Judgment Approved by the court for handing down.
Davis & Ors v SSHD
90.
Mr Eadie was of course right to submit that the decision which the CJEU had to make
in Digital Rights Ireland was binary, namely whether the Directive was valid or
invalid. We do not accept that the case is authority for nothing more than that overall
verdict, any more than we interpret the judgment as meaning that each criticism or
concern which the Court expressed involves a fatal flaw in the legislation. But some
points are made with such emphasis that we understand the Court to have laid down
mandatory requirements of EU law.
91.
We put the following observations by the Court in this category:
(a)
The protection of the fundamental right to respect for private life requires that
derogations and limitations in relation to the protection of personal data must
apply only in so far as is strictly necessary. Consequently the legislation in
question must lay down clear and precise rules governing the scope and
application of the measure in question and imposing minimum safeguards
sufficient to give effective protection against the risk of abuse and against any
unlawful access to and use of that data (paragraphs 52 and 54);
(b)
Any legislation establishing or permitting a general retention regime for
personal data must expressly provide for access to and use of the data to be
strictly restricted to the purpose of preventing and detecting precisely defined
serious offences or of conducting criminal prosecutions relating to such
offences (paragraph 61);
(c)
“Above all”, access by the competent national authority to the data retained
must be made dependent on a prior review by a court or an independent
administrative body whose decision seeks to limit access to the data and their
use to what is strictly necessary for the purpose of attaining the objective
pursued, and which intervenes following a reasoned request of those
authorities (paragraph 62). [emphasis added]
92.
The supplementary submissions on behalf of the Defendant also make the point that
whereas the Anderson report is the product of a year’s work in gathering and
assessing a large volume of material, that “can be contrasted with the complete
absence of evidence before the CJEU in Digital Rights Ireland as to any individual
Member State’s domestic data retention and access regimes”. It is not clear to us how
much information the CJEU were given about the domestic regimes in Ireland and
Austria: but even if the answer is “little or none”, it does not detract from the binding
nature of the conclusions of the CJEU as to what is required in order for legislation to
comply with the Charter.
93.
We repeat that our task is not to say what safeguards we would ourselves consider
necessary or desirable, but to interpret the words of the CJEU. Nevertheless, we
should mention some arguments addressed to us about practicalities.
94.
The requirement that access to and use of the data must be strictly restricted to the
purpose of preventing and detecting “precisely defined serious offences” or of
conducting criminal prosecutions relating to such offences does not mean that access
must be limited to the data of people suspected to have committed serious crime. Mr
Regan (in paragraph 56 of his statement) said that investigations against serious
criminals would be ‘severely hampered if data could only be retained where the data