DATA RETENTION

AG Opinion on compatibility of with EU law

On 19 July 2016, Advocate General Henrik Saugmandsgaard Øe issued a non-binding opinion (‘Opinion’) that a national obligation on communications providers to retain data relating to electronic communications may be compatible with EU law, subject to certain strict safeguards. In particular, the legislation must be accessible and the obligation must respect the essence of the right to respect for private life and the right to the protection of personal data. However, it can only be lawful if it is necessary to fight serious crime, and it must be proportionate. Rohan Massey, Partner at Ropes & Gray LLP, discusses the Advocate General’s Opinion and the background to the case.

Background

In its judgment in Joined Cases C-293/12 and C-594/12 Digital Rights Ireland, the Court of Justice of the European Union found that the Data Retention Directive (2006/24/EC) (‘Directive’) was invalid. The Court of Justice of the European Union (‘CJEU’) found that the Directive amounted to a wide-ranging and particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data, without that interference being limited to what was strictly necessary.

Since then, Member States have moved to introduce national legislation allowing for data retention. In the UK, this took the form of the Data Retention and Investigatory Powers Act 2014 (‘DRIPA’), which the UK Government announced it was introducing as emergency legislation in July 2014. DRIPA replaced the Data Retention (EC Directive) Regulations 2009, under which domestic companies can be required to retain certain types of communications data (but not the actual content of a communication) for up to 12 months, so that this may later be acquired by law enforcement and used in evidence. DRIPA also clarifies that anyone providing a communications service to customers in the UK, regardless of where that service is provided from, should comply with lawful requests made under the Regulation of Investigatory Powers Act 2000.

The Conservative MP, David Davis (now the Brexit minister), and the Labour MP, Tom Watson, subsequently brought judicial review proceedings challenging the validity of DRIPA as being contrary to EU law, as expounded in Digital Rights Ireland. The High Court found that Section 1 of DRIPA, which empowered the Secretary of State to require telecommunications companies to retain communications data for various purposes, was unlawful. The Secretary of State appealed the High Court decision and the Court of Appeal referred two questions to the CJEU. The questions concern whether, in Digital Rights Ireland, the CJEU had intended to lay down mandatory requirements of EU law with which the national legislation of Member States must comply, and whether it had intended to expand the effect of Articles 7 and/or 8 of the EU Charter of Fundamental Rights beyond the effect of Article 8 of the ECHR, as established in the jurisprudence of the European Court of Human Rights.

At present, there is also a Swedish case before the CJEU concerning the general obligation imposed in Sweden on telecommunication service providers to retain data relating to electronic communications. In that case, the Swedish telecommunications provider, Tele2 Sverige, following the decision in Digital Rights Ireland, notified the Swedish post and telecommunications authority that it had decided to cease retaining data and proposed deleting the data already retained. Swedish law currently requires providers of electronic communication services to retain certain personal data of their subscribers.

In both the Swedish and the UK cases, the CJEU is essentially being asked to consider whether a general obligation to retain data is compatible with EU law, in particular the e-Privacy Directive (2002/58/EC) and the EU Charter of Fundamental Rights (‘Charter’).

Opinion

The Opinion acknowledges that Member State laws imposing retention obligations on communications providers may be useful in fighting serious crime, such as terrorism, but that the retention of such big data poses “grave risks” to individuals’ rights, which must be addressed by examining the necessity and proportionality of such obligations and balancing such risks against individuals’ rights to privacy and data protection. This means that Member State laws obliging such data retention may be compatible with individuals’ fundamental rights under EU law, only where there are certain strict safeguards in place. However, the Opinion clarifies that it is up to national Member State courts to determine whether such safeguards have been met.

The Advocate General notes that both UK and Swedish retention laws require communications

12 Cyber Security Law & Practice - August 2016 DATA RETENTION

providers (e.g. telephony, electronic messaging and internet service providers) to retain data enabling the identification and location of the source and destination of communications, as well as the time, date, duration and type of each communication and the equipment used (but not the content of the communications themselves).

The Advocate General dismissed the notion that national data retention obligations should be excluded from the requirements of the e-Privacy Directive given that such obligations are intended to only grant access to communications data by police or judicial authorities for the purposes of public security, defence, state security and state activities in areas of criminal law. Instead, given that inter alia the e-Privacy Directive directly provides for the possibility of Member States adopting legislative measures for the retention of data for a limited period, such obligations must fall within the scope of the e-Privacy Directive.

However, as above, the Advocate General opined that national Member State laws can be interpreted as being consistent with the e-Privacy Directive and the Charter, provided the retention obligation:

1) has a legal basis - this means that the retention obligation must be enshrined in legislative or regulatory measures (i.e. not case law, nor non-binding codes or guidelines etc.) which are adequately accessible and foreseeable (i.e. sufficiently precise to enable individuals to regulate their conduct), and must also provide ‘adequate’ protection against arbitrary interference and clarify the scope and manner of exercise of the powers granted to the relevant authorities;

2) observes the essence of the rights enshrined in the Charter - this means the essence of the rights to respect for private life and to protection of personal data should not be adversely affected. The Opinion sets out that this condition is likely satisfied in the present case given that the UK and Swedish retention obligations do not extend to the actual content of communications and equivalent safeguards are implemented in respect of any personal data retained under the current EU data protection regime;

3) pursues an objective of general interest recognised by the EU - the Advocate General held that whilst the fight against international terrorism and serious crime in order to safeguard international and public peace and security would both constitute objectives of general interest to the EU, combatting ‘ordinary’ (as opposed to ‘serious’) offences and the smooth conduct of proceedings other than criminal proceedings, were not;

4) is appropriate and strictly necessary to achieve that objective - the Advocate General determined that a general retention obligation could be appropriate on the basis it would be liable to contribute to the fight against serious crime (primarily because of the utility of being able to examine the past by consulting data retracing the history of communications of certain individuals (even before they are suspected of being connected with a serious crime)). As to necessity, the Advocate General held that a measure would only be strictly necessary if no other measures existed that were at least equally appropriate but less restrictive, and provided the retention obligation imposes certain safeguards. Such safeguards, according to the Advocate General, broadly include that: (i) access and use of retained data must be limited to the recognised objective (i.e. preventing, detecting and conducting criminal prosecutions in respect of serious crime); (ii) access to retained data must require prior review from a court or independent administrative body which seeks to limit access to, and use of, the retained data to what is strictly necessary (and where, in circumstances of extreme urgency, access is granted without such a review having taken place, an ex post facto review must be undertaken without delay); (iii) the retained data must be held by communications providers within their relevant national territory; and (iv) retention periods must be based on objective criteria to limit retention of such data as is strictly necessary and provide for its complete destruction when no longer needed; and

5) is proportionate, within a democratic society, to the pursuit of that same objective - according to the Advocate General, this means that the serious risks engendered by the retention obligation, in a democratic society, must not be disproportionate to the advantages which it offers in the fight against serious crime. The Opinion highlights that the retention of communications data risks interfering with individuals’ rights, most of whom will never be connected in any way to serious crime, and explains that such retention may also seriously increase the risk of profiling and ‘cataloguing’ of the entire population of a country, which could have a detrimental effect on individuals (whether or not content data is retained) and is potentially open to abuse. However, the Opinion makes no comment as to the UK and Swedish regimes in this respect - instead (as with each of the other conditions), it leaves it up to the courts of the relevant Member


States to determine compliance with this condition.

Comment

DRIPA actually expires at the end of 2016, to be replaced by (the UK Government hopes) the Investigatory Powers Bill (‘Bill’), the second version of which was laid before Parliament on 1 March 2016, amidst continued criticism from industry. The Bill, which has already passed through the House of Commons and is currently at Committee stage in the House of Lords, sets out the powers available to the police, security and intelligence services to gather and access communications and communications data, bulk personal datasets and other information in the digital age, subject to what the Home Office calls, ‘strict safeguards and world-leading oversight arrangements.’ It replaced the first version of the Bill introduced by the UK Government in November 2015, which the UK Government said responded to the concerns raised by various parties at that time. However, industry was still sceptical, with the Internet Services Providers’ Association (‘ISPA’), expressing disappointment that the Bill had been fast-tracked, and the News Media Association commenting that it still did not include adequate safeguards to protect journalists’ sources.

The ISPA responded to the Advocate General’s Opinion by saying that it raised “serious questions about UK data retention legislation.” ISPA’s Chair, James Blessing, said that the Opinion “calls into question some aspects of the Investigatory Powers Bill.” He called on the Home Office to “ensure the legal framework around data retention is fully compliant with the final court judgement. It is vital to give industry certainty on what the rules are, maintain user confidence in online services and avoid another round of lengthy legal proceedings,” he said.

As for Brexit, even if the UK does not become part of the EEA, it will not be able to ignore CJEU rulings on the lawfulness of data retention rules within the EU as these will impact on the EU’s assessment of the adequacy of data protection safeguards in the UK. Failure to match the EU’s adequacy requirements will likely undermine the UK’s ability to trade with the Single Market and individual EU countries.

In contrast to the EU’s approach to legislating retention of telecommunications data, the United States does not have any mandatory data retention laws similar to the former Data Retention Directive. Furthermore, the US Constitution does not afford the same protections as the Charter’s right to respect for private life and right to protection of personal data. Thus, with the absence of any data minimisation or retention requirements, US telecommunications companies are free to retain data voluntarily.

The United States has enacted its own legislation to allow law enforcement access to telecommunications information. Notably, in 1994 the US enacted the Communications Assistance for Law Enforcement Act (‘CALEA’), which requires telecommunications providers to adapt their technology to ensure the ability to comply with law enforcement surveillance requests. CALEA amends the Electronic Communications Privacy Act (‘ECPA’), effectively allowing law enforcement to wiretap telephone, broadband and VoIP traffic and access stored communications. Unlike the EU laws, the ECPA permits law enforcement to access the content of the communications, but only if certain procedural safeguards are met, such as the provision of a subpoena, court order, or search warrant.

Further, the US intelligence community has broader powers to conduct surveillance on foreign powers and agents of foreign powers suspected of espionage or terrorism under the Foreign Intelligence Surveillance Act (‘FISA’). FISA enabled US intelligence agents to obtain electronic surveillance to collect foreign intelligence from a suspected foreign power for up to one year without a court order upon issuance of an order by the US Attorney General’s office showing the gaining of foreign intelligence information was the ‘significant’ purpose of the surveillance. The information collected without a court order can include telecommunication system metadata, which is not considered communications data under US law. Telecommunications companies have the ability to challenge FISA surveillance orders in a closed FISA court. The information collected under FISA could be used for interdiction or to develop the probable cause necessary to support an arrest warrant, but could not be used as criminal evidence.

Rohan Massey, Partner
Ropes & Gray LLP, London

The author would like to acknowledge the assistance of his colleagues Robert Lister and Matthew Coleman in the preparation of this article.
