In his famous book 1984, George Orwell wrote that “[h]e who controls the past controls the future”. Although the quote was made in a different context, it perfectly conveys the basic societal concern about any state surveillance. The state that controls sufficient data about past of its citizens, also controls their future. This powerful insight led many human rights activists to fight the Data Retention Directive and its national implementations all over the Europe. And although in a short run it will probably still take couple of years to entirely mitigate the consequences of this surveillance experiment, in the long run, it is important that the European highest “negative legislator” made such a strong statement on the privacy of Europeans. By doing this, the court greatly squashed the playing field of any future state surveillance legislation in Europe.
The decision of Digital Rights Ireland Ltd C‑293/12 & Kärntner Landesregierung C‑594/12 will be of course still subject to many diverging interpretations. From the first reactions of the scholars on the European blogs, it is already clear that two main issues will be debated. First, not everybody seems to agree that § 58 of the decision bans indiscriminate blanket data retention per se (without regard to any connection to threatening crimes). It is because some prefer to read conditions of the CJEU as a form of flexible “cooking recipe” rather than as a set of indispensable requirements. Second, some seem to question whether the Member States are at all bound by the decision in absence of any Union law on data retention. They argue that unless the European Commission will take a lead and attempt to enact a new legislation, the Member States will be left on their own to determine the its constitutional standards for such legislation.
I am convinced that the decision both bans the blank data retention of meta-data per se, and that Member States are indeed obliged to respect the human right standard set by Digital Rights Ireland also in their national laws automatically.
Blanket retention of meta-data
The CJEU in § 58 of the judgment states:
Directive 2006/24 affects, in a comprehensive manner, all persons using electronic communications services, but without the persons whose data are retained being, even indirectly, in a situation which is liable to give rise to criminal prosecutions. It therefore applies even to persons for whom there is no evidence capable of suggesting that their conduct might have a link, even an indirect or remote one, with serious crime. Furthermore, it does not provide for any exception, with the result that it applies even to persons whose communications are subject, according to rules of national law, to the obligation of professional secrecy.
This paragraph seems to be an indispensable precondition, because it is followed by an another paragraph that basically suggests how to proportionally limit such retention. The Court states that “whilst seeking to contribute to the fight against serious crime, Directive 2006/24 does not require any relationship between the data whose retention is provided for and a threat to public security and, in particular, it is not restricted to a retention in relation (i) to data pertaining to a particular time period and/or a particular geographical zone and/or to a circle of particular persons likely to be involved, in one way or another, in a serious crime, or (ii) to persons who could, for other reasons, contribute, by the retention of their data, to the prevention, detection or prosecution of serious offences”. It seems very unlikely that the Court would make an exact suggestion of this kind, if it would not perceive this condition as a crucial one.
Impact on the national laws
Some people argued that after the Directive was removed, the Union law also withdrew its “application tail” in the sense of Art. 51 of the EU Charter. This is, however, very supreficial and isolated reading. The Data Retention Directive was from the very beginning foreseen as a derogation from other acts of the Union's secondary law, in particular of the Directive 2002/58/EC and the Directive 95/46/EC. The former provides in its Art. 15 explicitly that “Member States may, inter alia, adopt legislative measures providing for the retention of data for a limited period justified on the grounds laid down in this paragraph. All the measures referred to in this paragraph shall be in accordance with the general principles of Community law, including those referred to in Article 6(1) and (2) of the Treaty on European Union.” [the articles refer to the EU Charter and Convention];
This means that Article 15 of the Directive 2002/58/EC allows the Member States to adopt a national legislation in some specific areas (protection of public safety, etc.), which do not need to comply with standards of the directive, but must at least satisfy the standards of the EU Charter and those of the Convention. Consequently, national legislation, which was adopted relying on this exception, still operates in the area determined by the Union's law and is subject to its "Charter” limitations. Therefore annulment of the Data Retention Directive, which was based on this exception, only returns us to the situation before its adoption, but with more clarified maximal admissible ceiling.
By repealing the Data Retention Directive, the Court of the Justice of the European Union thus not only invalidated a single act of Union's secondary law, but also defined the scope of discretion, that is granted to the Member States in case they decide to derogate from the Directive on privacy and electronic communications according to Article 15 (see for further arguments the opinion of EISi before the Slovak Constitutional Court). This reading seems to be endorsed also by scholars such as Steve Peers and Hans Peter Lehofer.
Besides, it cannot be ruled out, that CJEU will one day create a doctrine, where applicability of Article 51(1) of the EU Charter will be automatically (at least temporarily) retained in the cases, when the whole secondary act of the Union law will be (unusually) repealed ab initio (see prof. Peers, here). Otherwise, the Court risks, that in the areas, where there is no full harmonisation, from which the act would be only a derogation (as in the present case), the national law will have to “heal” the consequences of an unconstitutional directive, without the possibility of invoking Union's human rights standard. If the national human right standards won't provide any means or won't share the value judgement of the EU Charter, there can paradoxically be a situation, where Union's law at first „drags” the Member States into a non-conforming legislation, and then it cannot „set them free” in any other way, than by adopting a new secondary act, which will automatically broaden also the sphere of the EU Charter's application again.
Slovakia setting precedent?
On 23 April 2014, the Slovak Constitutional Court preliminary suspended effectiveness of the Slovak implementation of Data Retention Directive. It did so in a pending proceedings (PL. ÚS 10/2014), which was initiated by European Information Society Institute (EISi) with support of thirty Members of Parliament. Although the case has been pending before the Court since October 2012, the Court decided to issue this preliminary measure and accept the case for the further review only now. Preliminary suspension of effectiveness means that the retention laws are still formally valid, but have no legal effect until the Court decides on the merits of the complaint. The Court, however, suspended only provisions that are mandating data retention, while leaving other general provisions on access to those information intact for now. This means that providers of electronic communication will soon be free of any legal obligation to store data about users. Any storage of the meta-data of users will thus need to be limited to general regime of the Directive 2002/58/EC and the Directive 95/46/EC until the Court finally resolves the case. At the same time, however, already collected data will not need to be destroyed, and it stays open to interpretation whether providers may or may not disclose these past data to state authorities upon request.
Prof. Peers equated Digital Rights Ireland decision with civil rights judgments of the US Supreme Court on the desegregation of schools (Brown) or criminal suspects’ rights (Miranda). The judgment really is a great and historical victory, one which many Europeans fought a long time. And although it took us nearly decade to repeal the Directive, and it might take us yet another one to clean up the post-Directive mess in the Member States, the end result will be certainly worth such an effort because it will predetermine the face of the privacy in Europe for more than few decades.
The author of this blog post, Martin Husovec, is a Strategic Litigation Counsel at European Information Society Institute (EISi), an institution that fought the data retention in Slovakia; he is also IMPRS-CI Doctoral Research Fellow at Max Planck Institute for Innovation and Competition and currently a visiting researcher at Stanford Center for Internet and Society. He can be reached at husovec.eu.