THE INTERPRETATION OF THE CHARTER OF FUNDAMENTAL RIGHTS OF THE EU IN DATA RETENTION CASES: NATIONAL IMPLEMENTATION AND POSSIBLE CHANGES OF POLICY *

: The Court of Justice of the EU has, on several occasions, ruled on the compatibility of so-called data retention measures with the Charter of Fundamental Rights of the EU. In particular, it has ruled that general and indiscriminate retention of certain electronic communications data is incompatible with Articles 7 and 8 of the Charter, be it in the form of EU secondary law or national legislation. Many Member States, however, still keep in place data retention measures contrary to these rulings, and progress in implementing the rulings is slow. At the same time, the rulings of the Court of Justice can also be interpreted as requiring a fundamental change in how these measures are used and how effective they can be.


INTRODUCTION
In a series of cases starting with the Digital Rights Ireland judgement, the Court of Justice of the EU (Court, Court of Justice, or CJEU) has reviewed a number of regimes within the scope of EU law regulating mass retention of data. These cases led to the invalidation of the Data Retention Directive and a finding of incompatibility of national data retention regimes which enable the bulk collection of data.
Firstly, this article presents the key points of the Court's findings. Secondly, it looks at the impact of the Charter of Fundamental Rights of the EU (Charter) (through the Court's interpretation) on Member States with regard to their obligations to implement the rulings. Finally, this article seeks to place the data retention cases into a wider policy context -i.e. the use of big data analytics in law enforcement and the necessity of practices such as data retention on a scale as formerly required by the Data Retention Directive.

DATA RETENTION: THE DIRECTIVE AND THE CASES
Under the E-Privacy Directive, 1 Member States were allowed to adopt data retention rules to safeguard the objectives listed pursuant to the limitations contained in its Art. 15 (1). The Data Retention Directive 2 was (according to its recitals) adopted in 2006 as a result of the differences between these regimes. 3 The possibility given to Member States by Art. 15 (1) of the E-Privacy Directive was thus curtailed to the extent that the Data Retention Directive harmonised the rules.
The core of the Directive was an obligation placed on providers of publicly available electronic communications services or public communications networks to retain certain data generated or processed by them while providing communication services for a period of up to two years. 4 Such data could then be accessed and used by national authorities. Additionally, in Art. 7 the Directive placed minimum requirements to be imposed on the above-mentioned providers .
The Directive was based on Article 95 EC (Art. 114 TFEU) as an internal market harmonisation of conditions for conducting business for providers of electronic communications, notwithstanding the fact that a large part of the reasoning in favour of data retention as a practice came from findings not concerned with the internal market in itself. 5 Accordingly, in Ireland v. Parliament and Council, 6 the Court of Justice examined the Directive in light of its case law on the correct choice of legal basis and rejected Ireland's claim. 7 While the Directive sustained this challenge, it was later proposed that the very reasons why it had been compatible with the internal market legal basis put it at odds with provisions on fundamental rights in the Charter. 8 Over time, a number of the highest courts in EU Member States examined the legality of national implementation rules 9 and the question of the Directive's validity found its way to the Court of Justice in the Digital Rights Ireland 10 case through Irish and Austrian courts and in the process gave the Court the opportunity to give interpretation on both Article 7 and Article 8 of the Charter.
The Grand Chamber judgement started with one of the referred questions (which, given the results of the proceedings, was eventually the only point necessary to examine) noting that: '[…] the referring courts are essentially asking the Court to examine the validity of [Data Retention Directive] in the light of Articles 7, 8 and 11 of the Charter.' 11 Both the Advocate General and the Grand Chamber agreed that the data retention obligation laid down by the Directive created a 'particularly serious' interference with fundamental rights under Arts. 7 and 8 of the Charter. As the Advocate General (AG) noted, there was no point in arguing whether the Directive constituted an 'interference' with the right to privacy, 12 however, in light of the particular context, it was necessary to inquire whether such interference was not even more worrying. 13 Even though the content of communication was not covered by the retention obligation, the collection and retention of personal data relating to the everyday communications of Union citizens according to the AG constituted a ' […] 12 Note that the use of the right to privacy instead of referring to both rights under Arts. 7 and 8 of the Charter here is merely reproducing the AG's approach, which follows from his analysis concluded in para 67 of his Opinion. 13 The AG bases this on the wording of the Directive itself in recital 9, as well as on the case law of the European Court of Human Rights (see the reference in para 60 on the notion that regardless of whether the data was used, the storage of personal data by a public authority constitutes an interference with fundamental rights; see para 33 of the judgement for a connected reasoning, with the use of Joined Cases C-465/00, C-138/01 and C-139/01 Österreichischer Rundfunk and Others, ECLI:EU:C:2003:294 as the basis for this claim).
such right. 14 The Opinion also stressed the impact of the everyday use of digital mobile networks and Internet. 15 Thus, in spite of the particular character of communications data, the use of such retained data could '[…] make it possible to create a both faithful and exhaustive map of a large portion of a person's conduct strictly forming part of his private life, or even a complete and accurate picture of his private identity.' 16 The Grand Chamber subscribed to the concerns of the AG regarding the possibility to derive such information form retained data. 17 Indeed, the judgement similarly stated that '[such] data, taken as a whole, may allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them.' 18 The Court found that there was no intrusion into the essence of either Art. 7 or Art. 8 of the Charter 19 and that the Directive satisfied an objective of general interest. 20 In the assessment of appropriateness of the regime for the fight of serious crime, the judgement quickly found that while there were possibilities which enable to circumvent the data retention regime and provide anonymised communication, the Directive was nonetheless appropriate to achieve its aim; the Court noted that the Directive '[allowed] the national authorities which are competent for criminal prosecutions to have additional opportunities to shed light on serious crime and, in this respect, [was] therefore a valuable tool for criminal investigations […].' 21 The key part of the judgement relates to the necessity of the data retention regime vis-à-vis the legitimate objective; the Court noted that while: '[…] the fight against serious crime, in particular against organised crime and terrorism, is indeed of the utmost importance in order to ensure public security and its effectiveness may depend to a great extent on the use of modern investigation techniques […]' that alone could not justify the interference caused by the Directive. Inspired by the case law of the European Court of Human Rights, 22 the judgement stated that: '[…] EU legislation in question must lay down clear and precise rules governing the scope and application of the measure in question and imposing minimum safeguards […] against the risk of abuse and against any unlawful access and use of that data [.]' Two sets of objections present in the reasoning are summarised below.
Firstly, the Court strongly objected to the very broad scope of the retained data -all communications data pursuant to the Directive were to be retained without any differen- tiation, limitation, or exception 23 and covering (and interfering with the fundamental rights of) practically the entire European population. 24 A person's communication data could be collected and retained irrespective of whether that person had any link to the perpetration of serious crime; more precisely, there was no requirement for the data in question to have a relationship to either certain geographical area, time, circle of persons, or persons who could otherwise contribute to the investigation of serious crime. 25 Secondly, further objections related to, broadly described, the more practical aspects of the data retention regime. For example, concerning the retained data, the Directive did not contain ' […] substantive and procedural conditions relating to the access […] and their subsequent use […]' and did not expressly limit such access and use to what would be strictly necessary; 26 similarly, no limitation of the number of persons with such access was present. 27 In a similar reasoning, the Court found the lack of criteria for determination of an actual retention period unsatisfactory (with the 6-24 months provision being too vague). 28 Subsequently, the Court also took issue with the conditions under which data was to be retained by the communication service providers, citing the lack of rules designed to respond to the quantity and sensitive nature of such data, as well as the lack of provisions preventing unlawful access and use, 29 with no sufficient guarantees that data would be irreversibly destroyed upon the lapse of retention period or that such data would be kept within the EU. 30 Consequently  [.]' 37 Instead, the Court stated, not precluding data retention altogether, that a targeted form of retention would not run into these objections (this notion will be further examined in the second part of this article). 38 On the second point, the Court confirmed its approach regarding the practical aspects relating to data retention and restated some key points which the national legislation must comply with. 39 Eventually, the Court found that both national implementations were in breach of Art. 15 (1) of E-Privacy Directive as interpreted in the case. This line of reasoning was then again broadly (see part three of this article) confirmed in the Opinion 1/15 which concerned the legality of a negotiated agreement on the exchange of PNR (Passenger Name Record -set of data on passengers on EU-Canada flights) data. 40

IMPLEMENTATION OF DIGITAL RIGHTS IRELAND AND TELE2/WATSON BY MEMBER STATES
The Digital Rights Ireland case was suggested to be an opportunity to reformulate the European data retention framework in a way that would remedy certain issues that were not properly resolved during the adoption of the Data Retention Directive as well as to reframe the directive (or regulation if that were to be the way forward) to make it compliant with fundamental rights under the Charter. 41 Instead, no act has been adopted to replace the invalid directive so far.
The two judgements analysed above related to the interpretation of the framework laid down by the E-Privacy Directive; as a part of a privacy and data protection legislation overhaul, the E-Privacy Directive is to be replaced by a Regulation carrying the 35 Tele2/Watson, para 102; this clarified the wording of the E-Privacy Directive, which in its relevant part of Art. 15 (1) states that limitation on fundamental rights in the form of data retention may be adopted inter alia for the purpose of 'prevention, investigation, detection and prosecution of criminal offences'. 36  149 same (short) name -E-Privacy Regulation. The Regulation, according to the Commission proposal, 42 does not contain any specific provisions on data retention. 43 Instead, it works with a scheme similar to the one presented by Art. 15 (1) of the E-Privacy Directive: Member States are free to adopt (and keep, where those already exist) data retention measures as restrictions on scope of rights and obligations in the Regulation under its Article 11; the objectives pursued by such (legislative) measures are not expressly named in the E-Privacy Regulation, but must correspond to grounds enumerated in Art. 23 (1) a) to e) of the General Data Protection Regulation. 44 Furthermore, references are specifically made to the two judgements and the 'targeted' nature (which will be explained below) of any permissible data retention measure. 45 The rate of implementation of the judgements has been subjected to considerable criticism, especially from privacy-oriented NGOs. 46 The latest annual report of the EU Fundamental Rights Agency similarly states that the progress of national lawmakers has been rather limited, noting that Member States seem to be reluctant to change the existing frameworks. 47 The progress so far can be illustrated as follows. On the issue of conditions of access, delineation of crimes the prosecution of which enables the use of the retained data, storage within the EU and similar conditions relating to the practical operation of the system, several Member States are taking up the task given to them by the Court's ru-  legislation. 48 Several Member States, Slovakia included, have already repealed or reformed their data retention frameworks altogether. 49 On the other hand, for a large number of Member States, the remaining issue is the scope of the data retention obligations still present in national law as bulk data retention remains in place in many countries. 50 In Tele2/Watson, while refusing to condone general and indiscriminate data retention (see above), the Court has also ruled that the E-Privacy Directive read in light of the Charter of Fundamental Rights of the EU ' […] does not prevent a Member State from adopting legislation permitting, as a preventive measure, the targeted retention of traffic and location data, for the purpose of fighting serious crime, provided that the retention of data is limited, with respect to the categories of data to be retained, the means of communication affected, the persons concerned and the retention period adopted, to what is strictly necessary.' 51 Nonetheless, according to Eurojust, no Member State is currently close to achieving this model -while Germany reported an exclusion of a certain category of data relating to the church, that does not (while reducing the scope of data a little bit) remove the characteristic of a national data retention framework as a general one. 52 The current form of the Czech legislation resulted from a reaction to the invalidation of the original data retention provisions in the Electronic Communications Act by the Czech Constitutional Court even prior to the Digital Rights Ireland judgement. Parts of the original Art. 97 of Electronic Communications Act were struck down due to a number of shortcomings, including the lack of a sufficiently detailed description of authorities that could access the data, 53 the lack of a precisely delineated purpose for enabling access (where the national legislation did not limit access to the fight against serious crime), 54 the lack of notification of individuals, 55 or little to no provisions on security safeguards. 56 On the contrary, the bulk nature of collection and retention of data in itself was not taken as a reason to invalidate the provisions. 57

151
The current provisions of the Electronic Communications Act (which were not subsequently amended after Digital Rights Ireland) provide for a data retention obligation along the lines of the Data Retention Directive: legal or natural persons securing public communication networks or providers of publicly available communications services are required for a period of 6 months to retain traffic and location data generated or processed in the course of providing/securing the service or network, with qualification made (in line with the Directive) for content of communication and unsuccessful calls. 58 No other qualifications limiting the scope of the data retained are present.
It is clear that if the judgement of Tele2/Watson is to be taken literally, such a provision is clearly in breach of the prohibition on general and indiscriminate retention of communications data (which in itself should be enough for it to be incompatible with EU law). What is more, the Czech Republic was classified by Eurojust into a group of Member States, whose legislation does not correspond with the requirement of at most targeted retention of communications data (but as was noted above, no country still keeping a data retention obligation was apparently compliant with that standard), 59 but that have not even started a reassessment of their frameworks since the judgement. 60 It seems clear then that within the two sets of issues presented by the judgements, progress is being made in their implementation, but, only in one of them; the key problematic issue in complying with the CJEU judgements (whilst keeping some form of data retention) lies in the transition from general and indiscriminate retention of data to the 'targeted retention' model mentioned by the Court in Tele2/Watson.
As the Fundamental Rights Agency Report states, while Member States remain hesitant to implement the judgements, the number of proceedings against national data retention laws also decreased; nonetheless, the Czech data retention framework has recently been put under a challenge before the Constitutional Court, where a group of Members of the lower chamber of the Czech Parliament challenged inter alia the constitutionality of Art. 97 (3) and (4) of the Electronic Communications Act. 61 58 Art. 97 (3) of Act no. 127/2005 Coll., on electronic communications and amending certain related acts (Electronic Communications Act); translation of provisions author's own, as well as responsibility for any incoherences with the Czech version; para 4 of the Article further defines traffic and location data as data leading to the identification of source and addressee as well as the date, time, means, and duration of communication. 59 See note 49; it should be mentioned that even the countries that reported a repeal of their original data retention obligations have no data retention for law purposes only, but still may (and do) rely on data collected by private operators for private (i.e. business or commercial purposes). 60

TO REINVENT OR TO CIRCUMVENT: THE BROADER IMPLICATIONS OF DATA RETENTION RULINGS
As was stated above, the outcome of Tele2/Watson is a prohibition on general and indiscriminate retention of communications data such as the one in the invalidated Directive and national legislation implementing it on a similar scale; on the other hand, Member States may introduce legislation providing for targeted retention, which however must be based on 'objective evidence which makes it possible to identify a public whose data is likely to reveal a link, at least an indirect one, with serious criminal offences […]. Such limits may be set by using a geographical criterion where the competent national authorities consider, on the basis of objective evidence, that there exists, in one or more geographical areas, a high risk of preparation for or commission of such offences.' 62 64 While (as has been stated above) the wording of the agreement was not detailed enough for the Court concerning delimiting the data covered by retention, the Court did not take issue with the scope of the data retention obligation concerning its generality within the context of PNR and not electronic communications data. 65 This means that data retention measures concerning data other than electronic communications data 66 could be subject to a slightly less stringent scrutiny (or at the very least, an examination of whether the same approach as in the two judgements is warranted in a given context) -in practice, this could be rather easily applied if the Czech Republic became a part of a sharing system of intra-EU flights PNR data pursuant to the PNR Directive. 67 Consequently, it is primarily the retention of communications data that ought to undergo a fundamental change in approach.
The Court, as well as reports, have stated several times that the use of communications data is a valuable tool in the fight against serious crime and Member States consider it as well. 68 The effects of the use of retained data in law enforcement have, however, also been questioned on the lack of improvement of crime rates 69 and the possibility to circumvent the measure through e.g. anonymised SIM cards. 70 The switch to 'targeted retention' brings a completely new challenge: general and indiscriminate retention of data provided for a large set of data going to the past that could be analysed with the potential of discovering new connections or information that would have otherwise not been noticed. 71 This is a prime example of a situation where the methods of the so--called big data analysis can be put to use, potentially giving an enhanced perspective to investigations. 72 Instead, Member States (unless they want to give up their data retention measures) are required to switch to a method which seems to be less effective, notwithstanding the issues with the use of geographical criteria. 73 Law enforcement may thus have to adapt to using vastly different tools other than what was possible so far, and possibly reinvent certain approaches to investigation of serious crime.

154
The resulting situation is partly described in the second part of this article: the majority of Member States still retain legislation which is contrary to the rulings, and changes are made primarily on issues other than the general and indiscriminate scope. The other consequence of these developments can be seen in new potential initiatives to re-introduce some form of broad data retention, with a recent example in the field of fighting against terrorism being called an attempt at circumvention of the Digital Rights Ireland and Tele2/Watson rulings. 74

CONCLUSION
The rulings of the Court of Justice in Digital Rights Ireland and Tele2/ Watson show that the Court is willing to subject interferences with fundamental rights protected by the Charter of Fundamental Rights of the EU to very strict scrutiny and review in detail various aspects of data retention regimes. The effect of these cases is twofold -first, as described in the second part of this article, immediate reaction to the rulings and the need to implement the findings into practice which after Tele2/Watson implies repealing national frameworks providing for general and indiscriminate retention of communications data; second, as was the subject of the third part, the rulings on the permissible scope of retention of communications data require a more thorough reassessment of the procedures involved in the fight against serious crime.