Data privacy battle plays out before European court

Just as surveillance and data privacy have become a focus of global attention, the European Court of Justice (ECJ) is this week examining an Irish challenge to the Government's data retention law requiring the long term storage of Irish citizens' call and internet data.

The hearing, held on Tuesday, starts the process under which the court will decide whether the European Directive on data retention (2006/24/EC) is legal, or should be struck down.

The directive underlies Irish data retention legislation, which requires that phone companies and internet service providers retain detailed data of customers’ phonecalls and email, as well as internet usage, for two years.

Whatever the outcome – which is unlikely to be known for up to six months – the Irish case will have significant implications for Irish citizens’ internet and phone privacy and potentially, for half a billion people across Europe as well.

The case, launched in 2006 and referred the the ECJ by the Irish High Court in 2012, comes weeks after US whistleblower Edward Snowden revealed the extent of the surreptitious gathering of call and internet data by the US National Security Agency (NSA) and Britain's GCHQ. This may, or may not, influence an opinion, but public and legislative awareness of the issues at stake has probably never been higher.

What happens
this week?
On Tuesday, the Grand Chamber of the European Court of Justice in Luxembourg heard two joined cases on the validity of the data retention Directive. One is a case brought by privacy advocate Digital Rights Ireland (DRI) against the Irish State. The second is a more recent, but similar case from the Austrian Constitutional Court.

Together, the two cases ask whether the European data retention directive is in conflict with articles of the Charter of Fundamental Rights of the European Union. The ECJ told the parties in the case that it would focus on articles 7 and 8, which address personal data, the right to private correspondence and general privacy principles.

There are 17 parties, including the solicitors for both cases, the European Parliament, the Council of Ministers, the European Commission, the European Data Protection Supervisor, and nearly a dozen other European countries.

Each party made a written submission in response to a set of questions from the ECJ. On Tuesday, each party also made a 10-15 minute oral submission.

What is the Irish case about?
Going under the lengthy title Digital Rights Ireland Limited v the Minister for Communications, Marine and Natural Resources, the Minister for Justice, Equality and Law Reform, the Commissioner of An Garda Síochána, Ireland and the Attorney General, the DRI case, brought by McGarr Solicitors, challenges the constitutionality, and the implementation, of Ireland's data retention legislation, both the Criminal Justice (Terrorist Offences) Act 2005 and the State's 2006 implementation of the European data retention Directive.

This legislation requires Irish mobile phone companies and internet services providers to monitor and store information about (but not the content of) every individual’s phone calls (and therefore location data), texts, internet access and emails, and store them for two years.

The European directive allowed States to choose a period of retention between six months (the maximum period argued for by Europe’s data protection commissioners) and two years. Ireland is one of a handful of countries that opted for two years.

When the case came before the Irish High Court, it referred it on to the ECJ for its opinion on the validity of the European directive itself, before continuing with the case back in the High Court.

What does each side say?
The Government and law enforcement agencies argue that electronic data for phone calls and internet use can contain important evidence and that retained data have provided critical evidence in numerous criminal cases.

The general justification for holding a wide range of data for an extended period is that law enforcement may need to go back beyond the most recent six months of data that companies may retain for business purposes.

A common defence offered is that, if people have done nothing wrong, they needn’t worry about their personal data being stored. And, the State and law enforcement argue that, having recourse to such data, helps improve national and European security.

DRI argues that gathering and holding data on every individual (including children), especially beyond the period companies are allowed for business purposes in data protection legislation, constitutes mass surveillance, and is a violation of privacy and human rights. Current Irish legislation also offers inadequate protections and safeguards, it says.

Much detail about a person’s activities and movements can be deduced when such data is looked at in aggregate, says DRI. In addition, it argues that large stockpiles of data encourage “fishing expeditions” for suspects, warning that the lack of context for such data means it is to easy for incorrect inferences to be drawn. This increases the potential for individuals who have done nothing wrong, to be targeted as suspects.

DRI says Irish and European data retention legislation breaches the European Convention on Human Rights and the EU Charter on Fundamental Rights.

Why did the case go to the ECJ?
DRI asked specifically that the High Court refer the case to Europe. The High Court agreed to do so in January 2012, on the basis that the case involved fundamental privacy issues.

The case, at its most basic, pits personal privacy, human and civil rights protections against the steps needed to provide national and international security. However, it isn’t an either/or case: the role of the ECJ is to consider whether the directive is proportional, and correctly balances these competing needs. For that matter, DRI, in its Irish case, clearly accepts the need for law enforcement to have appropriate access to electronic data.

In its questions sent to the parties in the case, the ECJ phrased the issue this way: “Did the European Union legislature achieve ... a proper balance of the requirements bound up with the protection of fundamental rights and the public interest objective at issue ... ?”

What happens next?
After this week's hearing, the ECJ will consider the submissions of the various parties. In the coming months, an advocate general will then write up a preliminary opinion on behalf of the court.

The ECJ may accept that opinion – and usually does – but it is open to it to overrule an advocate general’s opinion.

What are the possible outcomes?
There are two.

1) The ECJ could uphold the existing European data retention directive. The DRI case will then return to the High Court, which will determine whether Ireland’s specific implementation of data retention is constitutional.

Several other EU countries – including Germany, Romania and Hungary – have struck down their State’s implementation of the data retention directive.

2) The court could strike down the European directive. The High Court would still need to assess the constitutionality of Irish data retention legislation, but that legislation would no longer have the force or mandate of a European directive behind it.

Ireland, like many other EU countries, had its own data retention laws (passed in 2005) before the EU Directive existed.

If the EU directive is struck down, new legislation would almost certainly have to be drawn up because of its wide-ranging privacy impact and the need for law enforcement to have clear permissions to access data. If the High Court ultimately finds the Irish law is unconstitutional, then it too will be thrown out and new Oireachtas legislation will need to be prepared, for the same reasons.