Our research project MATIS stands for Making Transparent the Invisible Surveillance: Digital investigative measures in the EU and their compatibility with EU data protection law. This research project is carried out jointly by the VUB and the University of Luxembourg. It is funded by the Flemish Research Foundation (FWO) and the Luxembourg National Research Fund (FNR). The principal investigators of MATIS are Paul De Hert (VUB/Tilburg University) and Mark Cole (Uni.Lu). The researcher is Juraj Sajfert (VUB/Uni.Lu). The aim of the project is to carry out fundamental research that would measure the intrusiveness, reach and legality of four selected digital investigative measures. One of those measures is access by law enforcement authorities to data retained by telecoms (the other three being law enforcement access to: first, financial data in the Anti Money Laundering/Countering Financing of Terrorism; second, Passenger Name Records; third, subscriber information through production orders, which is the most debated one, and covered by extensive case-law of the Court of Justice of European Union (CJEU)).
In the end of 2021, we tested some of our project findings about data retention in a roundtable with leading experts in the field. In the meantime, new cases kept coming to the CJEU, without adding much clarity to the issue.
This blogpost discusses the main insights of the roundtable and updates them with the recent findings on data retention of the CJEU in G.D. v The Commissioner of the Garda Síochána, and Others (C-140/20).
1. The data retention roundtable
The roundtable debate, which took place in December 2021, dealt with an ‘ever returning’ issue, since the 2014 Digital Rights Ireland judgment annulling the Data Retention Directive – whether and how data can be retained for law enforcement access. Academics have been reflecting on the impact of the ruling (e.g. see this Study) but it must be recognised that there is no golden rule as far as the notions of transparency, proportionality and necessity are concerned. Therefore, the debate over the retention of communications data for fighting crime by law enforcement authorities persists. Law enforcement authorities are also extremely reluctant to be transparent about the actual use of the access to retained data. This makes assessing its fundamental rights compliance a far more complicated exercise.
The discussion in the roundtable focused on the judgment in La Quadrature du Net and Others. In particular, its implementation in France and its broad interpretation by the Conseil d’Etat, which seems to allow for the access to data by law enforcement authorities for any of the purposes falling under the concept of “national security” instead of limiting it to combating serious crime. The Conseil d’Etat thereby endorsed the French Government’s unusual argument about the prevalence of the French constitutional identity.
The roundtable also noted that the Belgian Cour Constitutionnelle followed a different approach when applying the same CJEU judgment and simply invalidated the national data retention legislation. However, the Belgian Government is preparing a new legislative proposal, focused on the exemption for targeted surveillance provided by the CJEU, concerning geographical zones. The Belgian DPA has already pointed out that by applying this criterion to Belgium, which is one of the most densely populated countries in Europe, actions of law enforcement authorities are going to result in de facto general and indiscriminate data retention. Therefore, while from the procedural point of view, the new legislative proposal might be in line with the case of law of CJEU, ‘in spirit’ it is pushing the boundaries of the prohibition of data retention. In Belgium, as elsewhere, there is no transparency of data concerning the practices of data retention (e.g. how is it processed, what is the location and traffic data). Only once this data is available, it would be possible to weigh into the debate of proportionality.
A final issue discussed at the Roundtable was how the constitutional courts of other EU Member States react to the development of the CJEU data retention case law. The Supreme Court of Estonia, for example, relied on the CJEU judgment in Prokuratuur and concluded that the evidence to the criminal proceedings was not admissible. Positive developments also took place in Cyprus, where the Constitutional Court, when faced with the evaluation of the national legislation, followed the approach of the CJEU extensively, despite a more lenient one taken by the Cypriote Supreme Court in 2018 with regards to national legislation for data retention. On the other hand, the Danish and the Spanish courts found their national data retention laws compatible with the EU law.
Overall, the roundtable concluded that the narrative pursued by law enforcement authorities that ‘more data is better’ remains anecdotal, and for that to change more data and structural changes are needed. The detailed information on how data retention is used by law enforcement authorities could be prepared only if law enforcement authorities receive professional support. This could bring more transparency. However, at the moment, there is no institution who could work with national prosecutors in order to prepare statistical data and scientifically validated reports supporting the law enforcement narrative. We could overcome this obscurity by including the principle of accountability in data retention laws, and in particular, the duty to collect data about its use. What is more, in order to sustain the authority of the CJEU data retention case law, the narrow interpretation of ‘prevention of threats to national security’ and the permitted use of general and indiscriminate data retention for that purpose will remain of outmost importance.
2. Case C-140/20 G.D v The Commissioner of the Garda Síochána, and Others
The relevance of the issues and approaches discussed at the roundtable became visible when the CJEU adopted another data retention judgment on 5 April 2022. This preliminary reference arrived from the Irish Supreme Court concerning the case G.D. v The Commissioner of the Garda Síochána, and Others (C-140/20).
The first group of questions of the referring court concerned the issue of whether general and indiscriminate retention of traffic and location data for the purposes of combating serious crime is allowed under EU law (Article 15(1) of the E-privacy Directive 2002/58, and Articles 7,8, 11 and 52(1) of the Charter of Fundamental Rights). It is not a surprise that, in this part of the judgment, the Court had to repeat itself a lot. It should have been clear by now, as also our roundtable showed, that the answer to this fundamental question is a categorical ‘no’. Nevertheless, the judgment offers two important clarifications. The first and biggest added value of the present judgment is that it makes is beyond doubt that different objectives of data retention, in particular the prevention of threats to national security on one hand and the fight against serious crime on another cannot be convoluted. Paragraph 100 states that ‘the national authorities competent to undertake criminal investigations cannot access [generally and indiscriminately retained traffic and location data for the purpose of safeguarding national security] in the context of criminal proceedings’. Hence, for the purposes of combating threats to national security the law enforcement authorities could access the data that have been lawfully retained for fighting crime, but they cannot, for the purposes of fighting crime, access the data lawfully obtained for combating threats to national security.
The second important contribution of the present judgment is the exhaustive list of permissible data retention measures in the fight against serious crime and serious threats to public security (para 101). The Court allows four such measures: targeted retention of traffic and location data; general and indiscriminate retention of IP addresses assigned to the source of an internet connection; general and indiscriminate retention of data relating to the civil identity of users; and instructing service providers to undertake expedited retention of traffic and location data (quick freeze).
In the second group of questions, the Court dealt with a much simpler issue. The referring court wondered whether access to retained data by police may be authorised by another, autonomous unit of the police, whose decisions are subject to judicial review. To answer the question, the Court simply had to summarise its previous case law, from which it is evident that access to retained data must be ex ante authorised by a judicial or an independent administrative authority, and in any event a body separate from the law enforcement authority requesting the access.
The third set of questions dealt with the admissibility of evidence collected under national data retention laws, which are deemed unlawful under EU law after the invalidation of the Data Retention Directive, and in the subsequent judgments of the Court of Justice. Again, the simple task of the Court boiled down to the repetition of its previous case law in deference to the procedural autonomy of the Member States (paragraph 127). This, however, does not allow national courts to limit the temporal effects of the invalidity of national legislation adopted in violation of EU law.
In conclusion, while our roundtable provided some alternative ways to bring about more clarity to the data retention issue, the CJEU keeps reinventing the wheel. The judgment in Garda Síochána simply structures better the findings of its previous judgments. One might wonder how long the data retention questions will keep coming back to Luxembourg. A quick glance at the pending data retention cases (such as C-350/21 from Bulgaria, C-470/21 from France, C-548/21 from Austria) suggests that the saga will continue.
27 June 2022