On November 20, 2015, the Court of Appeal reversed the Divisional Court’s Order of July 17 invalidating section 1 of the Data Retention and Investigatory Powers Act 2014 (DRIPA). The Divisional Court had applied the Judgment of the European Court of Justice (CJEU) in Joined Cases C-293/12 & C-594/12, Digital Rights Ireland and Seitlinger and Others (Apr. 8, 2014) (“Digital Rights Ireland”) to find that sec. 1 of DRIPA violates EU law insofar as it does not make combating serious crime the only legal purpose for government access to communications data that telecommunications providers are required to retain, and does not establish “clear and precise rules” strictly limiting government access to that purpose. Further, EU law is violated in that sec. 1 of DRIPA does not require “prior review by a court or an independent administrative body … limit[ing] access to and use of the data to what is strictly necessary for the purpose of attaining the objective pursued.” Judgment of the Court of Appeal, para. 2.
In reversing the Divisional Court, the Court of Appeal provisionally opined that Digital Rights Ireland does not impose any mandatory requirements on the legislation of EU Member States. Instead of issuing a decision, however, the Court of Appeal referred the question of the effect of Digital Rights Ireland to the CJEU.
Digital Rights Ireland’s failure to impose mandatory requirements
The Court of Appeal stressed that the issue in Digital Rights Ireland was whether the EU Charter of Fundamental Rights was violated by the Data Retention Directive (Directive 2006/24/EC) requiring Member States to adopt laws requiring that communications data be retained for the purpose of combating serious crime. Due to the differences in context, the vices that the CJEU found in an EU-wide directive could not be translated into specific requirements for the data retention laws of individual states. Although the Judgment did articulate principles and “critical observations” applicable to Member States’ law, these were too broad to constitute mandatory requirements. Nor was there a principled basis for the Divisional Court’s attempt to erect some, but not others, of the CJEU’s “critical observations” into mandatory requirements. Para. 79.
Retention vs. Access to Communications Data
The government argued that the CJEU’s Judgment finding that the Data Retention Directive violated the EU Charter was inapplicable to DRIPA because the EU Charter applies “only when [Member States] are implementing EU law,” and EU law does not regulate “access to retained communications data by the police or other law enforcement bodies.” Paras. 91, 94. To the contrary, the Court of Appeal noted that the parties agreed that “national rules requiring data retention are within the scope of EU law.” Para. 93. The Court then interpreted Digital Rights Ireland to “establish … that when evaluating the lawfulness of a retention regime for communications data it is necessary to evaluate the safeguards in respect of access to the retained data.” Para. 102.
Notwithstanding this disagreement with the government, the Court of Appeal reasoned that EU law, and, hence, the EU Charter govern Member States’ access to communications data only where providers are legally obligated to retain the data. Since “domestic access regimes do not treat access to data retained by a commercial service provider differently from other sources of data,” the principles that the CJEU laid down in Digital Rights Ireland cannot be translated into mandatory requirements for national access regimes.
Legal limits on the purposes of government access
The Court of Appeal interpreted Digital Rights Ireland to hold that the Data Retention Directive violated the Charter insofar as it did not mandate that the national laws transposing it strictly limit government access to the Directive’s stated purpose of combating serious crime. Erroneously, the Divisional Court read the CJEU as establishing the much broader proposition that combating serious crime is the only purpose for which any national law may authorize government access to communications data. Hand in hand with this, the Court of Appeal reasoned that the Divisional Court’s limitation on the purposes of government access contravenes the powers derogated to Member States by EU law. To bolster its position, the Court of Appeal noted that the appellants had conceded that Member States’ lawful access to communications data was not restricted to the single purpose of combating serious crime.
Prior Judicial or Independent Administrative Review
Before the Court of Appeal, the government contended that Articles 7 and 8 of the Charter afford exactly the same protections as the European Court of Human Rights (ECtHR) has interpreted Article 8(2) of the European Convention on Human Rights (ECHR) to provide. In Kennedy v. United Kingdom, (2011) 52 EHRR 4, the ECtHR held that Article 8(2) of the ECHR was not contravened by allowing warrants for the interception of the contents of communications to be approved by the Secretary of State. Hence, according to the government, the Divisional Court erred in interpreting Digital Rights Ireland to hold that Articles 7 and 8 of the Charter require prior judicial or independent administrative approval of government access to communications data.
Contrary to the government, the Court of Appeal reasoned that the right to the protection of personal data in Article 8 of the Charter “is more specific than [the right to respect for private and family life in] Article 8 ECHR and is not limited in its meaning and scope to that of Article 8 ECHR.” Para. 110. Very arguably, however, the Court of Appeal backtracked from recognizing that Article 8 of the Charter provides a basis for the CJEU to afford greater protection to personal data than the ECtHR. The Court of Appeal acknowledged that, “What is said in Digital Rights Ireland about prior independent authorization does seem … on its face, to go further than the current ECHR law,” only to state that, “This … reinforces our doubt that the CJEU in Digital Rights Ireland was intending to lay down mandatory requirements.” Para. 115. On this basis, the Court rejected the Divisional Court’s holding that DRIPA contravenes EU law by not mandating prior judicial or independent administrative review.
Referral to the CJEU
Instead of issuing a decision, the Court of Appeal referred the questions to the CJEU of whether Digital Rights Ireland (1) established “mandatory requirements of EU law to which the national legislation of Member States must comply” and (2) was “intend[ed] to expand the effect of Articles 7 and/or 8, EU Charter beyond the effect of Article 8 ECHR as established by the jurisprudence of the ECtHR.” Para. 118. The Court was strongly influenced to seek a referral by the conflict between its provisional views and the invalidation of national legislation on the basis of Digital Rights Ireland by the Constitutional Courts of five EU Member States (Austria, Slovenia, Belgium, Romania, and Slovakia) and a lower court in the Netherlands. The Court also reasoned that its differences with the Divisional Court showed that there was “considerable doubt as to the effect” of the CJEU’s Judgment. Para. 117(1). A further factor favoring referral was that despite DRIPA’s scheduled expiration at the end of 2016, “the true effect of the judgment in Digital Rights Ireland will remain central to the validity of all future legislation enacted by the Member States in this field.” Para. 117(2).
The Court of Appeal requested expedited proceedings from the CJEU, and suggested that its referral be joined with the pending referral from the Stockholm Administrative Court of Appeals, Case C-203/15 Tele2 Sverige AB.