CHAPTER 5: LEGAL CONSTRAINTS
surveillance” (Digital Rights Ireland, para 37), the survey evidence suggests
that this is putting it rather high.96
5.79.
(c)
There is a case for excluding the use of retained communications data in
relation to the most trivial of offences (5.67(e) above). But if the mark for
“serious crime” is set too high, damaging crimes will go needlessly unpunished
and public confidence in law enforcement will be reduced.
(d)
To limit retention to “particular persons likely to be involved, in one way or
another, in a serious crime”, and/or to “persons who could, for other reasons,
contribute, by the retention of their data, to the prevention, detection or
prosecution of serious offences” (Digital Rights Ireland, para 59), would not only
reduce the effectiveness of data retention in identifying targets but would carry
other risks, since to seek to apply such nebulous distinctions would be to court
allegations of prejudice, profiling and unlawful discrimination.97
The wider implications of the judgment also need to be reflected upon. Though Digital
Rights Ireland did not concern the bulk interception of content, it is arguable that its
principles (including in relation to prior independent authorisation) should apply in that
area with at least the same force.98 Indeed the CJEU stated in terms that the bulk
interception of content would be more intrusive, since unlike the Data Retention
Directive it would affect the “essence” of the fundamental right to privacy (para 39).
There may be implications also for other types of surveillance in relation to which types
of self-authorisation are practised, in particular by the security and intelligence
agencies. All this is subject to EU law being applicable: though to the extent that
Digital Rights Ireland may in the future be adopted or followed by the ECtHR, that
distinction will cease to matter.
Google Spain
5.80.
96
97
98
99
A further, more recent decision that may also affect any future data retention
legislation is the judgment in Case C-131/12 Google v Spain.99 The CJEU
determined, in brief, that a search engine (such as Google) was a data controller for
the purposes of the Data Retention Directive. As a result, it was obliged to protect the
fundamental rights of the owner of that data and in particular to protect the right to be
“forgotten” by responding to requests that certain data be destroyed or not made
available.
See, e.g., TNS-BMRB (2.27(a) above).
My experience as independent reviewer of terrorism legislation indicates that the universal exercise of
intrusive powers (e.g. to require screening at an airport) is accepted by almost everybody, whereas the
use of discretionary intrusive powers (stop and search; port detentions) may be perceived as
discriminatory and used (whether justifiably or not) to foment a sense of grievance in affected
communities.
Note however that the point is currently in dispute before the courts; and that it was ruled in the Liberty
IPT case (though by reference only to ECHR case law) that the existing UK system for authorising
interception warrants is unobjectionable: Liberty IPT Case, judgment of 5 December 2014, para
116(vi).
EU:C:2014:317.
91