European Commission & Data Retention – a faulty basis for decision-making*?

Due to the sensitive nature of this summary, we shared it with the European Commission to allow for any corrections or clarifications that were deemed necessary before publication. The draft was updated on the basis of the feedback that was received, but not all suggestions from the Commission services were accepted by us. As a result, none of the analysis below should be read as necessarily reflecting the views of the European Commission. We are grateful to the Commission for its input.

On Tuesday 8 September 2015, EDRi had a meeting with the Police Cooperation Unit of the Directorate-General for Migration and Home Affairs (DG Home) of the European Commission. The two main purposes were:

• to exchange views on how the EDRi analysis of breaches by Member States of the the Court of Justice of the European Union (CJEU) data retention ruling from 8 April 2014 was received by the Commission and;
• to learn about any action planned by the Commission to tackle the data retention measures imposed by Member States that do not comply with the CJEU ruling, as detailed in documents submitted by EDRi to the Commission.

Summary of the meeting

In the eight years from the adoption of the Directive until its annulment last year, it seems that two sets of informal internal rules and decisions prevented the Commission from taking action to resolve the problems with the Directive. The Commission explained that it did not believe it was appropriate to take legal action against any Member State for excessive implementation of the Directive (as detailed in its evaluation report) as long as there were countries that had not yet implemented the Directive. The Commission was therefore unable to take action even when its own implementation report made these problems abundantly clear.

Even now, the Commission believes that the European Court’s ruling annulling the Directive is too ambiguous to allow it to take legal action to prevent any Member State from breaching any of its provisions. More generally, the meaning of “genuinely” and “necessary” (in the Charter of Fundamental Rights) is not clear from any Court ruling and would, therefore, not prevent the launch of a new Data Retention Directive (or Regulation) in the future. Legally, any such measure must be necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others.

Introduction

We wanted to learn about the steps that have been taken by the Commission when monitoring legislative developments in relation to data retention at national level, and which countries are under review by the Commission for possible legal action. We also wanted to obtain some more background information regarding the legal proceedings taken against Member States for not implementing the Data Retention Directive (Czech Republic [infringement procedure 2011/1143], Germany [infringement procedure 2011/2091], Romania [infringement procedure 2011/2089] and Sweden [infringement procedure 2007/1181]). A final related purpose of the meeting was to build on our relationship with the Commission in order to more effectively provide input on this and other related topics, such as Passenger Name Record (PNR) and surveillance, to facilitate future dialogue.

Access to documents request

The first topic that was discussed was the recent access to documents request submitted by EDRi member Bits of Freedom on the infringement proceedings mentioned above. The Commission services asked about when the submission was made, and promised to look into it and get back to EDRi to confirm that the application had been received. The Commission stated that the default in such circumstances was for documents to be made available, but could not comment further, as it had not seen the request.

Steps leading to infringement proceedings

The Commission services subsequently explained the mechanism of monitoring EU Directives. Basically, Member States must notify the European Commission of the transposition of a Directive into national law. Upon expiration of the deadline for transposition, if the Member State has not notified any national transposition measures to the Commission, the latter sends a warning letter inviting the Member State to notify it of planned national transposition measures.

Two situations can arise leading to non-implementation. On the one hand, it is possible that the transposition was not completed as a result of the lack of action of the Member State, in which case the Commission takes steps towards formal infringement proceedings (as in Sweden and the Czech Republic). On the other hand, it is possible that a judicial decision delayed the transposition (as in Germany and Romania). In this case, the Commission monitors the evolution of the issue and is more flexible regarding deadlines. The situation was somewhat more complicated in this case due to its political significance.

In the Czech Republic and Sweden proceedings, the Commission sent letters demanding implementation of the Directive. In the case of Romania and Germany, they had initially transposed the Directive, but their constitutional courts annulled them. Romania ended up having a different law and Germany did not pass any law at all. Ultimately, the CJEU annulled the Directive.

Respect for EU law in relation to data retention

As outlined in its Communication on the European Agenda on Security of April 2015, the Commission is now focusing on monitoring the situation at national level (rulings of national courts, legislative procedures and other relevant developments). The Commission services also closely follow the request for a preliminary ruling by the Swedish Court of Appeal pending with the European Court of Justice (case C-203/15).

The Commission explained that it did not feel that it was appropriate to take any legal action while the legislation was subject to legal proceedings. As there were Court of Justice proceedings almost continually from 2006 to 2014 on the subject matter of the Directive (Case C-301/06 (on the legal basis of the Directive), launched in 2006 and concluded in 2009; case C-461/10 (on the use of retained data for copyright enforcement purposes), launched in 2010 and concluded in 2012; and case C-293/12 (on the compliance with the EU Charter of Fundamental Rights), launched in 2012 and concluded in 2014), there was never an opportunity to raise issues regarding its implementation. Indeed, even after the Directive was annulled, there is another CJEU case (C-203/15, launched in 2015 and still ongoing).

The Commission also explained that it did not believe it was appropriate to take legal action against any Member State for excessive implementation of the Directive (as detailed in its evaluation report) as long as there were countries that had not yet implemented the Directive.

Finally, the Commission argued that the fact that a Member State does not implement a Directive cannot be taken as evidence that the Member State in question believes that the legislation is not necessary. The Commission said that if Member States had concerns about the legality of the Directive, they had a window of opportunities to raise them.

Consequently, according to the Commission, it was consistent for Cecilia Malmström, who is currently European Commissioner for Trade, and served previously as European Commissioner for Home Affairs, Member of the European Parliament (MEP), and Swedish Minister for European Union Affairs:

• to be a Minister in a Swedish government that failed to transpose the data retention Directive into national law (which raises questions as to how “necessary” the government believed the measure to be);
• to then become a Commissioner for Home Affairs and launch legal proceedings against Sweden for not transposing the Directive;
• and subsequently arguing that the Court decision annulling the Directive on the basis of lack of proportionality “confirmed” the European Commission’s analysis in its 2011 implementation report, on the basis of which it took no action to bring the situation into line with European law.

Respect for EU law of existing data retention legislation at Member State level

As a result of the annulment of the Directive, the Commission’s current main priority is to focus on the monitoring of what is being done by national courts and by the European Court of Justice.

The key points made by the Commission looking forward were:

In order to assess the compatibility of national law with EU law, the Commission needs a clear enough benchmark. This means that the Commission needs to know what the relevant EU law is. After the annulment of the Data Retention Directive, the benchmark at EU level for assessing any national data retention legislation is, in principle, Article 15(1) of the e-Privacy Directive (Directive 2002/58/EC). However this provision only contains very generic criteria, such as “necessary, appropriate and proportionate” and refers further to general principles of law and to fundamental rights. The obligation from the Charter of Fundamental Rights of the European Union for such measures to be

“necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others”

and the European Court of Justice ruling on the data retention Directive are subject to varying interpretations and do not provide adequate benchmarks.

* The intervention of Cecilia Malmström MEP in the European Parliament debate before the vote on the Directive:

Good laws are not enacted under pressure of time and with a faulty basis for decision-making. I am very critical of the way in which the process relating to the proposal for a decision on the retention of electronic communication services data has been handled. This is a difficult issue on which to adopt a position. Reflection is required, together with a solid factual basis in relation to the privacy aspect, the technical consequences and the actual costs for telecommunications operators and thus consumers. This is an approach we owe Europeans.