Based in reality?
The GD judgment and CJEU case law on data retention give the impression of vindicating privacy rights under the EU Charter, argues Aisling Kelly. However, the CJEU’s suggested pathways fail to offer a real rule-of-law-based approach to this thorny issue.
The European Court of Justice delivered judgment in GD v Commissioner of An Garda Síochána & others on 5 April 2022. There were no major surprises. Some minor scuffles in relation to procedural law, and a shot across the bow of the French Conseil d’État, but really it was all over, bar the shouting.
The judgment confirms earlier case law (see La Quadrature du Net & Others) on the point that widespread and indiscriminate retention of mobile-phone data for the purposes of investigating crime is contrary to European law.
The judgment confirmed that there could be instances where retention of data would be permissible for the investigation of serious crime. Primarily, the court advanced two suggestions where this might be possible:
- Targeted retention of data per geographical area or category of persons (see paragraph 67). The idea here – and it is currently in draft legislative format in Belgium and finalised law in Denmark – is that a member state designates an area that is statistically prone to crime and allows a net to be cast over that area for a limited period of time, say 12 months. That time period can be extended. The idea is that if you live, work, or wander into that area, your data on your mobile phone or device is capable of being scooped up through the wonders of technology.
- Expedited retention or the ‘quick freeze’ of data retention. The idea here is that the police obtain intelligence that a crime is about to be committed in a certain area, and can then apply to one or many telephone companies, internet-service providers, or one of the many other apps that retain data about your location. This is a phenomenon not unknown in modern policing. In the US, the use of a ‘geo-fence’ warrant is the idea that after the commission of an alleged crime, the police draw a box on a map around the crime scene and look for all the data of the devices that were geolocated to that box. It is incredibly privacy intrusive, and only capable of being actioned by companies like Google, who store highly accurate location data. (More on these ideas below.)
So, a win for privacy rights?
Well, yes and no. What the court cannot do is to ban widespread and indiscriminate data retention simpliciter. It is still possible to retain data for certain periods, once done in accordance with the GDPR and the ePrivacy Directive for a set business purpose – for example, financial billing records for various time periods.
The case law is about who may access that data. The CJEU has made it clear it does not believe that state law-enforcement agencies should access it. However, what it cannot do is to prohibit state agencies accessing it for the purposes of national security. The reason is that the area of national security is outside the competence of EU law under the Lisbon Treaty.
It means that member states have the power to regulate the laws around national security as they see fit, according to their own constitutional law. Therefore, you have an incongruous situation where national authorities may use retained data for the investigation of national security events, but not for criminal matters.
This distinction between national security (being outside the competence of EU law) and law enforcement (inside the competence of EU law) is one only capable of making sense to an EU lawyer. In fact, Attorney General Paul Gallagher went so far as to say it would undermine public faith in EU law.
The proposition that threats to national security can be investigated with recourse to a deeper bucket of evidence – but serious crime cannot – is difficult to reconcile. The space between national security and serious crime is very blurred, especially in this age.
The CJEU talked about “national security protecting the essential functions of the State … through the prevention and punishment of activities capable of seriously destabilising the fundamental constitutional, political, economic or social structures of a country”.
Think about what that could be – online misinformation, organised criminal-gang activity, economic cartels, targeted cybercrime at critical infrastructure (like, say, the HSE), or election interference. These are all arguably instances that would satisfy the ‘national-security’ test (paragraphs 63, 64).
Defence of the realm
Take, for example, a bomb threat. That could be regarded as a threat to national security, or it could be regarded as an attempted murder of a group of individuals. Of course, one murder (as was the case in GD) is almost entirely unlikely to ever be regarded as a threat to national security.
Does this enhance EU citizens’ privacy rights? Or does it invite member states to recategorise singular investigations, or declare the country to be in a general state of elevated national security so that their agencies may avail of blanket access to electronic data in criminal investigations? The latter is certainly the option that many believe France has taken. The GD judgment was clear that the French approach was living on borrowed time.
The judgment may also counter-intuitively act as an incentive for member states to introduce national legislation on checks relating to the identity of people buying phones or accessing the internet. The court made it clear that this was allowed for the purposes of criminal investigation (paragraph 73).
One also has to bear in mind that the European Electronic Communications Code will allow EU member states to recategorise their surveillance laws to include electronic communication services previously outside the scope of intercept law. So, law enforcement in various member states may be allowed access to prospective data of your calls, emails, and messages in the investigation of crime – but not access to retained data. This law is also hugely privacy invasive.
Lastly, while not linked to the GD judgment, there are multiple ways in which people’s data is hoovered up, retained, sold and misused. The very existence of data brokers should be enough to wake us all up to our online behaviour. The fact is that data is retained, and sold, as a commodity. One may regard the ubiquity of data-harvesting to be a larger threat to privacy than time-limited retention of data for law-enforcement purposes.
Blunt tool
Nobody likes the idea of being under constant surveillance. And, of course, that is why privacy-aware people will turn off their location settings, use non-tracking web browsers, VPNs, and not visit websites like the Daily Mail! The CJEU knows this. The judgment (paragraph 46) points out that, just by retaining data, there is a risk of abuse and unlawful access. One has to agree. However, there are more meaningful ways to protect privacy rights, rather than this convoluted dance that the CJEU has proposed.
The member states argued that, instead of prohibiting the retention of widespread and indiscriminate data, proper safeguards should be introduced to address privacy concerns – for example, tight time limits and meaningful judicial oversight on the granting of the orders relating to digital evidence.
What is truly ‘meaningful’? For starters: a proper hearing, on notice to a target of the investigation, with the use of the in camera rule to be the exception, and a proper audit of the system by a board made up of privacy, law-enforcement, and human-rights experts. Mandatory transparency reporting from all state agencies would also go a long way towards ensuring that there was proper civil-society oversight.
Reality bytes
It is a deep shame that the rules on procedure within the CJEU do not allow for the court to hear evidence from experts before delivering judgment. The EU institutions invest heavily in the process of hearing from the public and subject-matter experts before any new legislation is drafted. So, too, do most national parliaments.
The issue with the data-retention line of case law is that no one has told the CJEU what is – and what is not – possible. In fact, Naomi O’Leary, an Irish journalist who was in the Grand Chamber and live-tweeted the hearing, made reference to a counsel stating that this information is available “at the press of a button”. This is just not factually accurate. And, in addition, no one contradicted this inaccuracy.
The two suggested pathways are unworkable.
The geographically limited retention idea is based on a misunderstanding as to how mobile devices capture location data. Yes, in theory, it may be possible to obtain IP addresses from some of the internet-enabled devices within an area. But in order for it to be possible, the area would have to be large, say, for example, a city. Additionally, it will not capture the location of people using a VPN or other obfuscation technology on their phones. It won’t capture devices that are not internet enabled.
The geographic-targeted retention of data is the equivalent of a sieve for law-enforcement purposes. It is not possible to capture data by flicking on a switch once someone walks past an invisible fence. In order to capture some users’ data, you must capture all users’ data. So, how is this any more protective of EU Charter rights?
The second proposal is equally misconceived. The idea that a law-enforcement agency can decide to request a ‘quick-freeze’ presupposes that it has the ability to identify all of the mobile-phone networks, internet service providers, and other tech providers in a particular location – and request them all to capture all of the users in a particular area, for a particular time, at the drop of a hat.
The EU has 27 member states and hundreds of thousands of police officers capable of submitting criminal orders for data. The technology providers do not have interoperability with each other. There is no central authority for the mobile-phone networks, the ISPs, and the million other apps on your phone that collect location data. How is that possibly going to work in real life? It is entirely unworkable from a practical perspective.
The GD judgment and CJEU case law on data retention in the sphere of law enforcement do not do what they set out to do – that is, protect the privacy of EU citizens. They suggest pathways that are based on poor understanding of technology, while also counter-intuitively inviting member states to introduce legislation to track the identity of mobile-phone users as a way around this conundrum.
If the CJEU were really interested in protecting EU citizens’ privacy rights within law enforcement, it would pay more attention to remedying the original complaint of these data-retention laws – that is, inappropriate judicial oversight – and less attention to designing pathways seemingly based on fantastical episodes of CSI.
Aisling Kelly
Aisling Kelly is a barrister working in the area of law enforcement, national security, and technology.