CHAPTER 5: LEGAL CONSTRAINTS
is correct that to limit the categories of person whose data is retained, as the CJEU
appears to have wished, would be to destroy the whole concept of data retention and
cannot therefore have been intended, the Digital Rights Ireland constraints will still be
significant. To pass muster under EU law, the UK rules that replace DRIPA 2014 s1
and the Data Retention Regulations 2014/2042 will have to be prefaced at the very
least by consideration of:
(a)
limiting the use of retained data to specified categories of “serious crime”;
(b)
substantive and procedural conditions for access to and use of retained data;
(c)
prior authorisation by a judicial authority or independent administrative body;
(d)
variable retention periods, limited to what is strictly necessary;
(e)
provision for the physical security of data and its irreversible destruction when
the retention period ends;
(f)
special treatment for communications subject to professional secrecy; and
(g)
the retention of data within the EU.
5.77.
The Grand Chamber of the CJEU is the apex of the judicial pyramid where EU law is
concerned, and its conclusions are strictly binding. The extent to which current UK
law gives effect to the requirements of Digital Rights Ireland is disputed in the MPs’
case referred to at 5.75 above, which will be heard in the High Court in June 2015. In
the circumstances, it would be inappropriate for me to venture an opinion on its legal
compatibility.
5.78.
There are however powerful arguments against an over-broad interpretation of the
Digital Rights Ireland judgment. In particular:
95
(a)
What the Grand Chamber said about prior independent authorisation (5.68(f),
above), seems to go further than the case law of the ECtHR but without
explaining why. See, for example, Kennedy v UK (not cited by the Grand
Chamber), in which the ECtHR accepted prior authorisation of individual
warrants by the Secretary of State even where the interception of content was
concerned.
(b)
Though the CJEU was prepared to describe data retention as a “particularly
serious” infringement of fundamental rights, concrete examples of harm are not
provided and are not immediately evident.95 While there may be some for
whom the retention of data “is likely to generate in the minds of the persons
concerned the feeling that their private lives are the subject of constant
The CJEU’s suggestion that “it is not inconceivable that the retention of the data in question might
have an effect on the use … of the means of communication covered by that directive and,
consequently, on their exercise of the freedom of expression” (Digital Rights Ireland, para 28) appears
tentative and largely theoretical, at least where law-abiding people falling outside the specially
protected categories are concerned.
90