The European Court of Justice has issued a preliminary ruling on a data retention case brought by UK MPs and privacy rights groups seeking to challenge the government’s data retention regime under DRIPA.
The advocate-general’s opinion, published today, suggests governments may be able to apply general metadata retention obligations without falling foul of EU law — but it sets the bar for doing so at combating serious crime, and places renewed emphasis on respecting fundamental privacy rights.
The AG’s opinion is not legally binding but is highly influential, feeding into the deliberations of the ECJ judges who will pass final judgement — and whose opinion will undoubtedly influence and shape European legislation in this area.
The UK’s much criticized Data Retention and Investigation Powers Act was passed as emergency legislation back in 2014 by the then coalition government, followed the ECJ striking down European data retention powers earlier that year. It includes a stipulation that telecoms companies retain their customers’ communications metadata for up to a year.
UK MPs including Labour’s Tom Watson and the Conservative’s David Davis successfully challenged DRIPA in the High Court, which last summer ruled the rushed legislation was unlawful under European law. Although the Home Office appealed that ruling, and the case was referred to the ECJ to request a judgement on whether DRIPA’s data retention regime is compatible with European law.
It’s worth noting that Davis has since withdrawn his name from the challenge — unsurprisingly so, given he’s since been appointed to a cabinet position under new Prime Minister Theresa May. (May was Home Secretary at the time of DRIPA, leading to the unusual situation of one of her new cabinet appointees having an active European legal challenge to her Home Office policies… A situation that clearly wasn’t compatible with Davis’ new role as Brexit Minister in May’s government.)
In his opinion today, the ECJ’s advocate general Henrik Saugmandsgaard Øe writes that:
He goes on to detail what would be necessary in order to meet his test of “strict requirements” — including that a general obligation to retain metadata “must be laid down by legislative or regulatory measures possessing the characteristics of accessibility, foreseeability and adequate protection against arbitrary interference”; and that it must “respect the essence of the right to respect for private life and the right to the protection of personal data” laid down by the European Charter of Fundamental Rights.
The objective of any data retention legislation must also be “in the pursuit of an objective in the general interest”, he writes.
However he specifies that combating any crime would not be a good enough justification in his view; rather the bar is set at “serious crime”:
“[T]he general obligation to retain data must be strictly necessary to the fight against serious crime, which means that no other measure or combination of measures could be as effective while at the same time interfering to a lesser extent with fundamental rights,” he adds.