The internet and smartphones are symbols of our times. They define the self-perception of this generation in quite a similar way as debates about abortion did some thirty years ago. Hence the media attention when Advocate General Cruz Villalón found last Thursday that the Data Retention Directive violates the EU Charter of Fundamental Rights – a conclusion which the Court of Justice (ECJ) will confirm in all likelihood, considering the critical comments of the judges at the oral hearing in July. Thus, the final outcome in Luxembourg might confirm the recent position of the Advocate General (AG) and earlier findings of the German Federal Constitutional Court (FCC): a conditional yes with various distinctive strings attached, which effectively oblige the EU legislator to revisit the original compromise and to lay down strict conditions for the access to and the use of retained data.
I would applaud this outcome for its impact on both data protection standards and wider European law and politics. Due to considerations of legislative competence, the EU legislator had confined itself to rules governing data retention so far without substantive of procedural prescriptions for law enforcement purposes. Pedro Cruz Villalón considers this asymmetry to be illegal and you may illustrate his position with the literary figure of Victor Frankenstein, who had designed a pre-industrial android full of good intentions before loosing control of his creation to the harm of innocent people. This is not supposed to happen with the EU’s digital creation. Those who command the collection of data ‘which may make it possible to create a both faithful and exhaustive map of a large portion of a person’s conduct … or even a complete and accurate picture of his private identity’ (para. 74) shall be instructed to control the use of the data. This is even more relevant in the case of data retention, which ‘might be used for unlawful purposes which are potentially detrimental to privacy or, more broadly, fraudulent or even malicious’ (para. 75), a courteous hint at potential NSA access to EU data.
Three Alternatives how to Control Access to Retained Data
While it is intuitively convincing to link data collection to data access, it is less evident that corresponding control powers should be conferred upon the EU institutions as the Advocate General suggests. There are alternative scenarios how data access may be regulated. I propose to distinguish three alternative control scenarios, two of which are less intrusive for the federal balance of power in Europe than the opinion of AG Cruz Villalón.
Firstly, control may be exercised, in line with the status quo, in the domestic arena. National parliaments and courts would decide upon conditions and limits for data access (as the Grand Coalition recently did within Germany when it decided to follow strictly the line, which the FCC had established in a ruling of 2010). The advantage of this solution is evident, since it respects and promotes national autonomy, which, conversely, presents the central downside of this first solution: whenever Member States become unreliable partners (like, irrespective of data protection, Hungary at present), the Data Retention Directive creates a potential monster which the EU is – like fictional Victor Frankenstein – unable to control.
Secondly, one may consider a midway solution, which leaves Member States room for legislative autonomy, while subordinating their action to judicial control on human rights grounds by the ECJ. This could be achieved by categorising national rules on data access as an implementation of Union law within the meaning of the Åkerberg Fransson judgment – a route which the Court had followed with regard to family reunion, when it indicated that national deviations are subject to EU human rights (paras. 102-104). This solution would uphold the privileges of national parliaments and limit the influence of national courts only. From a doctrinal perspective, it would be based upon a reading of Art. 52.1 of the Charter which conceives of national laws as limitations ‘provided by law’ which are capable in a combined assessment, together with the Directive, to meet the requirements for legal certainty which the AG rightly asks for (thanks to Mattias Wendel for sharing this thought with me). National legislative autonomy and supranational judicial oversight would go hand in hand.
Thirdly, AG Cruz Villalón proposes to oblige EU institutions to assume full responsibility for their digital creation by laying down the conditions for the access and the use of the collected and stored data (para. 120). In a domestic German context, a similar position had been advanced by the FCC which found that ‘well-defined limits for the use of retained data are inextricably linked to the obligation imposed by the stat to collect and store the data.’ If the ECJ follows this line, the EU legislator would have to revisit the Directive with prescriptions, among others, for law enforcement and criminal proceedings (paras 121-125) or an obligation to store the data within the territory of the European Union in order to obstruct abusive access, including by the NSA (para 78-79). The central advantage of this solution would be legal clarity with continental rules on the access to and the use of retained data. Moreover, EU law not only be perceived as a judicial control standard (as with solution No. 2), but be subject to political debates about appropriate conditions and limits for public data collection. Such debates might buttress pan-European public debates – just after EP elections next May.
Towards New Rules at European Level
I expect that ECJ to follow the opinion of the Advocate General (although it is increasingly less inclined to do so, especially in high profile cases). It presents the Court with an opportunity to assert prominently its authority as a human rights court. Assuming that this will happen, what would be the immediate consequences for European decision-making?
AG Cruz Villalón proposes to limit the temporal effects of the finding of invalidity. That is far from unusual and was spelled out, in similar ways, by the judgment on the Passenger Name Record Agreement and the seminal Kadi ruling on the implementation of UN Security Council Resolutions. Given that any renegotiation of the Data Retention Directive will prove to be a contentious legislative package, which deserves and requires political debates, also with the wider public, it would be wise for the Court to opt for an extended limit-limit for revision, such as one or two years (mirroring the FCC’s domestic decision on preventive custody). During this period, the ordinary legislative procedure would unfold. Brussels and Strasbourg would be in the limelight of the political debate how to delimit privacy and law enforcement in today’s world. This would be an excellent opportunity for European democracy in action.
In the context of these debates, it would have to be discussed whether EU Treaties comprise an overarching competence to regulate data retention comprehensively, including rules on the access to and the use of retained data. Remember that the ECJ had reaffirmed the EU’s legislative competence for the Data Retention Directive as a project to realise the single market in part since the Directive does not cover the data access. If this is about to change, Art. 114 TFEU might prove to be insufficient for the adoption of amended legislation, also considering that human rights considerations are not meant to extend the EU’s legislative competences. For that reason, it might be necessary to have recourse to harmonisation powers for criminal procedure, which have been buttressed by the Treaty of Lisbon. I am optimistic that a thorough assessment will confirm the existence of a broad legislative competence, whose activation and exercise will then have to be discussed and justified on political grounds.
Is the German Bundestag Bound to Implement Directive 2006/24/EC?
Assuming that the situation described above comes about, one question remains: Is the German Bundestag obliged to transpose Directive 2006/24/EC, even if the ECJ finds the latter to be incompatible with the Charter of Fundamental Rights? If that happens together with a limitation of the temporal effects, the answer is ‘yes’, since one of the core legal obligations which any directive brings about is implementation. That has been denied by the German legislator after the 2010 FCC ruling due to internal disputes within the former coalition – and prominent members of the incoming Grand Coalition have already indicated that the AG opinion constitutes a change of circumstance which would justify a departure from the compromise for minimal implementation in the new Coalition Agreement. If that happens the infringement proceedings, which the Commission has initiated, would be bound to succeed. That is not to say, however, that the Court should prioritise the case. It would be wise for judges in Luxembourg to either delay the case until after the adoption of a new Directive or to limit the verdict to a symbolic finding without penalty payments. Anything else would compromise the positive impact of the forthcoming ruling on the validity of the Data Retention Directive both for the standing of the ECJ and the ensuing political debate across Europe.