This website uses cookies

This website uses cookies to ensure you get the best experience. By using our website, you agree to our Privacy Policy

Sign Up for our Free Newsletter
Solictors Journal logoSolictors Journal logo
Subscribe
Jean-Yves Gilg

Editor, Solicitors Journal

When Big Brother goes too far

Feature
Share:
When Big Brother goes too far

By

A recent decision by the CJEU struck the right balance between security and privacy in the digital world, says Paul Stanley QC

We live in a digital world. Most people make mobile calls, send text messages and communicate online.

In the wake of disclosure
of the breadth and frequency
of US surveillance – not to mention concerns about private hacking – inadvertent loss of
data by internet companies,
and security breaches such as
the Heartbleed bug, this is a
topic of increasing concern.

We fear Big Brother. Yet at
the same time we also fear international terrorism and serious crime.

Everyone can see that there is
a balance to be struck. We want privacy, and we are wary of both deliberate surveillance and inadvertent loss of privacy
that may occur where data is insecurely stored. However, we also want security and we know there are people who exploit the anonymity of the digital world
to harm us.

Test case

In joined cases C-293/12 and C-594/12 Digital Rights Ireland (Grand Chamber, 8 April 2014), the European Court was required to consider how this balance should be struck.

More precisely, it was required, in two test cases, to consider whether it had been properly struck by directive 2006/24/EC. That directive required service providers to retain a substantial amount
of data about the users of telephone and internet services.

The data would identify
the user, numbers called, the location of the user when
online, and even the location
of a mobile telephone user (though not the contents
of communications).

Member states were authorised to require it to be kept for at least six months, and up to two years. It was to be kept for the purposes of “the detection and prosecution of serious crime”, though the definition of ‘serious’ crime was left to each member state.

The CJEU had no difficulty
in concluding that this measure constituted an interference
with rights of privacy and the protection of personal data laid down in articles 7 and 8 of the Charter of Fundamental Rights of the European Union.

Equally, it had no difficulty
in concluding that the objective served by the directive was legitimate, and that some interference with those rights was potentially justifiable.

The key question was whether the particular legislative scheme adopted was proportionate.

Off target

The CJEU concluded that it
was not proportionate. It relied on the following factors,
in particular:

n The legislation was not specifically targeted at particular people or situations: it was a dragnet, not a snare. It applied to everyone’s data, and lots of
it. The CJEU thought that the measure should have been better targeted. It should
have identified particular people, places or times,
in relation to which data needed to be secured.

  • The data dealt only with retention. It did not contain proper criteria specifying the circumstances under which national authorities should be permitted to access the data. Although the data was retained for a narrow purpose (dealing with serious crime), that was not reflected in adequate limitations on the use to which the data could subsequently be put. Most importantly, it did not provide an adequate system for judicial control over such access.
  • The time for which data should be retained was not linked to any objective factor relating to the purpose for which it was retained.
  • There were no adequate rules ensuring that the ‘vast quantity’ of ‘sensitive’ data that was to be retained should be protected from unauthorised access. In other words, quite apart from lacking rules governing the circumstances in which national authorities could legitimately access it, there were inadequate safeguards against its illegitimate theft by third parties.

The CJEU has not generally been regarded as an especially doughty champion of individual rights. In many cases, it has been willing to take a very flexible approach, and critics have felt that it gives insufficient weight to individual rights.

Digital Rights Ireland is, therefore, all the more significant, as it represents a rare case of important legislation being invalidated. This is not because the court was blind to the risks that the directive sought to address, but it was insistent
on a rigorous analysis of
the connection between
those risks and the rules adopted.

That is a welcome approach
to proportionality. SJ

Paul Stanley is a barrister practising from Essex Court Chambers

Related Topics