Judgment Approved by the court for handing down.
SSHD v Watson & Others
it is now the subject of a further reference to the CJEU, it would not be appropriate for this
court to seek to resolve the issue. Accordingly, any declaratory relief should, in my view, be
expressly limited to the application of DRIPA to fighting crime.
13.
In these circumstances I consider that it is appropriate to grant declaratory relief, limited to
the context of the prevention, investigation, detection and prosecution of criminal offences, to
the effect that DRIPA was inconsistent with EU law to the extent that it permitted access to
retained data, where the objective pursued by that access was not restricted solely to fighting
serious crime, or where access was not subject to prior review by a court or an independent
administrative authority.
Retention in the EU
14.
In these proceedings, the First Respondent contends that DRIPA does not contain adequate
safeguards against communications data leaving the European Union. It is submitted that the
Divisional Court rightly identified that domestic law is deficient in this respect but wrongly
concluded that on a proper interpretation of Digital Rights Ireland it is not necessary for
restrictions on passing on information about communications data outside the EU to be
embodied in statute. The First Respondent submits that the Divisional Court should have held
that the deficiency in domestic law was a further reason for holding that section 1 of DRIPA
is inconsistent with EU law (see Respondent’s skeleton argument before the Court of Appeal,
paragraphs 75, 76). Accordingly, the First Respondent issued a Respondent’s Notice to that
effect. I understand that this is also the position of the Second and Third Respondents.
15.
The dispositif of the judgment of the CJEU in the present case expressly refers to such a
requirement stating that national legislation governing the protection and security of traffic
and location data is precluded “where there is no requirement that the data concerned should
be retained within the European Union”. This may be taken as reflecting paragraph 122 of
the judgment where the Court states that the providers of electronic communications services
must, in order to ensure the full integrity and confidentiality of data, guarantee a particularly
high level of protection and security by means of appropriate technical and organisational
measures. It then states:
“In particular, the national legislation must make provision for the
data to be retained within the European Union and for the irreversible
destruction of the data at the end of the data retention period …”
16.
On this basis we are urged by the Respondents and the Interveners to grant declaratory relief
to that effect.
17.
Mr Eadie, however, submits that there is a deep uncertainty as to the precise meaning and
scope of these passages in the judgment of the CJEU. On their face, they appear to impose an
absolute, unconditional requirement. By contrast the argument before the national courts in
these proceedings has, to date, been on the basis that there was a lack of adequate safeguards.
Furthermore, it is clear from the IPT judgment that it is the position of Privacy International,
the claimant in those proceedings, that the obligation is not an absolute one. At paragraph 65
of its judgment the IPT records the submission of Privacy International in those proceedings.
“However, the Claimant submits that it is not an absolute bar,
because of the interpolation of paragraph 123 between paragraphs
122 and 125. That paragraph provides for there to be a review by an
independent authority of compliance with the level of protection
guaranteed by EU law, and Mr. De la Mare submitted that, by virtue
of the reference to Article 8(3) of the Charter, this was to be seen as