Bulk retention of private-sector subscriber data for governmental purposes does not violate the Convention: Breyer v. Germany

Judith Vermeulen is a doctoral researcher and a member of the Law & Technology research group, the Human Rights Centre and PIXLES at Ghent University.

On January 30, 2020, in the case of Breyer v. Germany, the European Court of Human Rights ruled by six votes to one that the – legally required – indiscriminate storage of subscriber information by telecommunication service providers does not violate Article 8 of the European Convention on Human Rights. Amongst other things, the Court found that the interference at hand was rather limited in nature, thereby conveniently invoking Court of Justice jurisprudence which suited its point of view this time. Contrary to what judge Ranzoni argued in his dissenting opinion, the Court in Strasbourg was however not wrong in reaching this conclusion. The dissenter’s criticism regarding the insufficiency of the safeguards circumscribing the measure, on the other hand, was not without reasons.

Facts and proceedings at domestic level

In June 2004, Germany introduced a legal obligation for telecommunication service providers to collect and store ‘subscriber data’ of all their customers, including those whose details are not necessary for billing purposes or other contractual reasons and thus use so-called pre-paid (“pay-as-you-go”) mobile-telephone SIM cards. More specifically, section 111 of the Telecommunications Act (‘TA’) requires them to register, prior to activation of SIM cards, their telephone numbers, names, addresses, dates of birth, effective dates of contract and (in some cases) device numbers. Sections 112 and 113 TA further respectively contain an automated and a manual procedure for the authorities listed therein to access the data stored under section 111. In accordance with section 112, telecommunication service providers must “store, without undue delay, data collected under section 111 […] in customer data files” and “ensure that the Federal Network Agency is enabled, at all times, to retrieve data [therefrom] by way of automation within Germany ”. It further states that the agency may do so “only to the extent that knowledge of the data is necessary […] in order to process requests for information lodged by the bodies set out in subsection (2)”, which are all concerned with law enforcement or the protection of national security. The Federal Network Agency only examines the necessity “where there is a special reason to do so”. The service providers, in turn, are “to ensure by technical and organisational measures that no retrievals can come to their notice”. In contrast, section 113 stipulates a duty of the latter themselves to supply data to authorities entitled to receive it. While the latter are not exhaustively listed in that provision, information may be provided inasmuch as it is requested in an individual case and in order to prosecute criminal and regulatory offences, to avert danger and to perform intelligence tasks.

On July 13 2005, the Applicants, Mr Patrick Breyer and Mr Jonas Breyer, both German, filed a constitutional complaint against, among others, the aforementioned sections of the TA. The German Constitutional Court held that the challenged provisions interfered with the right to informational self-determination, which “guarantees the authority of the individual in principle himself or herself to decide on the disclosure and use of his or her personal data” (§14). Accordingly, it held that “[p]rovisions which give authority for government authorities to deal with personal data as a rule create a number of encroachments which build on each other” (§14). Within the context of section 111-113 of the Telecommunications Act more specifically, the following aspects were all considered to independently encroach upon the complainants’ fundamental right to informational self-determination: the duty of collection and storage, the duty to make information available as customer databases or on demand, the authority of the Federal Network Agency to retrieve the data and to transmit them to particular authorities and the prior request or demand for information by the authorities entitled to retrieve (§14). Importantly, the Constitutional Court held that the provisions of sections 112 and 113 are to be understood solely as the legal basis for the transmission and thus presuppose that the authorities entitled to receive information have independent powers of collection: “[i]t is only both legal bases together, which must operate together like a double door, which give authority to exchange personal data” (§14).

The Constitutional Court, thereinafter, assessed whether said interferences could be considered ‘justified’, applying a section-by-section (of the Telecommunications Act) approach (§15). As regards section 111, the Court, while it noted that the database essentially constituted a precautionary measure, found that the obligation to maintain it pursued the legitimate aim of, in particular, criminal prosecution and was ultimately justified owing to the relatively restricted nature of the information stored (§16). The stored data, merely “fulfil the function of a telecommunications number register” and “in themselves give no evidence as to the specific activities of individuals” (§16). The interference provided for by section 112 of the TA was on the other hand conceived as considerably weighty in view of the fact that said provision “very much simplifies data retrievals” and “the legislature has drafted the purposes of the data very broadly” (§18).

However, at the same time, it was pointed out that the information content of the data remains limited and “depends on further investigations whose lawfulness is to be evaluated under different provisions”, that the purposes for transmission “are central duties relating to the guarantee of security” and the relevant investigations require to be carried out “rapidly and without knowledge of the affected”, and that the subject of this case was only the transmission of data by an authority. Accordingly, the Constitutional Court eventually concluded that section 112 was proportionate (§19). In the context of the assessment of section 113 TA, the Court admitted that this provision “always permits information in the individual case if this is necessary to perform the above duties” (§21). Nonetheless, pointing out (again) that an additional legal basis for the retrieval of data was required and “in view of the information from the data in question, which in itself was limited, and their great importance for an effective performance of duties”, it considered its reach “constitutionally unobjectionable” (§§20-21). Lastly, the Court found that there are no objections to the fact that in view of the slightness of the encroachment no specific proceedings of legal redress relating to data retrievals under sections 112 and 113 are foreseen and that it remains possible to challenge them on the basis of general rules (§22).

Judgment

Before the European Court of Human Rights, the Applicants argued that the obligation to store their data under section 111 TA interfered with their right to privacy “as it forced them to disclose their personal data, which was subsequently stored” (§66). In their view, the interference was moreover “very serious” as “[t]he provision did not include any pre-requirements for storage but was generally applicable to all mobile-telephone users”, of which the vast majority “were innocent and did not present any danger or risk for public safety or national security” (§67). In Strasbourg, the Breyers did not specifically complain about sections 112 and 113.

In accordance with its well-established case-law, the Court first of all held that

“Article 8 of the Convention […] provides for the right to a form of informational self-determination, allowing individuals to rely on their right to privacy as regards data which, albeit neutral, are collected, processed and disseminated collectively and in such form or manner that their Article 8 rights may be engaged” (§75).

Thereafter, noting that none of its previous cases had concerned “the storage of such a data set as in the present case” (§76), it quickly found, as it had before, that the mere storing of data relating to the private life of an individual, and therefore section 111 TA, amounted to an ‘interference’ within the meaning of Article 8 of the Convention (§81). As regards its ‘justification’, it repeated that

“In the context of, inter alia, storage of personal information it is essential to have clear, detailed rules governing minimum safeguards concerning amongst other things duration, storage, usage, access of third parties, procedures for preserving the integrity and confidentiality of data and procedures for its destruction  (emphasis added)” (§83).

In that regard, the Court found section 111 to be sufficiently clear and foreseeable in so far as the amount of stored data was concerned, the duration of the storage as well as its technical side. An assessment of the safeguards concerning access of third parties and further use of the stored data, however, required a reading of section 111 in conjunction with section 112 and 113, in accordance with the ‘double door concept’ (§85). As these matters closely were related to the broader issue of necessity, the Court decided to assess them in that part of their reasoning (§85). Further, it found the interference to pursue “the legitimate aims of public safety, prevention of disorder and crime and the protection of the rights and freedoms of others” (§86).

For the measure to be ‘necessary in a democratic society’ for achieving those aims, it needed to answer a “pressing social need” and had to be “proportionate” (§88). In the Court’s view, the fight against crime, upholding public safety and the protection of citizens indeed constituted pressing social needs. With a view to evaluate the proportionality of the measure, the Court in Strasbourg thereinafter established the level of interference with the Applicants’ right to private life. Agreeing with the German Constitutional Court, it stated that this data neither included any highly personal information or allowed the creation of personality profiles or the tracking of the movements of mobile-telephone subscribers, nor concerned individual communications events (§92). The Court also cited the Court of Justice of the European Union, which found in Ministerio Fiscal that the access by the police, for the purposes of a criminal investigation, to subscriber information could not be defined as a ‘serious’ interference, in view of the fact that:

“Without those data being cross-referenced with the data pertaining to the communications with [the] SIM cards [i.e. traffic data] and location data, those data do not make it possible to ascertain the data, time, duration and recipients of the communications made with [them], nor the locations where those communications took place or the frequency of those communications with specific people during a given period (emphasis added)” (§55).

According to the Luxembourg Court, they do therefore not allow precise conclusions to be drawn concerning the private lives of the persons whose data is concerned (§55). Accordingly, also the European Court of Human Rights concluded that “the interference was, while not trivial, of a rather limited nature” (§95). Next, the Strasbourg Court went on to assess the available safeguards circumscribing the measure. As regards the rules laid down in relation to future possible access to and the use of the data stored, the Court found sections 112 and 113 TA to maintain sufficient limiting factors to render the interference proportionate. More specifically, both provisions were detailed enough to clearly foresee which authorities had been empowered to request information (§§98-99). Additionally, it was observed that the stored data was “further protected against excessive or abusive information requests by the fact that the requesting authority requires an additional legal basis to retrieve the data” (§100). The retrievals were also limited by a ‘necessity requirement’, which, as pointed out by the German Constitutional Court, in the context of the prosecution of offences meant “that there had to be at least an initial suspicion” (§100). Finally, with regard to the available possibilities of review and supervision of information requests, it noted that legal redress may be sought under general rules – in particular together with legal redress proceedings against the final decisions of the authorities – and that the possibility of supervision by the competent data protection authorities ensures review by an independent authority. These authorities “[were] not only competent to monitor compliance with data protection regulation but also may be appealed to by anyone who believes that his or her rights have been infringed through the collection, processing or use of his or her personal data by public authorities” (§105). Such supervision was made possible by the fact that each retrieval and the relevant information regarding the retrieval were recorded (§105). For all these reasons and in view of the margin of appreciation Member States have in these matters, the Court concluded that the storage of the Applicant’s personal data by their respective service providers pursuant to section 111 TA was proportionate and therefore ‘necessary in a democratic society’ (§§108-109).

Comment

Hence, in the opinion of the European Court of Human Rights, the retention for governmental purposes of private-sector subscriber data, indiscriminately and regardless of whether a ‘reasonable suspicion’ exists vis-à-vis the persons whose information is concerned, does not violate the Convention. In view of the Court’s jurisprudence in Big Brother Watch and Others v. the UK (see blogpost for this case), this hardly comes as a surprise. In that case, which related to the interception of communications (content) and related communications traffic data (data processed for the purpose of the conveyance of a communication on an electronic communications network, such as the source of a communication, its destination, date, time, duration etc.), the Court already found that bulk collection regimes do not per se fall outside the wide margin of appreciation which Governments have in choosing the means for achieving the legitimate aim of protecting national security. Indeed, if the untargeted collection of such information, which is to be considered far more intrusive in nature, may be permitted, then a fortiori the retention of subscriber data is permissible.

By contrast, the Court of Justice of the European Union had, in cases such as Digital Rights Ireland and Tele2 Sverige and Watson and Others, which both predate the Big Brother Watch and Others v. the UK judgment, held that the precautionary bulk retention by telecom service providers of traffic data and location data violated Articles 7 (right to respect for private life) and 8 (right to protection of personal data) of the EU Charter on Fundamental Rights. Its decision in that regard was, more specifically, based on the fact that it considered the retention of such data – as well as the subsequent access thereto by law enforcement authorities – to amount to a particularly ‘serious’ interference with said provisions. In particular, the EU Court stated – as opposed to what it thereinafter found in Ministerio Fiscal as regards subscriber data (see supra) – that:

“[such] data, taken as a whole, is liable to allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained, such as everyday habits, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them”.

Accordingly, it appears that the European Court of Human Rights relies on the Court of Justice’s jurisprudence in data protection matters only insofar doing so contributes to its finding of a non-violation, like in Breyer, while it does not where it seeks to apply a lower human rights standard, as in Big Brother Watch and Others.

In his dissenting opinion, judge Ranzoni criticized the European Court of Human Right’s judgment in Breyer for another number of reasons. According to him, the Court as well as the Constitutional Court in Germany overlooked the fact that the data in question, admittedly not sensitive in itself, “facilitates the identification of the parties to every telephone call or message exchange and [hence] the attribution of possibly sensitive information to an identifiable person”. However, in that regard, it must be pointed out that the extent to which such is, in the circumstances of this case, possible on the basis of subscriber information, remains considerably lower than in cases where traffic and location data of users of telecommunications services are indiscriminately stored. Indeed, in the former situation, it will always be the individual telecommunication event that will be the point of departure. It can, by contrast, on the basis of the subscriber information databases, not be established whoever a person has called, or from where to where he or she has done so, nor for how long or when. Therefore, the level of interference considered in Breyer and Ministerio Fiscal, should indeed be distinguished from the one at issue in Digital Rights Ireland and Tele2 Sverige and Watson and Others. The fact that the data storage reviewed in Breyer is indiscriminate, and therefore concerned everyone using mobile-communication service, including users of pre-paid SIM cards, alike “even though there was no evidence to suggest that their conduct might have a link to criminal or other offences”, is justifiable for the same reason.

Ranzoni further disagreed with the majority as regards “the assessment of safeguards and whether the existing ones, if any, are sufficient in order to effectively prevent the misuse and abuse of personal data”. He argued, more specifically, that, in the circumstances of the case, the double-door concept does not qualify as an efficient safeguard since the data retrievals, while based on broad and general provisions – which may suffice as legal keys to the door –, do not require an order by a judicial or an otherwise independent authority. As individuals are, moreover, not notified after their data has been retrieved, a “victim of the interference has no knowledge and cannot seek a review [thereof]”. The observation that redress can nevertheless be sought together with legal redress proceedings against final decisions by the authorities, moreover “only applies to information requests that have led to further telecommunication surveillance or other investigative measures”. It can be noted in that regard that the Court itself, in Breyer, held that “the level of review and supervision has to be considered as an important, but not decisive element in the proportionality assessment of the collection and storage of such a limited data set”, thereby seemingly accepting the insufficiency of the German system in this context. In view of the total sum of some 34 million data sets that were consulted under the automated procedure in 2015, the lack of a review mechanism nonetheless indeed seems questionable.