What’s next for Data Retention Law in the EU?

Data retention refers to the policies governing the persistent storage of data and records to meet legal and business requirements. In the field of electronic communications its stated purpose is to keep communications data available for law enforcement, but in practice it enables mass surveillance: by analysing the retained data, governments can infer individuals’ personal information, such as their location.

The Madrid bombings in 2004 and the London bombings in 2005 prompted the creation of a harmonised data retention law in the EU. Unsurprisingly, this met significant resistance from human rights organisations, privacy advocates, and citizens who challenged the compatibility of such a law with their rights to privacy and data protection.

Nonetheless, the Data Retention Directive (Directive 2006/24/EC) was adopted in 2006 and placed an obligation on providers of publicly available electronic communications services and of public communications networks to retain specific communications data for law enforcement purposes. Notably, the Directive required Member States to ensure that communication providers retained the data specified in the Directive in order, among other things, to trace and identify the source of a communication, to determine its date, time and duration, and to identify the location of mobile communication equipment. Crucially, the data had to be available to “competent” national authorities in specific cases “for the purpose of the investigation, detection and prosecution of serious crime, as defined by each Member State in its national law.”

Member States’ dissatisfaction with implementing the Directive was highlighted in the European Commission’s 2011 evaluation report. Although the Commission recognised data retention as a valuable tool for criminal justice and public protection, it also noted service providers’ concerns about compliance costs and civil society organisations’ argument that the Directive infringed the fundamental rights to privacy and to the protection of personal data. The Directive itself was declared invalid by the Court of Justice of the European Union (CJEU) in Digital Rights Ireland (Joined Cases C-293/12 and C-594/12, April 2014) as a disproportionate interference with Articles 7 and 8 of the Charter; the later case law therefore turns on Article 15(1) of the e-Privacy Directive (Directive 2002/58/EC), which allows Member States to adopt their own retention measures. Since then the CJEU has repeatedly been asked to answer preliminary questions from Member States’ courts, further clarifying which data retention regimes are permissible.


Joined Cases C-511/18, C-512/18 and C-520/18 La Quadrature du Net and Others [2020]

In this case the Court received preliminary references from France and Belgium. The French referrals questioned the legality of surveillance measures introduced since 2015 to combat terrorist attacks, and the Belgian referral questioned the legality of its data retention regime. Both asked whether the general retention of communications data could be justified as a measure to safeguard national security under Article 15(1) of the e-Privacy Directive, read in light of Article 7 (respect for private and family life) and Article 8 (protection of personal data) of the Charter. Given their similarity, the cases were joined and a single judgment was delivered on 6 October 2020.

In its judgment, the Court first held that EU law applies where national legislation requires telecommunications providers to retain data or to grant access to it, including where this is done for the purposes of national security. It then laid out the conditions under which general and indiscriminate retention of traffic and location data may be ordered in the face of a ‘serious threat to national security’ that is genuine and present or foreseeable: such retention must be limited in time to what is ‘strictly necessary’, must be subject to safeguards, and must not be ‘systematic in nature’. Outside that scenario, general and indiscriminate retention, even as a preventive measure, is not permitted under EU law, especially where there is no link between the conduct of the individuals whose data is affected and the objective pursued by the legislation. In its interpretation of Article 15(1) of the Directive, the Court stressed that a retention measure must be ‘strictly’ proportionate to its intended purpose and must be subject to review by a court or an independent administrative body whose decision is binding.


Case C-623/17 Privacy International [2020] 

This case, decided on the same day as La Quadrature du Net, concerned the collection of bulk communications data by the UK security and intelligence agencies. The facts date back to 2001 (GCHQ) and 2005 (MI5) and run until the passing of the Investigatory Powers Act 2016. During those years the Secretary of State issued directions to electronic communications providers under s.94 of the Telecommunications Act 1984 requiring them to supply the intelligence agencies with bulk communications data. Privacy International, an NGO, argued before the Investigatory Powers Tribunal (IPT) that this practice was contrary to EU law. The IPT’s provisional judgment was that the matter fell outside the scope of EU law because it concerned national security.

The IPT then referred two questions to the CJEU: first, whether such a situation falls within the scope of EU law and, if so, whether the requirements laid down in the Tele2 Sverige judgment apply to it. The CJEU held that the matter did fall within the scope of EU law and that national legislation requiring providers to transmit traffic and location data to the security and intelligence agencies in a general and indiscriminate way is precluded by it. In paragraph 81 of the judgment the CJEU recalled the importance of the principle of proportionality and of doing only what is “strictly necessary”, indicating that the UK regime exceeded that standard, and went on to hold that the safeguards identified in its case law must be observed in such situations.


The future of data retention in the EU 

Data retention has long been contested between governments invoking national security or similar “shields” and privacy advocates and human rights activists. Police and government requests for information are usually made for investigative purposes, but in the eyes of privacy advocates even a small overreach can amount to mass surveillance. Nonetheless, retaining and accessing personal data in the field of electronic communications to safeguard national security and deter crime has become common practice among national security agencies across the European Union.

The line of cases C-623/17 (UK), C-511/18 (France), C-512/18 (France) and C-520/18 (Belgium) indicates that general data retention is warranted only where there is a serious threat to national or public security, and that the measure must be ‘strictly’ proportionate to its intended purpose. The doctrine of ‘strict’ proportionality arguably amounts to an endorsement of national security grounds, and the proviso leaves an obvious loophole, even though the rulings found general and indiscriminate retention incompatible with EU law in principle. More recently, the judgment of 2 March 2021 in Case C-746/18 H.K. v Prokuratuur shows the CJEU’s consistent attitude: in the context of criminal law enforcement, access to traffic and location data, which can be highly intrusive into an individual’s private life, is permitted only to combat serious crime or to prevent serious threats to public security. The Court also held that the public prosecutor’s office, which directs the investigation and brings the prosecution, cannot be the independent body that authorises such access. In that ruling the CJEU largely confirmed its reasoning in La Quadrature du Net.

The ‘serious’ and ‘strictly’ provisos clearly give some countries an opening, and a reason, to push back against the CJEU’s view. France, for example, has shown little willingness to comply with La Quadrature du Net, in which the CJEU set a high threshold for retaining and accessing telecommunications data for law enforcement and national security purposes, and has actively sought to circumvent the ruling on the grounds of “constitutional identity” and national sovereignty. [1]

Meanwhile, the issue risks a butterfly effect that puts the EU in an awkward double-standards position. After all, in Schrems II (Case C-311/18) the CJEU invalidated the EU-US Privacy Shield largely out of distrust of US surveillance powers over transferred data.

So, will national security grounds, which the CJEU has scrutinised repeatedly, continue to be a crack in EU legal policy? Will the question of who is best placed to carry out that scrutiny in the law enforcement context remain controversial [2], for instance whether the reviewing body must be independent of the authority seeking access to the data? At the very least, data retention will keep the CJEU busy for the foreseeable future.


[1] Laura Kayali, ‘France seeks to bypass EU top court on data retention’, https://www.politico.eu/article/france-data-retention-bypass-eu-top-court/, accessed on 24 March 2021. 

[2] Thomas Wahl, ‘Conditions of Access to Retained Telecommunications Data for Law Enforcement’, https://eucrim.eu/news/ag-conditions-access-retained-telecommunications-data-law-enforcement/, accessed on 24 March 2021.

Comment on Joint Controllers and the Household Exemption

Hi guys, nice job on the article “Alexa, am I a data controller?”! We loved reading it and felt as though you truly walked us through the complexities arising from using smart speakers… it would dissuade more than one person from buying them!

After a thorough reading, we questioned who exactly the owner is. Some of us believed it was powerful companies like Google and Amazon, others felt it was the average consumer buying the speaker. These different perspectives led us to discuss controllership as well as the household exemption. 

The first point we discussed was that of controllership and the extent it should have.  

A lot of focus is placed on the idea that smart speaker owners have little control over their device. Arguably, since the owner can turn off the device/microphone and choose what information is being ‘listened’ to by the device (i.e. through trigger words), he may be found to have significant control over it. This could invoke the owner’s liability. This is the case where a third party may visit the owner’s house, being unaware of the existence of a device, and have their data processed. An example could be where the owner uses the device in a way that provides information about other individuals. For instance, saying ‘Alexa, call John from the XYZ law firm’ includes information about John’s profession, or ‘Alexa, remind me to buy a gift for Nick’s wedding’ provides information about Nick’s marital status.

This element of control may have the same meaning as controller under the GDPR. The concept of owner entails someone using a product for one’s own use. Surely in a situation like this, they cannot be responsible for the processing of their own data; they are the data subject rather than the controller. They are however, as you discuss, a data controller under the GDPR definition where other people’s data is concerned. As mentioned above, users may be regarded as “controllers” because they have collected information from friends or other people and “indirectly” submitted it to the manufacturer (i.e., Amazon). In this case, it will be inevitable to discuss the household exemption, but more on this later.

We did however question an argument you put forward in the blog. You write that users should not be identified as controllers because it would dilute effective protection: “Making everyone responsible means that no-one will in fact be responsible”, but this is open to debate. Firstly, responsibility should not be evaded; giving users some responsibility can make them more cautious and careful when collecting information from others. Secondly, we agree that users’ responsibilities should be limited in situations of a data breach, but they should be held liable in proportion to their assistance. It is not suitable to use the concept of controller, as described under the GDPR, to hold them liable to the extent of global tech giants like Amazon or Google.

The second point in the blog that sparked our interest was the household exemption and your position on its breadth.  

According to Article 2(2)(c) GDPR, the household exemption applies where processing of data is carried out in the “course of a purely personal or household activity”. It is questionable whether the scope of the provision should be extended to protect individuals who enable third-party data processing through smart speakers.

It is true that in the event of a data breach, the injured party cannot retrieve anything from the owner. However, the concept of controllership does not stem from whether something can be retrieved but rather from whether there was assistance in obtaining the data. Owning a smart speaker and being negligent in restricting the collection of data (e.g., by turning the microphone off) puts the owner in a liable situation.

Logically, this facilitation should not enable an owner to be protected under the household exemption. They are liable for holding “decisive influence” (Fashion ID) over the collection of data, especially in their house. The transmission of data which is not their own is neither a personal nor a household activity.

Furthermore, the household exemption in relation to smart speakers should continue to be narrow due to the large scope of information they can gather. While most people will use these devices to monitor their daily lives (grocery shopping lists, etc.), some might also use them for professional reminders. This use of smart speakers would lead them to, technically, fall under the household exemption but, in practice, cover data that is not personal. This could be taken even further and lead one to wonder what happens when a smart speaker user divulges professional information to the device and that information is covered by a non-disclosure agreement.

It is for all these intricacies related to the household exemption, and the implications it has in relation to data, that, unlike you, we believe that the scope of the exemption should remain narrow.