While the Court of Justice of the European Union (CJEU), in its recent judgment Schrems v Data Protection Commissioner (discussed here), does not mention the words “measures of mass surveillance”, it states that it is concerned about measures “authoris[ing], on a generalised basis, storage of all the personal data of all the persons”.

By way of comparison, in its Digital Rights Ireland (DRI) judgement – see my post here – the CJEU was dealing with an obligation imposed on providers of publicly available electronic communications services or of public communications networks to retain so-called metadata.

This included

“data necessary to trace and identify the source of a communication and its destination, to identify the date, time, duration and type of a communication, to identify users’ communication equipment, and to identify the location of mobile communication equipment, data which consist, inter alia, of the name and address of the subscriber or registered user, the calling telephone number, the number called and an IP address for Internet services”.

In other words, the CJEU in DRI was dealing with a data retention obligation which it said covered “in a generalised manner, all persons and all means of electronic communication as well as all traffic data without any differentiation, limitation or exception being made in the light of the objective of fighting against serious crime” (para 57).

Notably in its Weber judgement – which I previously mentioned in my posts here, here, and here – the European Court of Human Rights (ECtHR) was confronted with a measure of strategic monitoring defined as a measure

“aimed at collecting information by intercepting telecommunications in order to identify and avert serious dangers facing the Federal Republic of Germany, such as an armed attack on its territory or the commission of international terrorist attacks and certain other serious offences”.

There does not seem to be a clear distinction between content and metadata in Weber (although it is mentioned by the ECtHR that the Federal Intelligence Service was only authorised to carry out monitoring measures with the aid of catchwords).

The purpose of this post is to compare the above decisions of the CJEU and the ECtHR to try to understand what EU law (as interpreted by the CJEU) actually prescribes in the field.

Both in DRI (para. 39 a contrario) and in Schrems (para. 94) the CJEU held that:

“[L]egislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter”.

When the essence of the right to respect for private life is compromised, no justification seems possible. Therefore, there is no need to apply the proportionality test. [In this sense the CJEU seems to be more restrictive than the ECtHR… but I wonder… what does content of communications really mean? Should we be here only concerned with emails, be they webmails or not, or with other applications/services? And what if users actually consent to have the content of their communications monitored?]

At this stage it is worth mentioning a decision of the District Court for the Southern District of New York I commented upon in a previous post, in which it was made clear that AOL, a famous ISP, was looking at the content of its subscribers’ communications to screen the files attached to their emails in order to detect child pornography images. The District Court held in that case that by consenting to AOL’s terms of use the claimant had consented to searches by AOL as a government agent.

Are such monitoring activities possible under EU law?

While measures “authoris[ing], on a generalised basis, storage of all the personal data of all the persons” do not necessarily target the content of communications as such, if they only target metadata, reading both DRI and Schrems, it seems that it might be possible to justify them.

In DRI it is not entirely clear whether the CJEU adopted a very restrictive approach. The CJEU assessed the retention obligation in the light of the following safeguards (but did not expressly state whether the following safeguards were alternative or cumulative conditions):

  • Was there any “differentiation, limitation or exception being made in the light of the objective of fighting against serious crime”? (para. 57).
  • Were “the persons whose data [were] retained being, even indirectly, in a situation which [was] liable to give rise to criminal prosecutions”? Was there “evidence capable of suggesting that their conduct might have a link, even an indirect or remote one, with serious crime”? Was there “any exception, with the result that it applie[d] even to persons whose communications [were] subject, according to rules of national law, to the obligation of professional secrecy”? (para. 58).
  • Did the data retention Directive “require any relationship between the data whose retention [was] provided for and a threat to public security and, in particular, [was] (…) it restricted to a retention in relation (i) to data pertaining to a particular time period and/or a particular geographical zone and/or to a circle of particular persons likely to be involved, in one way or another, in a serious crime, or (ii) to persons who could, for other reasons, contribute, by the retention of their data, to the prevention, detection or prosecution of serious offences”? (para. 59).
  • Did the Directive include “any objective criterion by which to determine the limits of the access of the competent national authorities to the data and their subsequent use for the purposes of prevention, detection or criminal prosecutions concerning offences that, in view of the extent and seriousness of the interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter, may be considered to be sufficiently serious to justify such an interference”? (para. 60).
  • Did the Directive “contain substantive and procedural conditions relating to the access of the competent national authorities to the data and to their subsequent use”? (para. 61).
  • Did the Directive “lay down any objective criterion by which the number of persons authorised to access and subsequently use the data retained is limited to what is strictly necessary in the light of the objective pursued”? Was “the access by the competent national authorities to the data retained (…) made dependent on a prior review carried out by a court or by an independent administrative body whose decision seeks to limit access to the data and their use to what is strictly necessary for the purpose of attaining the objective pursued and which intervenes following a reasoned request of those authorities submitted within the framework of procedures of prevention, detection or criminal prosecutions”? (para. 62).
  • As regards the data retention period, was there “any distinction being made between the categories of data [to be retained] on the basis of their possible usefulness for the purposes of the objective pursued or according to the persons concerned”? (para. 63). Was “the determination of the period of retention (…) based on objective criteria in order to ensure that it is limited to what is strictly necessary”? (para. 64).

In Schrems, the CJEU is less prolix. This might have been done on purpose as the CJEU decided to adopt an approach slightly different from that of the Advocate General (his opinion is discussed here) and to concentrate its analysis on the motivation of the Commission’s decision (rather than on the general adequacy of US law as such). (In this sense, this is a better approach as explained here).

The CJEU only mentions 3 key safeguards. (Does it mean that these safeguards and these safeguards only are the sole necessary conditions? If so, this would mean that on some occasions it may be possible to retain the metadata of individuals on a generalised basis without “evidence capable of suggesting that their conduct might have a link, even an indirect or remote one, with serious crime”).

Here are the 3 safeguards:

  • “differentiation, limitation or exception being made in the light of the objective pursued” (para. 93).
  • “an objective criterion (…) by which to determine the limits of the access of the public authorities to the data, and of its subsequent use, for purposes which are specific, strictly restricted and capable of justifying the interference which both access to that data and its use entail” (para. 93).
  • “legal remedies in order to have access to personal data relating to [individuals], or to obtain the rectification or erasure of such data” (para. 95). [See Alison’s latest post here on the recent conclusion of negotiations regarding the EU-US ‘umbrella agreement’ – which is meant to improve EU citizen access to the US courts, in case of privacy breaches by US authorities to whom their data has been disclosed by their home countries for law enforcement purposes.]

To conclude, does it mean that the English High Court in Davis (discussed here) was right?

Notably, in Schrems while the CJEU does stress the importance of an access regime, it does not expressly mention that “the access by the competent national authorities to the data retained [shall be] made dependent on a prior review carried out by a court or by an independent administrative body”.

This post originally appeared on the peep beep! blog and is reproduced with permission and thanks