Lackadaisical approach to data privacy cannot last
European Court of Justice insistent that citizens are entitled to privacy protections
The Advocate General expressed a vigorous defence of personal privacy in the face of the “mission creep” of states and law enforcement agencies. Photograph: Getty Images/iStockphoto
People’s communications data cannot be gathered and held by governments without strong safeguards, firm time limits, transparent and vigorous oversight, and restrictions on how such data might be used.
These parameters for lawful data retention, given in the Advocate General’s opinion this week in a major privacy-related case before the European Court of Justice (ECJ), strongly reinforce that court’s landmark 2014 ruling in the case brought by Digital Rights Ireland against the Irish State.
They also, yet again, indicate the court is not for turning on its view that European citizens are entitled to significant privacy and human rights protections that bar governments and organisations from gathering, storing and sifting through large pools of digital data just because they are easy to collect and might at some point prove useful.
And, pointedly, the opinion begs the question of when our Government will get around to introducing legislation to replace Irish data retention legislation based on the overturned EU Data Retention Directive.
Yes, round and round we go, with the Government merely saying that the belatedly commissioned three-month analysis of the existing legislation by Justice John Murray has been extended without any specific deadline.
The lack of replacement legislation, especially so long after the most powerful court in Europe voiced its opinion, is at best lazy and neglectful. At worst, the delay poses serious consequences for the very type of case and conviction – “serious crime”, as the politicians have it – that appropriate legislation is intended to address.
This week’s opinion comes in two conjoined cases before the ECJ which query whether, within the DRI judgment, there is nonetheless legal ground to retain data within member states, and the scope states might have in doing so.
One, referred from Sweden, tackles the issue of whether one of the country’s communications networks had the right, in the wake of the DRI judgment, to refuse to retain user data any longer. The other, referred from the UK, asks whether member states may create their own data retention laws beyond the restrictions voiced by the court in the ECJ DRI decision.
The AG’s opinion is a close study of the issues in a given case before the ECJ and is produced as guidance to the ECJ but is not binding on the ECJ, which can take a completely different view.
However, in the vast majority of cases, an ECJ ruling follows the AG’s opinion, and often, as in the DRI case, goes even further. The court might be especially inclined to align with the AG in these conjoined cases that directly seek clarification of the intent of their own DRI ruling.
Especially when that ruling minced no words and expressed a vigorous defence of personal privacy in the face of the “mission creep” of states and law enforcement agencies. Surely relevant, too, is that the UK government in particular has enacted data retention laws that give broad powers of retention and access, with some of the most trivial restrictions and safeguards of any country, anywhere. That’s even before you consider the secretive snooping powers of the UK’s Government Communications Headquarters (GCHQ).
Under the set of UK data retention laws considered in the current case – supposedly enacted to combat serious crime – even local authorities can access and use communications data for the pettiest of crimes, such as failing to clean up dog poop.
Our Irish legislation had so few limitations that former Irish data protection commissioner Billy Hawkes once gave the example of a cyclist in the Phoenix Park travelling without bike lights but seen talking on a mobile. Because cycling without lights is a crime, gardaí could request the call records on every individual using a phone at that time within a wide radius of the Phoenix Park.
The AG’s opinion this week will offer little solace to those in Government and law enforcement who had hoped that the DRI ruling might be just advisory and aspirational but not binding on member states (though post-Brexit, it might cheer those in the UK who want more power to snoop, as the AG’s opinion would make aspects of the UK’s proposed “Snooper’s Charter” – Theresa May’s controversial investigatory powers Bill – unlawful).
According to the AG, the DRI judgment imposes safeguards and rights that exceed those framed in the EU Charter of Fundamental Rights alone.
States cannot create data retention regimes that go beyond the safeguards outlined in the DRI ruling, not even if they try to claim exemption on the grounds of “national security”.
And, as DRI chairman TJ McIntyre noted in a series of tweets, the opinion endorses that data only be accessed in the specific context of fighting serious crime, when of “strict necessity”, and according to the restrictions voiced in the DRI judgment.
“Very important indeed: treats all safeguards noted in DRI as mandatory,” he tweeted.
In the ECJ’s recent important privacy cases, the court has given its ruling shortly after the AG’s opinion is issued. Assuming that happens and the court echoes the AG’s opinion, the Irish Government will have no excuse to continue its lackadaisical approach to introducing lawful data retention legislation that meets the court’s strict guidelines.