The Wall Street Journal headlines: “EU Court Opinion: Data Retention Directive Incompatible With Fundamental Rights”. The Opinion is strong, but in fact not yet an outright victory to privacy and civil liberties. The jury is out: the Opinion is a non-binding, but influential advice to the E.U. Court, that will deliver its final judgment come next spring. Now is a perfect moment to analyze the Opinion, as well as the institutional politics of the E.U. Court — critical in understanding the two-tier approach to surveillance and fundamental rights in Europe. The two-tier approach converges, after 60 years, when the E.U. accedes to the European Convention of Human Rights anytime soon. Amidst the Snowden revelations, these are the fundamental legal developments that will ultimately answer the question whether European law can end mass surveillance.
Apart from covering the Opinion, I feel it’s necessary to explain the two-tier approach to European fundamental rights law and surveillance policies. I’ve been to loads of conferences, talks, discussions and meetings in the last couple of months on surveillance in the U.S. and in Europe, where the complicated institutional nature of the E.U. is often misrepresented even by top U.S. lawyers. Exacerbated by the Snowden revelations, it’s essential to understand the institutional peculiarities of the E.U. and the Council of Europe, which often is the root cause for flawed and privacy intrusive E.U. laws, and clichés about “Europe” here in “America” (of course, clichés exist in the other way too). Data retention is the case in point.
Some background and history on the Data Retention Directive
Visiting from Europe, you always know that U.S. colleagues will seize any moment to confront you with the controversial E.U. Data Retention Directive (‘DRD’). Rightly so — the DRD obliges all European conventional telecoms and internet access providers to retain subscriber- and metadata of all their customers. For poorly defined intelligence and law enforcement purposes, any period between six months and two years. Within those broad parameters, E.U. member states get to decide decisive details such as exact retention periods, access criteria and use purposes.
Since the 90’s, long before 9/11, U.S. and U.K. authorities have continuously lobbied E.U. institutions and Member States to adopt data retention legislation, but it took the tragic London and Madrid events to get majority support in the E.U. for the DRD. Adopted in 2006, it took only three months to race the DRD through all E.U. institutions; (one of) the fastest adoption(s) in the long history of E.U. lawmaking. A clear case of policy laundering: what many Member States couldn’t achieve at the national level, was raced through at the E.U. level — even though all experts could tell you the DRD would hardly be effective, as web-based services to communicate don’t fall within the scope of the obligations. The outcome was a hastily drafted and, according to the Opinion, unconstitutional DRD in its current form.
The Opinion – intrusiveness of metadata, data collection a privacy harm, data retention possibly allowed coupled with stricter safeguards, fascinating political choices
I can’t provide a comprehensive summary here, but the Opinion (full text) appears a mixed bag from a privacy perspective. On the plus side, the Opinion recognizes that metadata is a “special personal data” category (s.65, meaning: deserving more protection than personal data). Metadata establishes “a both faithful and exhaustive map (…) or even a complete and accurate picture of his private identity” (s.74), the privacy interference/harm starts further “upstream” (s. 65), serving as “multiplier” (s. 73) given the central role of electronic communications in our private and professional activities. In addition, data collection in itself is surveillance and a privacy interference/harm; no access without collection, it’s an “intimate relationship” (s.121-124). These are all observations the entire privacy and security community has been screaming from every rooftop for years. And in this respect, the Opinion strikes directly against positions U.S. authorities and politicians take after the Snowden revelations.
OK – now keep in mind for a minute an extremely relevant detail: for the good part of the Opinion, findings about the “particularly serious” privacy interference/harms of data retention are based on quite strong European Convention of Human Rights (‘ECHR’) case-law of the Council of Europe (not the E.U.!).
What appears to be less favorable to privacy, but is already a great outcome for the digital rights coalition that filed the case, is that the Opinion outlaws this DRD. The Opinion seems to allow for a much stricter data retention laws coupled with safeguards in the law itself, such as a shortened retention period, access criteria and narrow use purposes. Here, the Opinion grounds its arguments in the interdependence of collection and data, as well as a ‘quality of law’ proportionality test of art. 52 of the E.U. Charter (not the ECHR!). The Opinion also mentions that it’s hardly possible for a Court to assess the privacy interference/harm without such safeguards in place (s.121), in fact opening up for future lawsuits.
So here’s the central, essential question: why has the Opinion used ECHR case-law for assessing the privacy interference/harm of data retention (art. 8 ECHR), but not for weighing in on the justification of the surveillance measure? Why the E.U. Charter ‘quality of law’ test, instead of the famous ECHR test whether a privacy interference/harm is ‘necessary in a democratic society’ (art. 8 ECHR)? The Opinion seems to favor a cautious, political approach, based in earlier case-law (of the E.U. Court!): broad discretion for the E.U. legislator, a marginal proportionality test for the E.U. Court (s.96). You might say, disappointing from a fundamental rights perspective, but this is exactly where fascinating political choices behind the Opinion emerge.
The E.U. and the Council of Europe – Europe’s two-tier approach to privacy and surveillance
The E.U. Court in Luxembourg is an entirely different entity than the European Court of Human Rights in Strasbourg (‘ECtHR’). The former is an E.U. institution, overseeing whether its 28 Member States comply with the E.U. treaties. Until 2009, the E.U. was first and foremost an economic union. The ECtHR of the Council of Europe, on the other hand, oversees the ECHR fundamental rights obligations of 47 Member States — including Russia and Turkey. The Council of Europe is a fundamental rights union established post World War II, and the ECHR is in fact celebrating its 60th birthday this year.
The ECtHR has since the 1950s developed strong case-law of state intrusions on the private life of citizens and organizations, against both the state and against other individuals/organizations. I’ve heard so many times here in the U.S. that “Europe regulates privacy for the private sector, but not the state” — an understandable but questionable viewpoint if you know your E.U. laws, and certainly false with regard to the Council of Europe Conventions.
Until 2009, the E.U. Member States controlled surveillance policymaking. The E.U. treaties gave hardly an inch of space for purely E.U. institutions such as the E.U. Parliament, E.U. Commission and E.U Court to regulate surveillance practices — the DRD was adopted under the reason of a level-playing field for telecoms and internet access providers. It left all the juicy details on retention periods, access and use for Member States to decide in national implementation laws (s.121 Opinion). The previous E.U. Court ruling on data retention of February 2009 [pdf of summary] did not yet rule on the fundamental rights aspects of data retention, precisely because of these dynamics (s.42 Opinion).
The 2009 case was started by Ireland and supported by the UK, because those governments wanted even longer retention periods that two years, which the E.U. Court denied on grounds of obstructing a level-playing field for industry across the E.U. – an economic rationale, nothing privacy back then. In other European nations, particularly those formerly under the Warschau Pact, data retention is fiercely resisted until this day. But E.U. membership forces DRD implementation, something the Opinion explicitly sees as problematic (s.46). Six countries have challenged the national law implementations of the DRD in their national Constitutional Courts. These cases have without exception led to court rulings withdrawing the national law or outlawing the principle data retention altogether. So next to Europe’s two-tier approach, the national level also has a huge influence. You see, generalizations about “Europe” usually fail.
The 2009 E.U. Treaty of Lisbon presents a paradigm shift: the E.U. institutions also have ‘competence’ in law enforcement policies, not in national security, which remains a Member State affair. In E.U. Court terms, four years is like yesterday, and as a consequence, until this day the E.U. Court has hardly any case-law on regulating surveillance, even though the ECtHR has.
The E.U. Lisbon Treaty also obliges the E.U. to accede to the ECHR. This would create a single European fundamental rights space, and strengthen fundamental rights obligations in E.U. policymaking fundamentally. The E.U. would be a more perfect Union, as they say. Negotiations started on 7 July 2010, a draft was negotiated on 5 April 2013 and as we speak, the E.U. Court of Justice is preparing a historical Opinion on the draft. The same Court, that is to finally rule on the DRD in the spring.
The Opinion amidst political sensitivities – and what’s next
And that’s why the DRD Opinion is fascinating. Amidst accession to the ECHR, The DRD case is one of the first moments in E.U. history that the E.U. Court can show how much it cares about fundamental rights in the E.U. Data retention could not be a better test case, as the DRD has clearly been the most controversial surveillance law ever adopted in the E.U.
So why is there no reference to the ‘necessary in a democratic society’ test of ECHR case-law in the Opinion? Here’s a possibility. The Advocate-General who drafted the Opinion, Cruz Villalón, throws the ball way up in the air with strong wording about the seriousness of the privacy interference/harm, but instead of smashing the ball home with ECtHR case-law plays it safe with E.U. Court case-law. It’s partly political: whether to smash the ball home is for the final E.U. Court to decide.
There has been one similar case before the E.U. Court, the Scarlet/Sabam case, on the legality of deep packet inspection filtering of all internet traffic for copyright purposes. Here, the very same Advocate-General Cruz Villalón drafted an Opinion based on E.U. case-law, and the Court decided to go much further, and outlaw the nuclear antithesis of privacy requested by the copyright industry (for various reasons, see s.47-53). Now the E.U. Court has a both more difficult and straightforward case to crack than with Scarlet/Sabam, at a time when metadata surveillance for law enforcement and intelligence purposes is frontpage news, every day.
The complicating paradox is, of course, that the real possibility of a limited new data retention directive (say, 6 months retention, strict access and use criteria, strong data security, etc.) would be a win for U.K. citizens — in practice it could be a data erasure directive that would return to the ground rule of the E-Privacy Directive that metadata should be “deleted or anonymized as soon as possible, unless”. While on the other hand, any data retention directive could be a bad outcome for citizens in Germany, Romania, Hungary, Austria, the Czech Republic, Cyprus (the countries with successful constitutional challanges to national data retention implementations).
Amidst other court cases launched in reaction to the Snowden revelations that will end up at the ECtHR, amidst institutional politics at the E.U. Court, amidst a two-tier but converging European fundamental rights space, there’s loads of interesting developments that might one day end mass surveillance in Europe.
Of course, the jury is still out.