Letter to the European Court of Justice and the Advocate General regarding the action brought on 6 July 2006 - Ireland v Council of the European Union, European Parliament (Case C-301/06): Introduction
In July of 2006, Ireland initiated an action
for the annulment of directive 2006/24/EC. Ireland argues that there is
no legal basis for a directive the purpose of which is "to ensure that
[...] data are available for the purpose of the investigation,
detection and prosecution of serious crime" (Art. 1). As "friends of the Court", we would like to express our
support of the action. However, while it is true that there is no legal
basis for the directive*,
it is first and foremost illegal on human rights grounds. We urge the
court to base its decision on the incompatibility with human rights
rather than the lack of competence. A decision on the compatibility
with human rights is essential to prevent member states from replacing
the directive with a framework decision that equally violates human
rights (as has happened in regard to the transfer of PNR data to the
USA). A decision merely on grounds of competence would mean that the
Court will be called upon a second time to decide on the legality of a
framework decision that is substantially identical to the present
directive. A decision on the basis of human rights is urgently needed
to uphold the privacy of telecommunications in Europe.
Human rights are decisive in determining the legality of
blanket traffic data retention. The European Convention for the
Protection of Human Rights and Fundamental Freedoms (ECHR)*
is binding not only for individual states but also for the European
Union (Art. 6-2 TEU). Because of Art. 6-2 TEU, directives must be
compatible with the ECHR and are subject to review, in this respect, by
the European Court of Justice (Art. 230 TEC).
The right to respect for private life and correspondence (Article 8 ECHR)
The principal provision providing the individual with protection
from the processing of telecommunications traffic data is Art. 8 ECHR.
This article warrants, among others, the right to respect for a
person’s private life and correspondence. In its jurisprudence, the
European Court of Human Rights (ECtHR) has repeatedly held that the
metering of traffic data without the consent of the subscriber
constitutes an interference with the rights to respect for private life
and correspondence.* This jurisprudence is based on traffic data being ‘an integral element in the communications made’.*
Just as the metering of telecommunications by government
officials, the state-imposed retention of traffic data by private
telecommunications companies is an interference with Art. 8 ECHR.*
The fact that the state uses private companies for the execution of its
retention programme does not affect this classification, given that
authorities have the right to access retained traffic data at any time.
Neither does the legal qualification of data retention legislation
depend on whether or not telecommunications companies may access
retained data for their own purposes as well. Finally, it is an
interference with Art. 8 ECHR if the state grants telecommunications
providers the right to voluntarily retain traffic data beyond the
period necessary for their business purposes,* because state authorities can in turn, assert the right to access such data for their own purposes.
Any interference with the rights guaranteed in Art. 8 ECHR
requires justification. According to Art. 8-2 ECHR, interferences must
be ‘in accordance with the law’. According to the ECtHR, this
expression requires that the measure should have some basis in domestic
law. It further refers to the quality of the law in question, requiring
that it should be accessible to the person concerned and formulated
with sufficient precision inline with the seriousness of the
interference.*
Sufficient precision is necessary to enable the individual concerned to
foresee the law’s consequences and adapt their conduct accordingly.
Additionally, domestic law must provide effective legal protection
against arbitrary or improper interferences by public authorities.
If an interference is in accordance with the law, Art. 8-2 ECHR
further requires the measure to be ‘necessary in a democratic society
in the interests of national security, public safety or the economic
well-being of the country, for the prevention of disorder or crime, for
the protection of health or morals, or for the protection of the rights
and freedoms of others.’ Keeping in mind the importance of the human
right being interfered with, such necessity for interference can be
assumed only if the interference corresponds to a pressing social need,
pursues a legitimate aim and is proportionate to that aim.*
The ECtHR has clearly stated that the aim pursued must be balanced
against the seriousness of the interference, and that the social need
must be sufficiently pressing to outweigh the human right in question.*
In examining the necessity of data retention, the first test is
that of effectiveness. Data retention is not altogether ineffective
because it can be assumed to support law enforcement in a certain
number of cases. Furthermore, no less intrusive but equally effective
alternatives are available.
The proportionality test finally requires the harm to civil
rights to be proportionate to the aims of the legislation in question.
Thus, the positive and the negative effects of the measure on
individuals and society as a whole must be balanced against each other.
This cannot be achieved by means of general considerations on the
interests and rights in question since it is impossible to establish an
absolute order or ranking of interests and rights. Instead, it is
necessary to determine how useful the measure will actually be and what
harmful effects it will actually have.
It needs to be kept in mind that law enforcement is not an
interest or a right in itself. Any other opinion would enable the
state, having the power to make the laws that are to be enforced, to
progressively erode human rights. Sanctions as a mere instrument of
retribution for criminal acts committed in the past cannot legitimise
restrictions on human rights. The same applies to other abstract aims
such as ‘criminal justice’ or ‘the defence of innocent suspects’. Art.
8-2 ECHR, while recognising the ”prevention of ...
crime” as a legitimate aim, does not mention the prosecution of crime.
Therefore, the prosecution of crime can justify an interference only
where it is effective in preventing crime. Criminal law is legitimate
only as a means of protecting individual rights, ie of preventing
damage being inflicted upon them. The degree to which an interference
with human rights is effective in furthering this aim needs to be
evaluated in order to effectively protect civil liberties. Thus,
restrictions on human rights for the purpose of fighting crime cannot
be accepted without examining the actual effectiveness of law
enforcement.
Traffic data retention can, in principle, be useful in
preventing infringements on any right. As far as cyber-crime (i.e.
crime committed by means of telecommunications networks) is concerned,
however, it is mostly the monetary interests of individuals that are
affected. Cyber-crime hardly ever poses a threat to society as a whole
or to the physical safety of individuals.
The benefit of retaining traffic data lies mostly in the
investigation of criminal acts committed in the past, whereas its
effectiveness in preventing damage is marginal. An analysis of relevant
empirical studies shows that strengthening law enforcement does not
have any apparent effect on the decision-making process of potential
offenders. The investigation and prosecution of crime has preventive
effects only insofar as prison sentences prevent offenders from
committing offences out of prison during their prison term, and where
proceedings result in the restoration or compensation of damage
suffered by victims of crime. It is unknown in how many cases traffic
data retention would be of use in this regard. However, what is clear
from general practical experience is that strengthening law enforcement
does not have any apparent effect on crime levels.
The existence of various ways of communicating anonymously, the
use of which is likely to increase as a reaction to traffic data
retention, raise fundamental doubts as to the benefit of data
retention. There is a range of methods for preventing either the
generation of traffic data or access to it by European authorities. For
example, it is easy for criminal offenders to use mobile phone cards
that have been registered in the name of another person or even bought
in a country that does not require registration. Only if the world
community co-operated closely would it be possible to prevent anonymous
telecommunication from taking place. Realistically, such co-operation
is, however, not to be expected. In any case, criminal offenders cannot
be expected to observe laws banning the use of anonymous
telecommunications. Therefore, traffic data retention cannot stop more
experienced criminals from preventing the generation of incriminating
traffic data.*
In summary, data retention can be expected to support the
protection of individual rights only in few and generally less
important cases. A permanent, negative effect on crime levels, even in
the field of cyber-crime, is not to be expected. The potential use of
data retention in fighting organised crime and in preventing terrorist
attacks is marginal or non-existent.
In determining the proportionality of data retention, its
negative effects need also to be taken into account. Generally, the
seriousness of an interference with human rights is to be judged
according to, the preconditions of powers granted, the number and
nature of individuals affected and the intensity of negative effects.
In doing so, the harmful effects that are certain to happen are not the
only ones that need to be taken into account. Serious risks (such as
abuse of power) need to be considered as well.
Regardless of the details of data retention schemes, they
gravely interfere with the rights to respect for private life and
correspondence guaranteed in Art. 8 ECHR. Not only specified
individuals but every person is subjected to having their
telecommunications usage recorded. In many situations, people cannot
reasonably avoid using telecommunications. Therefore, there is often no
escape from having the details of one’s telecommunications recorded,
even where communications are confidential (e.g. lawyer-client
communications).
Under a data retention scheme, every use of fixed-line or
mobile telephones, fax, text messaging, e-mail, WWW etc. is recorded as
to the identity of the individuals involved, the time and place of
communications and other details. Unmonitored telecommunications would
practically cease to exist. Data retention not only affects
communications taking place in public or business premises but for a
large part also affects communications in private homes, despite the
fact that monitoring a citizen’s behaviour in their home is generally
permissible only in exceptional circumstances. Traffic data is not
being registered anonymously or for statistical purposes, but its
purpose is being directed towards enforcement measures against
individuals. Therefore, the retention of traffic data can have most
serious consequences for individuals, ranging from embarrassing
interrogation or observation procedures, right up to life prison
sentences – possibly as a result of wrong presumptions. Furthermore,
access to retained traffic data is not costly for authorities, which
eliminates another traditional logistical restriction on the use of
surveillance powers.
As opposed to other powers granted for the collection of
personal data in democratic societies, blanket data retention does not
only affect data for which there is an expressed likely use in the
future. Citizens are monitored purely for unsubstantiated reasons of precaution.
Of the innumerable telecommunications taking place every minute, the
probability of a random communication needing to be re-visited and
established as fact by law enforcement is minuscule. Although powers
are known in democratic societies which are not subject to reasonable
suspicion, blanket retention of all telecommunications traffic data is
of a new quality, even compared to those powers. In other fields,
measures against non-suspects are permissible only in specific cases or
situations. Data retention, on the other hand, constitutes a permanent,
general registration of citizens’ behaviour. The users of
telecommunications services are neither responsible for creating a
source of danger, nor do telecommunications take place in an unusually
dangerous or endangered area.
Contrary to popular opinion, access to traffic data cannot be
considered less privacy-invasive than the surveillance of the content
of telecommunications. The information value and usability of traffic
data is extremely high and at least equals that of telecommunications
content. Firstly, traffic data can be processed much more effectively
than content data. Traffic data can be analysed automatically, combined
with other data, searched for specific patterns and sorted according to
certain criteria, all of which cannot be done as easily with content
data. Secondly, authorities often are, at least initially, interested
in obtaining traffic data only. An interest purely in the contents of
telecommunications does not occur in practice. Traffic data provides a
detailed picture of the telecommunications, social environment and
movements of individuals. The information value of traffic data can,
depending on the circumstances, be equal to or exceed that of
communications contents. It can therefore not be said that traffic data
is typically less sensitive than content data, and it is not justified
to apply a lower level of legal protection to traffic data than to
content data.
One of the harmful effects of data retention is an increase in
the likelihood of erroneous decisions in criminal investigations and
court procedures. In view of the difficulties in determining a user’s
identity for a given telecommunications service, at a given time, and
the fact that access to traffic data often affects a multitude of
individuals simultaneously, this instrument bears the specific risk of
leading to erroneous incriminations or suspicions. Furthermore,
retaining traffic data creates potential risks of abuse by state
agencies. Traffic data can be extremely useful for political control,
e.g. by intelligence agencies. Experience shows that the risk of powers
being abused, especially where they are exercised in secret, must not
be underestimated even in Europe. Furthermore, where the government
prevents the effective protection of personal data because of its
appetite for surveillance, it opens up the gates for misuse of the data
by third parties. Innumerable facts about the private life of prominent
members of the public could be obtained by analysing traffic data. In
the event of unauthorised access to retained traffic data, politicians
could be forced to resign and officials could be blackmailed. Last but
not least, traffic data is useful in gathering economical intelligence
by foreign states.
Where data retention takes place, citizens constantly need to
fear that their communications data may at some point lead to false
incrimination or governmental or private abuse of the data. Because of
this, traffic data retention endangers open communication in the whole
of society. Individuals who have reasons to fear that their
communications could be used against them in the future will endeavour
to behave as unsuspiciously as possible or, in some cases, choose to
abstain from communicating altogether. Such behaviour is detrimental to
a democratic state that is based on the active and unprejudiced
involvement of citizens. This chilling effect is especially harmful in
cases which attract abuses of power, namely in the case of
organisations and individuals who are critical of the government or
even the political system. Blanket traffic data retention can
ultimately lead to restricted political activity, bringing about damage
to the operation of our democratic states and thus to society.
Traffic data retention also causes increased efforts in the
development of countermeasures such as technologies of anonymisation.
Where the state indirectly encourages anonymous communications in its
pursuit of surveillance, it will ultimately damage its power to
intercept telecommunications even in cases of great danger.
Neither the positive nor the negative effects of traffic data
retention can be determined with certainty. This is due to the lack of
empirical knowledge on the subject available at present. In such
situations of uncertainty, democratically elected parliaments have a
certain margin of appreciation as far as the facts in question are
concerned. However, where political decisions have a significant impact
on human rights, parliaments are required to make use of all
information available to determine the relevant facts as well as
possible, and to make a rational decision on that basis. Furthermore,
for as long as the relevant facts have not been established,
irreversible restrictions on human rights cannot be considered
necessary in a democratic society, with an exception being justified
only if a measure is indispensable to protect important rights from
grave threats.
On this basis, blanket traffic data retention, being a measure
with a significant impact on human rights and civil liberties, may not
be instituted before having established its effects. The immediate
introduction of data retention is not indispensable for the protection
of important rights from grave threats. Determining the effects of data
retention is possible without actually introducing such a scheme. Since
data retention merely brings about a quantitative extension of the
amount of traffic data available, evaluating traditional powers of
access to traffic data can provide important information on the
prospective effects of data retention. Furthermore, for as long as
traffic data retention schemes are operated by some EU states, their
effects can be studied first hand, both by comparing national data over
time and by comparing data with states without retention schemes. Such
evaluations would reveal whether traffic data retention is actually
useful to agencies, in how many and which cases of crime prevention and
prosecution data retention has ultimately made a difference, whether
data retention is effective in fighting serious organised crime and
whether it has resulted in a decrease in crime levels or not.
Weighing the conflicting rights and interests on the basis of
what present knowledge is available, demonstrates a significant
disparity between the likely benefit of blanket traffic data retention
and its negative effects, both on individuals and on society as a
whole. Data retention is a disproportionate restriction of rights under
Art. 8 ECHR.*
While it threatens to inflict great damage on society, its potential
benefit appears, overall, to be little. Data retention can support the
protection of individual rights only in few and generally less
important cases. A permanent, negative effect on crime levels is not to
be expected. On the basis of present knowledge, it would not be
rational to assume otherwise. Consequently, parliaments that still
enact data retention legislation exceed their margin of appreciation
under Art. 8 ECHR. As a result, blanket traffic data retention is
incompatible with Art. 8 ECHR.
On the other hand, providing authorities with the power to
order the logging and disclosure of traffic data in regard to specified
communications (data preservation) is compatible with the ECHR,
provided that the power is subject to sufficient conditions and that
the cost to the telecommunications providers is borne by the
government. The Council of Europe’s Convention on Cybercrime* provides for such data preservation powers to be enacted.
Freedom of expression (Article 10 ECHR)
Art. 10 ECHR guarantees the right to freedom of expression,
including the freedom to hold opinions and to receive and impart
information and ideas without interference by public authorities. Both
facts and opinions fall within the scope of Art. 10 ECHR.* It is irrelevant which technical means are used to exercise the rights under Art. 8 ECHR.*
Thus, the use of telecommunications networks is covered by the
provision. It is also without relevance whether communications are of a
private or a public nature and whether they are individual or mass
communications.*
Although the protection afforded by Art. 10 ECHR is partly identical to
that of Art. 8 ECHR, both rights have different purposes and are
therefore to be applied independently of each other.
For Art. 10 ECHR to afford effective protection, indirect
obstructions to the freedom of expression must fall within its scope
where they typically and clearly hinder the free exchange of opinions
and facts. Data retention has this effect: Firstly, retaining all
traffic data on the population’s communications would have a disturbing
effect on the free expression of information and ideas as described
above. Secondly, if the state does not fully compensate
telecommunications companies affected, prices for their services will
rise significantly and formerly free services will partly cease to be
offered, thus decreasing the amount of information people can afford to
circulate. Therefore, data retention legislation interferes with the
freedom of expression.
Art. 10-2 ECHR states that the exercise of freedoms under Art.
10-1 ECHR can be subjected to restrictions where it is necessary in the
interests of, among others, national security, public safety or for the
prevention of crime. However, such legislation must fulfil the same
conditions as described above in relation to Art. 8 ECHR, most of all
the proportionality test.
Data retention legislation does not meet this requirement: The
free exchange of information is of paramount importance in a democratic
society. Traffic data retention has the effect of allowing
communications to be revisited at will, thus deterring both providers
and recipients of sensitive information. Particularly information that
is critical of governments is subjected to this effect. In comparison
to the marginal benefits of traffic data retention, its negative
effects on the freedom of expression are major. Therefore, blanket data
retention requirements are disproportionate and incompatible with Art.
10 ECHR.
The Protection of property (Article 1 PECHR)
Art. 1 of the first protocol to the ECHR (PECHR)*
guarantees the protection of property. Art. 1 PECHR applies to property
that has been acquired rather than to future income or earnings.*
Therefore, the fact that compulsory data retention would impose
financial burdens on service providers and result in a loss of profits
does not constitute an interference with Art. 1 PECHR.
The jurisprudence of the ECtHR recognises the customer basis of a company as property protected by Art. 1 PECHR.* A state measure that results in a loss of customers to companies therefore interferes with their property rights.*
Data retention requirements affect all telecommunications and Internet
service providers in a similar fashion and are therefore unlikely to
affect the customer basis of individual companies. Thus, their property
rights are not interfered with in this regard.
The Court also recognises that an unintended, state-induced de
facto deprivation of property is covered by the second sentence of Art.
1-1 PECHR*
if its effects are equal to those of formal dispossession. This is the
case if possessions cannot be enjoyed in any purposeful way as a result
of the measure.* A measure of that kind can only be deemed proportionate if the law provides for reasonable compensation.*
The machines and devices used by telecommunications service
providers to operate their businesses are the property of those
companies and thus protected by Art. 1 PECHR. Compulsory data retention
results in a de facto deprivation of service providers of that property
if devices previously used to provide services cannot be upgraded or
adapted to allow for traffic data retention and, as a result, become
practically worthless. The second sentence of Art. 1-1 PECHR
consequently requires adequate compensation to service providers who
suffer such losses where they are inevitable.
Apart from these extreme cases, data retention legislation
could manifest as laws controlling the use of property within the
meaning of the second paragraph of Art. 1 PECHR. A decision by the
European Commission on Human Rights, on a German statute requiring
employers to assist in the taxation of employees,*
demonstrates that state-imposed obligations can be qualified as an
interference with Art. 1 PECHR. Although the Commission did not have to
decide on the question because of its irrelevance in regard to the case
at hand, it examined whether the statute would be justified if it were
an interference with property rights. This is an indication that the
Commission would have qualified the law as an interference with the
right of property if it had had to decide on the question.
In principle, any legislation imposing or prohibiting specific
uses of property, controls the use of property within the meaning of
Art. 1-2 PECHR.*
However, it would be excessive to consider any law the compliance with
that may require making use of one’s property an interference with Art.
1 PECHR. An indirect interference with the right of property should be
recognised only where a law typically and clearly results in an
encroachment on the right of peaceful enjoyment of property.
An obligation to retain traffic data would force
telecommunications service providers to use their property in order to
comply with the law. Presumably, some devices would even need to be
used exclusively to retain traffic data, without serving another
purpose. Therefore, data retention laws would clearly control the use
of the service provider’s property and thus interfere with their rights
under Art. 1 PECHR.
According to Art. 1-2 PECHR, an interference can be justified
in the general interest. In this regard, the contracting parties enjoy
a wide margin of appreciation.* However, any interference must be proportionate.*
In the case of data retention requirements, it has been shown above
that the benefit of data retention is very limited. On the other hand,
the financial burden on the companies compelled to retain data is
substantial. The cost of retaining traffic data is by far exceeded by
the cost resulting from the ensuing obligations to administer, search
and transmit retained data to authorities requesting it. The total cost
of data retention is high and has been estimated to be in the United
Kingdom alone, industry-wide £100 million (€150 million) at the least.*
In view of its marginal benefit, data retention legislation can be
deemed proportionate under Art. 1 PECHR only if telecommunications
companies are fully compensated for costs they incur for compliance. As
member states are not required to compensate costs under directive
2006/24/EC, the directive is an improper invasion in the rights of the
telecommunications companies guaranteed under Art. 1 PECHR.
Summary
1. Directive 2006/24/EC constitutes a disproportionate and therefore
illegal invasion in the rights of citizens guaranteed under Art. 8 and
Art. 10 ECHR.
2. The directive is also an improper invasion in the rights of
the telecommunications companies guaranteed under Art. 1 PECHR as
member states are not required to compensate their costs.
Signatories
- APTI, Romania
- Arbeitskreis Vorratsdatenspeicherung, Germany
- Associazione per la Libertà nella Comunicazione Elettronica Interattiva, Italy
- Berufsverband Deutscher Psychologinnen und Psychologen e.V., Germany
- big brother awards - french chapter, France
- Bits of Freedom, Netherlands
- Deutsche Gesellschaft für Soziologie e.V., Germany
- Deutscher Fachjournalisten-Verband AG, Germany
- Deutscher Journalisten-Verband e.V., Germany
- Digital Rights, Denmark
- Electronic Frontier Finland, Finland
- Electronic Frontier Norway, Norway
- European Digital Rights, Europe
- Ev. Konferenz für Telefonseelsorge und Offene Tür e.V., Germany
- FFII Deutschland, Germany
- FITUG e.V. , Germany
- FoeBuD e.V., Germany
- German Unix User Group e.V., Germany
- Gesellschaft für Datenschutz und Datensicherung e.V., Germany
- Globenet/No-log, France
- Gustav Heinemann-Initiative e.V., Germany
- Humanistische Union e.V., Germany
- Imaginons un réseau Internet solidaire, France
- Internationale Liga für Menschenrechte, Germany
- Iuridicum Remedium, Czech Republic
- Komitee für Grundrechte und Demokratie, Germany
- Ligue ODEBI, France
- marsnet, France
- Netzwerk Freies Wissen, Germany
- Netzwerk Neue Medien, Germany
- Neue Richtervereinigung, Germany
- Open Rights Group, UK
- PPF-Canal Historique, France
- Privacy International, UK
- Progetto Winston Smith, Italy
- quintessenz, Austria
- Réseau associatif et syndical (RAS), France
- Statewatch, UK
- SuMa-eV, Germany
- Verband der Freien Lektorinnen und Lektoren e.V., Germany
- Verband Deutscher Zeitschriftenverleger e.V., Germany
- VIBE!AT, Austria
- XS4ALL Internet, Netherlands
References
|