In what circumstances is it possible for the EU to introduce a directive which limits the exercise of fundamental rights guaranteed by the EU Charter? This is just one of the many questions of constitutional significance which the Court is asked to address in Joined Cases C-293/12 and C-594/12.
In his Opinion delivered on 12 December 2013, Advocate General (AG) Cruz Villalón provides plenty of food for thought for the Court. For instance, the Opinion offers interesting yet contestable insights into the relationship between the rights to privacy and data protection in the EU legal order.
Facts and Findings
The joined cases are preliminary references from the Irish High Court and the Austrian Verfassungsgerichthof respectively questioning the compatibility of the Data Retention Directive (Directive 2006/24 EC) with EU law. The Data Retention Directive (DRD) requires the collection and storage of telecommunications traffic data (for instance, details on the maker and recipient of telephone calls and the duration of calls) for the purposes of the prevention, detection and investigation of ‘serious crime’. As such the DRD constitutes an exception to the general principle of confidentiality of electronic communications and other principles set out in the E-Privacy Directive (Directive 2002/58).
The two cases were joined for the purposes of the oral procedure and the judgment. As the questions asked by both referring jurisdictions were not identical, the AG focused his Opinion on the overlapping and complementary questions referred relating to the compatibility of the DRD with the provisions of the EU Charter as well as the proportionality of the legislative act.
Proportionality assessment pursuant to Article 5(4) TFEU
Having made a number of preliminary remarks which later influenced his assessment, the AG began by assessing the proportionality of the DRD in relation to its objectives pursuant to Article 5(4) TFEU. The Court had previously dismissed a claim that the DRD was adopted on an incorrect legal basis in C-301/06, Ireland v Parliament and Council. However, it remained unclear in that case whether the Court had ruled only on the validity of the choice of the legal basis for the DRD or whether it had also considered the question of the directive’s proportionality in light of its objectives . The AG therefore undertook this latter assessment. This task was made more difficult given the ‘dual functionality’ of the DRD. The ‘predominant’ objective served by the DRD is to harmonise national rules in order to ensure the proper functioning of the internal market. Indeed, it is legally justified on these grounds (Article 114 TFEU). However, the DRD also serves the additional objective of ensuring the availability of data for the purposes of the prevention and investigation of serious crime. The issue was therefore whether the proportionality of the Directive had to be assessed in light of both of these objectives or simply the primary objective .
The AG began by assessing the proportionality of the DRD in light of the objective of ensuring the functionality of the internal market. He found that the intensity of the DRD’s intervention with regard to fundamental rights (and in particular its ‘creating effect’ in certain Member States where there was no pre-existing legislation) was manifestly disproportionate to this objective. The paradoxical implications of this finding were not lost on the AG who observed that the reason for the DRD’s legitimacy in terms of legal basis – its ambition to ensure the functioning of the internal market – would be the reasons for its illegitimacy in terms of proportionality . While he queried whether this lack of proportionality with regard to the predominant objective could be remedied by taking into consideration the ‘background’ (secondary) objective , he ultimately left the question open by finding that the issue would not be decisive in the current case .
Compliance of fundamental rights limitation with Article 52(1)
The referring courts had alluded to a number of fundamental rights in their questions to the Court. As a preliminary point, the AG narrowed the rights concerned down to two rights – the Charter’s Article 7 right to privacy and the its Article 8 right to data protection – before concluding that the compatibility issue should be assessed primarily from the perspective of an interference with the right to privacy . He also categorised the privacy interference as a serious one  observing, inter alia, that the effects of surveillance are multiplied as a result of the importance of electronic communications in modern societies . He then went on to determine whether this particularly serious interference with the right to privacy was justifiable by examining, first, whether it was in accordance with the law and, secondly, whether it was proportionate.
In order to be ‘in accordance with the law’, a law must be sufficiently precise to circumscribe the limitation of the relevant fundamental right. Given that the EU had no competence to prescribe the conditions under which Member States should allow access and use of retained personal data, the DRD leaves it to Member States to set out the conditions governing access and use. However, the AG held that the EU must, when enacting legislation which interferes with the fundamental rights of individuals, ‘fully assume its share of responsibility’ by defining some of the safeguards applicable at least in the form of principles . For example, the AG suggests that the EU legislature should have provided a more precise description than ‘serious crime’  or subjected access to the data to oversight by judicial authorities or an independent body . Indeed, the AG held that without knowledge of the conditions for access and use of data collected the Court could not competently assess the compatibility of the interference with EU law [121 & 122]. As a result of this lack of accompanying principles, the AG concluded that the DRD is incompatible with Article 52(1) of the Charter.
He nevertheless went on to assess whether the legislation was proportionate, distinguishing the proportionality assessment conducted under Article 5(4) TFEU, which is a means to ensure respect for Member States competences, from that conducted under Article 52(1), which ensures the proportionality of a limitation to a Charter right. He noted that the objective pursued by the DRD is ‘perfectly legitimate’ . However, he then honed in on the necessity of the period of data retention set out in the DRD (between 6 months and 2 years). Importantly for privacy campaigners, he emphasised that the retention of data regarding the private lives of individuals is an anomaly which ‘can only be exceptional and therefore cannot extend in time beyond the period necessary’ . The AG argued that there is a line which separates the past from the present – ‘historical time’ from ‘present time’ – which should be relevant in assessing the proportionality of the temporal scope of the DRD . He had been unconvinced in the arguments before the Court in oral proceedings that there was a need to extend data retention into this ‘historical time’. As a result, he found that Article 6 of DRD, which sets out the potential retention time, was disproportionate.
Given that many Member States had in general implemented the DRD in a manner which was compliant with fundamental rights, the AG suspended the effects of the finding that the DRD was invalid pending the adoption by the EU legislature within a reasonable period of measures to remedy its legal flaws .
This eagerly anticipated Opinion is remarkable for many reasons. From a general perspective, it highlights the difficulties of clearly delineating the boundaries between EU and Member State competence. If the Advocate General’s Opinion is followed, it will also fend off a clash between the EU and several national constitutional orders. However, it is perhaps more noteworthy for those with an interest in the development of data protection and privacy law before the EU Courts.
Firstly, although the CJEU often treats data protection as a subset of the right to privacy, the AG recognises that data protection is subject to an ‘autonomous regime’ . However, he seems to envisage data protection as a right which applies to the ‘personal sphere’ rather than the ‘private sphere’ unlike the right to privacy. He does this by distinguishing between ‘data that are personal as such…to which the structure and guarantees of [the right to data protection] are best suited’  and ‘data which are in a sense more personal’ . The AG argues that use of ‘special’ personal data may ‘make it possible to create both a faithful and exhaustive map of a large portion of a person’s conduct strictly forming part of his private life, or even a complete and accurate picture of his private identity’. While the AG was arguably correct to focus on the right to privacy in this instance, these hitherto unheard of categories of data are unconvincing. Taken in individual morsels, the data concerned in this case was not necessarily ‘intimate’: indeed, it could be quite innocuous. However, once aggregated it could paint a revealing picture of an individual’s life. It is precisely this type of aggregation of innocuous data which EU data protection rules and hence the right to data protection are designed to regulate.
Secondly, the AG made the questionable assumption that because the data were not retained by public authorities or under their direct control , the data retention posed a more serious threat to fundamental rights. The legal action currently pending against the UK before the ECtHR for breach of Article 8 ECHR as a result of its TEMPORA surveillance programme may indicate that States also misuse personal data when the stakes are perceived as being high. Perhaps more pertinently, in this era of liquid surveillance, any strict dichotomy between public and private data processing seems artificial, a point noted by AG Kokott in her Opinion in Promusicae.
Finally, the AG allowed a reference to ‘the right to informational self-determination’ of the individual to sneak into his Opinion. While this German constitutional construct has many merits, its role in the EU legal order has been limited thus far. The insertion of a reference to ‘informational self-determination’ in the EU Charter was rejected during its drafting not least because of the strong links it has to one national legal order and the perceived influence this would have on the future design of EU data protection law.
– See more at: http://europeanlawblog.eu/?p=2122#sthash.Zc9QlvNo.dpuf
An interesting and important post on a complex matter. The question of the relationship between data protection legislation and the right of privacy has long generated headaches (as does reading this judgment). The two plainly overlap; indeed, the latter is normally invoked as the interest which animates the former.
To some extent, of course, data protection (fashioned to regulate some of the problems generated by the collection, use, storage and transfer of personal data) can and does protect individuals’ ‘privacy’. When this claim is made it normally means, I think, not that data protection laws can or should resolve the wider questions that, especially in the US, are accommodated under the ever expanding umbrella of ‘privacy’ (abortion, contraception, homosexuality and so on), but whether personal information obtained by intrusive conduct or gratuitously disclosed by the media lies outside the scope of such legislation.
This is not a matter of mere academic interest; the application of data protection to matters that are considered by many to lie beyond its orbit is now a reality. The collection and use of personal data by the media is the most conspicuous example of this development, though the European Directive on Data Protection explicitly exempts the press from its purview.
But at the heart of this judgment is the extent to which Directive 2006/24 is compatible with the rights contained with Article 52(1) of the Charter of Fundamental Rights of the European Union. The court held that it is not ‘since the limitations on the exercise of fundamental rights which that directive contains because of the obligation to retain data which it imposes are not accompanied by the necessary principles for governing the guarantees needed to regulate access to the data and their use.’ Moreover, it held that Article 6 of Directive 2006/24 is incompatible with both Articles 7 (the so-called ‘privacy’ provision) and 52(1) (‘provided by law’) of the Charter of Fundamental Rights of the European Union in that it requires Member States to ensure that the data specified in Article 5 of that directive are retained for a period whose upper limit is set at two years. This, the court held, was disproportionate to the need to collect such data.
There are, of course, a number of obvious distinctions between a data protection regime, on the one hand, and a civil action for ‘misuse of personal information’ on the other. Not only is the former restricted by who collects, uses, transfers etc data, but the remedies differ materially. Also, as the court observes there is the inescapable fact that ‘personal data’ has a significantly broader meaning under data protection legislation. Indeed, its relationship to ‘privacy’ is sometimes barely perceptible.
The court’s recognition of this conceptual divide is clear:
‘There are, however, data which are in a sense more than personal. These are data which, qualitatively, relate essentially to private life, to the confidentiality of private life, including intimacy. In such cases, the issue raised by personal data commences, so to speak, further ‘upstream’. The issue which arises in such cases is not yet that of the guarantees relating to data processing but, at an earlier stage, that of the data as such, that is to say, the fact that it has been possible to record the circumstances of a person’s private life in the form of data, data which can consequently be subject to information processing. It is in that sense that it is possible to argue that, when such data are involved, they raise an issue which essentially precedes that of their processing, relating primarily to the privacy guaranteed by Article 7 of the Charter and only secondarily to the guarantees concerning the processing of personal data referred to in Article 8 of the Charter.’ (Paras 65 and 66)
There is, as the post suggests, a great deal to digest here. And this is, as I say, a fairly Byzantine analysis of the law. Oh, for a clearly drafted ‘privacy’ Article (or better still, a British statute) …