and appealed to the U.K. Court of Appeal. On November 20, 2015 the Court of Appeal decided to refer the case to the ECJ for clarification.

In Joined Cases Tele2 Sverige AB v Post- och telestyrelsen and Secretary of State for the Home Department v Watson, on December 21, 2016, the ECJ rendered a landmark ruling by stating national legislation establishing a general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication, and imposing on providers of electronic communications services an obligation to retain that data systematically and continuously, with no exceptions, for the purpose of fighting crime, violated the right to privacy and the right to data protection. More specifically, Directive 2002/58 on privacy and electronic communications had to be interpreted in the light of Articles 7 and 8 of the Charter of Fundamental Rights of the European Union. Therefore, national legislation such as the U.K.’s DRIPA violated human rights law. Secondly, access by the competent national authorities to the retained data had to be restricted solely to fighting serious crime, with prior review by a court or an independent administrative authority, and the data concerned had to be retained within the EU.

With the further clarification provided by the ECJ, the case then went back to the U.K. Court of Appeal which gave its ruling on January 30, 2018.

Decision Overview

The U.K. Court of Appeal firstly pointed out that a considerable amount of time had passed since it had referred the question for preliminary ruling on November 20, 2015 and that, therefore there had been several developments since the ECJ’s ruling in the joined Tele2 and Watson cases , the most important of which was that Sections 1 and 2 of the Data Retention and Investigatory Powers Act (DRIPA) had been repealed December 30, 2016 and replaced by the Investigatory Powers Act (IPA). Moreover, on November 30, 2017 the Secretary of State had proposed amendments to the IPA which were intended to address the ECJ’s judgment in these proceedings. The proposed amendments regarded, among other things, the restriction, in the context of fighting crime, to “serious crime”, the need for prior review by a court or independent administrative authority for access to retained data, ex-post facto notification and the issue of retention of retained communications within the EU.

The Court said that it was correctly agreed among the parties that the ECJ judgment established that where the purpose of the legislation is the prevention, investigation, detection and prosecution of criminal offences, firstly, the access to and use of retained communications data should be restricted to the objective of fighting serious crime and, secondly, access to retained data should be dependent on prior review by a court or an independent administrative body.

Accordingly, and in view of developments since the ECJ’s ruling including a reference to the ECJ on whether its ruling applied to measures taken to safeguard national security, the Court considered it appropriate that any declaratory relief should be expressly limited to the application of DRIPA to fighting crime.

As for retention in the EU, the Court noted that the ECJ ruling referred to the requirement that national legislation governing the protection and security of traffic and location data was precluded “where there was no requirement that the data concerned should be retained within the EU”. However the respondent MPs in the current case had not argued for an absolute, unconditional ban on transfers outside the EU, only that DRIPA did not contain adequate safeguards against communications data leaving the EU. In light of the uncertainty, the Court decided not to provide a definitive statement on this issue in the form of a declaration.

The Court accordingly granted declaratory relief by stating that Section 1 of DRIPA was inconsistent with EU law to the extent that, for the purpose of the prevention, investigation, detection and prosecution of criminal offences, it permitted access to retained data: a) where the objective pursued by the access was not restricted solely to fighting serious crime crime; b) where access was not subject to prior review by a court of an independent administrative authority.