Judgment Approved by the court for handing down.
Davis & Ors v SSHD
(b) the Directive amended the e-Privacy Directive, which was also based on Article
95 EC. In so far as amendment of that Directive was within the scope of
Community (i.e. ‘First Pillar’) powers, the Data Retention Directive could not be
based on (what was at the time) a ‘Third Pillar’ provision of the EU Treaty
relating to police and judicial cooperation in criminal matters, without infringing
the separation put in place by (what was at the time) Article 47 of the EU Treaty;
(c) the provisions of the Data Retention Directive were essentially limited to the
commercial activities of communications service providers and did not govern
access to, or use of, data by the police or judicial authorities of the Member States
(paragraph 80 of the judgment). It regulated operations that were independent of
the implementation of any police and judicial cooperation in criminal matters and
harmonised “neither the issue of access to data by the competent national lawenforcement authorities nor that relating to the use and exchange of those data
between those authorities. Those matters………..have been excluded from the
provisions of that Directive, as is stated in particular in recital 25 to the preamble
to, and Article 4 of, the Directive.”
36.
At paragraph 57 of its judgment the CJEU said:“It must also be stated that the action brought by Ireland relates
solely to the choice of legal basis and not to any possible
infringement of fundamental rights arising from interference
with the exercise of the right to privacy contained in Directive
2006-24”
That challenge was to come in Digital Rights Ireland. Before coming to that case it is
convenient to set out the relevant UK domestic legislation prior to 2014.
Domestic legislation
Data Protection Act 1998
37.
As we have noted, the Data Protection Directive was implemented in the UK by the
Data Protection Act 1998. Section 6 and Schedule 5 provide for independent
oversight by the Information Commissioner. The eighth of the data protection
principles listed in Schedule 1 to the Act, together with the derogations in Schedule 4
to the Act, implement Articles 25 and 26 of the Data Protection Directive concerning
the transfer of personal data to third countries.
38.
The safeguards in the Data Protection Act applied to access to communications data.
However, there was no mandatory data retention regime. Security, intelligence and
law enforcement agencies making use of communications data were obliged to rely
solely on data routinely retained by communications companies for their own
purposes.
Regulation of Investigatory Powers Act 2000 (“RIPA”)
39.
Chapter II of Part I of RIPA set out the access regime pursuant to which certain public
authorities might obtain and use communications data. Access to communications
data required an authorisation by a designated person of an appropriate grade within a