We hear most often about the surveillance by
security services of the U.S. but also European states need to get information
about what criminal organisations and terrorists plan and who participate in
them. On the other hand the total surveillance state raises justified
suspicions, in particular in post-communist countries. Moreover, information
does not always come from direct surveillance by the state, government agencies
would also like to have access to the most possible data collected and stored
by private actors for their own purposes. Although processing of data for
prevention and fighting crime does not belong under the general Data Protection
Regulation (GDPR), neither under the e-privacy directive, the collection of
data by private organisations does.
On
Wednesday the 15th January the opinion of the advocate general of
the European Court of Justice (ECoJ) was published in three such cases (joint
cases C-511/18 and C-512/18, C-623/17 and C-520/18). A French, a British and a
Belgian court requested preliminary judgments to interpret European law on data
protection. The topic was already handled before by the Luxembourg institution: I wrote on portfolio.hu (the English version is premium content) about the background and the advocate general’s opinion in
the Facebook case. Also, the directive about transferring passenger name
records (PNR) was declared invalid by the court, also because on exaggerated
intervention into privacy. Two further judgments (TELE2 Sweden and Watson) are
considered fundamental in the domain: the Court issued its judgment in December
2016 and declared that
Even for the purpose of fighting crime cannot the
general and indiscriminate retention of all traffic and location data of all
subscribers and registered users relating to all means of electronic
communication be provided for.
Three
conditions were formulated: collection has to be restricted solely to fighting serious crime, access should
be subject to prior review by a court or
an independent administrative authority and the data should be retained within the European Union. In a
subsequent case (Ministerio Fiscal, C-207/61), where different SIM-cards were
placed in a stolen mobile phone, it was, however, found justified that the
authorities should have access to the data of owners of all the SIM cards
activated with it.
Although in
the current cases we only know the opinion submitted by advocate general
Sánches Bordona and the judgment will come later, the three cases are linked
and this enabled the expert to examine the issue carefully and the three
opinions also referring to each-other. It is commonplace also that the Court
very often accepts the opinion, and even when momentarily they are not followed
completely, the considerations and principles outlined in them become part of
European legal thinking and can influence later cases.
The
advocate general formulated a very important principle by saying that: Although
terrorism takes into account, when justifying its means, only the (maximal)
effectiveness of the attacks against the existing order, the rule of law can
only measure effectivity by criteria which do not tolerate, during its defence,
the procedures and guarantees which lend the rule of law its legitimacy.
Would a state based on the rule of law
subordinate itself without further restrictions to the pure effectivity, it would
lose the characteristic which differentiates it and in an extreme case the
state itself would become also a menace. Nothing would ensure that, if tools to
fight crime would be at the disposal of the public authorities in an extreme
degree, by which they could ignore or weaken the fundamental rights, its
uncontrolled and completely free application would not harm finally the liberty
of everybody.
It has to
be noted that the European Court of Justice does not decide directly the cases
brought to it in the framework of a reference for preliminary ruling (there are
cases which it decides, like those brought against decisions of the Commission
or brought by the Commission against member states in infringement cases), only
gives guidance on how to interpret European law. This is, however, always done
within the limits of the circumstances of the concrete case. Therefore
different proposals for judgment were made in the three (actually four as two
were joined) cases now being discussed. The considerations leading to these
proposals designate together the framework in which further similar cases will
probably be judged.
The law to
be applied (whether it is the GDPR or the directive about data protection in
the area of fight against crime) seems to be a formal question, the legal
guarantees are, however, different between the area of general data processing
and the area of prevention of and fight against crime (precisely: prevention,
investigation, detection or prosecution of criminal offences or the execution
of criminal penalties). This latter is not even regulated by a European regulation,
but by a directive
which gives a wider liberty to member states to formulate their own rules (of
course within the limits set by the directive). Evidently, the GDPR also contains restrictions to the rights of the data subjects
taking into account the needs of fight against crime, national security and
similar purposes. The preconditions of restricting these rights are
nevertheless stricter. In spite of this, the handling of data of air passengers
(PNR) was deemed illegitimate even based on the directive on data protection in
fight against crime. The difference is – according to the opinion of the
advocate general – that there the data were directly processed by agencies of
the state while here the authorities wanted to access data collected by private
organisations for private (commercial) purposes.
The opinion
reinforces on one hand the conditions already established in the Tele2 and
Watson cases but emphasizes that even in the situation which is characterised
by a grave and persistent threat to national security, it is not justified to
oblige the providers to retain all data in general and without differentiation.
This is the same whether these data are accessed in real time or during their
subsequent storage. “It has to be prescribed that the pre-defined models and
aspects concerning the processing of data have to be concrete, reliable and
devoid of discrimination in a way to enable the identification of persons who
can reasonably be suspected to participate in acts of terrorism.”
The
advocate general explicitly adds another one to these requirements:
the obligation to inform the data subjects about
the fact that the relevant authorities process their data, unless this
information would endanger the procedures of these authorities.
This
information obligation has to be fulfilled when it does not endanger any more
the investigation in progress.
All this is
in conformity with Article 23 of the GDPR, which restricts the rights of data
subjects. The opinion extends, by the way, quite logically, the concept of
preventing and fighting crime to national security, territorial defence, public
security, the prevention of illegal use of electronic communication devices and
any other purposes prescribed in the GDPR (probably, although this is not
explicitly mentioned in the opinion, in the abovementioned Article 23 of it).
It is
interesting that only one case turns around a concrete processing of data, in
the others the plaintiffs demand the annulation of the laws regulating the
surveillance. In Belgium the law now under challenge was voted exactly after
the annulation of its predecessor by the Constitutional Court following the PNR
case while in France it is the law of internal security.
The
European Court not only does not decide the individual legal case (as mentioned
above) but also tasks the national court which deals with the case itself to
decide whether the requirements the ECoJ formulates are fulfilled in the
concrete case. In these cases it also leaves to the national court to ascertain
whether the laws in question limit the intrusion to the cases whose gravity renders
the access indispensable and whether the conditions posed above are complied
with.
Beyond
that, it allows also to retain the legal effect of the law – even when it is
annulled – if this is justified by the fight against threats to national or
public security. The effect can, however, be only maintained for the period
absolutely necessary to remedy the established incompatibility with Union law.
It is
finally worth mentioning that the case law of European Court of Human Rights is
also taken into account in legal proceedings concerning fundamental rights. The
latest publication of the Strasbourg-based court on
surveillance was issued in September 2019. The practice of this body is limited
to judge the procedures of state actors and it raises objections only if
fundamental rights are infringed and is thus sometimes more permissive than the
European Court of Justice. It allowed for example mass collection of data, if
the appropriate safeguards were provided. The advocate general tries also to
reconcile this contradiction by prescribing appropriate conditions and
requirements in the cases in question. Thus, we will know a lot from the final
judgments of the Court about when, how and why state actors can monitor us and
what will be the guarantees of our rights.
The Hungarian version of this article appeared on portfolio.hu
The Hungarian version of this article appeared on portfolio.hu
Comments
Post a Comment