Uitspraak
CourtThe Hague District Court
Date of judgment11 March 2015
Date of publication 11 March 2015
Case numberC/09/480009 / KG ZA 14/1575
Areas of lawCivil law
Particular characteristicsPreliminary relief proceedings
Indication of contents
The court hearing applications for provisional relief in The Hague rendered the Telecommunications Data (Retention Obligation) Act (
Wet bewaarplicht telecommunicatiegegevens) inoperative. This Act obliges telephone and internet service providers to store users’ traffic and location data. The Act infringes the right to respect for private life and the right to protection of personal data. The court held that this infringement is not limited to what is strictly necessary.
Wet bewaarplicht telecommunicatiegegevens) inoperative. This Act obliges telephone and internet service providers to store users’ traffic and location data. The Act infringes the right to respect for private life and the right to protection of personal data. The court held that this infringement is not limited to what is strictly necessary.
References to legislation
Telecommunications Act (Telecommunicatiewet) (https://wetten.overheid.nl/BWBR0009950/2020-10-01)
Telecommunications Act (Telecommunicatiewet) 13.2a
Telecommunications Act (Telecommunicatiewet) 13.2b
Telecommunications Act (Telecommunicatiewet) 13.4
Publication referencesRechtspraak.nl
Prg. 2015/107
Computerrecht 2015/88 with annotation by [A] LLM
NJF 2015/222
O&A 2015/59 with annotation by [B]
NJ 2015/461
Module Privacy en persoonsgegevens (privacy and personal data) 2016/1120
JBP 2015/71
SEW 2015, issue 5, p. 252
Judgment
The Hague District Court
Commerce Team – court in preliminary relief proceedings
case number / cause list number: C/09/480009 / KG ZA 14/1575
Judgment in preliminary relief proceedings of 11 March 2015
in the matter of
1. the foundation (
stichting)
stichting)
Stichting Privacy First,
with registered office in Amsterdam,
2. the association (
vereniging)
vereniging)
Nederlands Juristen Comité voor de Mensenrechten (Dutch Section of the International Commission of Jurists),
with registered office in Leiden,
3. the association (
vereniging)
vereniging)
Nederlandse Vereniging van Strafrechtadvocaten (Dutch Association of Defence Counsel),
with registered office in Goirle,
4. the association (
vereniging)
vereniging)
Nederlandse Vereniging van Journalisten (Dutch Union of Journalists),
with registered office in Amsterdam,
5. the private limited company (
besloten vennootschap met beperkte aansprakelijkheid)
besloten vennootschap met beperkte aansprakelijkheid)
BIT B.V.,
with registered office in Ede,
6. the private limited company (
besloten vennootschap met beperkte aansprakelijkheid)
besloten vennootschap met beperkte aansprakelijkheid)
SpeakUp B.V.,
with registered office in Enschede,
7. the private limited company (
besloten vennootschap met beperkte aansprakelijkheid)
besloten vennootschap met beperkte aansprakelijkheid)
VOYS B.V.,
with registered office in Groningen,
the claimants,
lawyer: F.F. Blokhuis LLM, practising in Amsterdam,
versus:
the State of the Netherlands(the Ministry of Economic Affairs and the Ministry of Justice and Security),
seated in The Hague,
the defendant,
lawyer: R.J.M. van den Tweel, practising in The Hague.
The parties are hereinafter referred to as ‘Privacy First et al.’ and ‘the State’, respectively.
1.The facts
Based on the documents and the court hearing of 18 February 2015, the following is assumed in these proceedings.
1.1.
Privacy First et al. are organisations which aim to protect human rights, including the right to privacy, (claimants under 1 and 2), associations representing professions with a right to confidentiality (claimants under 3 and 4) and telecommunications services and public telecommunications network providers (claimants under 5, 6 and 7).
1.2.
On 15 March 2006, Directive 2006/24/EC on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC (hereinafter: the Data Retention Directive) was published in the Official Journal of the European Union. The Data Retention Directive entered into force twenty days later.
1.3.
The Data Retention Directive sets out inter alia:
“Article 1
Subject matter and scope
1. This Directive aims to harmonise Member States’ provisions concerning the obligations of the providers of publicly available electronic communications services or of public communications networks with respect to the retention of certain data which are generated or processed by them, in order to ensure that the data are available for the purpose of the investigation, detection and prosecution of serious crime, as defined by each Member State in its national law.
2. This Directive shall apply to traffic and location data on both legal entities and natural persons and to the related data necessary to identify the subscriber or registered user. It shall not apply to the content of electronic communications, including information consulted using an electronic communications network.”
1.4.
Implementation of the Data Retention Directive in Dutch legislation led to the Act of 18 July 2009 amending the Telecommunications Act (
Telecommunicatiewet) and the Economic Offences Act (
Wet op de economische delicten) in connection with the implementation of Directive 2006/24/EC of the European Parliament and of the Council of the European Union on the retention of data processed in connection with the provision of public electronic communications services and amending Directive 2002/58/EC (Telecommunications Data (Retention Obligation) Act (
Wet bewaarplicht telecommunicatiegegevens), publication reference: Bulletin of Acts and Decrees 2009, 333, hereinafter: the ‘Wbt’). The Wbt entered into force on 1 September 2009. The Wbt sets out inter alia:
Telecommunicatiewet) and the Economic Offences Act (
Wet op de economische delicten) in connection with the implementation of Directive 2006/24/EC of the European Parliament and of the Council of the European Union on the retention of data processed in connection with the provision of public electronic communications services and amending Directive 2002/58/EC (Telecommunications Data (Retention Obligation) Act (
Wet bewaarplicht telecommunicatiegegevens), publication reference: Bulletin of Acts and Decrees 2009, 333, hereinafter: the ‘Wbt’). The Wbt entered into force on 1 September 2009. The Wbt sets out inter alia:
“SECTION 1
The Telecommunications Act is amended as follows:
(...)
section 13.2a will read:
Section 13.2a
1. In the present section, the following terms shall be understood to have the meanings assigned to them below:
a. data: the traffic and location data, (...) and the related data necessary to identify the subscriber or user;
b. unsuccessful call attempt: a communication where a telephone call has been successfully connected but not answered or there has been a network management intervention.
2. Providers of public telecommunications networks or publicly available telecommunications services shall retain the data designated in the annex to the present Act in so far as said data are generated or processed in the context of the networks or services provided for the purpose of the investigation, tracing and prosecution of serious offences.
3. The data within the meaning of subsection 2 shall be retained by the providers for a period of twelve months, calculated from the date of the communication.
4. The obligation within the meaning of paragraph 2 shall relate to data regarding unsuccessful call attempts in so far as such data are generated, processed and stored, or logged by the providers in providing public telecommunications networks or publicly available telecommunications services."
1.5.
By an Act of 6 July 2011, Section 13.2a(3) of the Telecommunications Act was further amended. This subsection now reads (Bulletin of Acts and Decrees 2011, 350):
“3. The data within the meaning of paragraph 2 shall be retained by the providers for a period of:
a. twelve months in the case of data relating to telephony via a fixed or mobile network (...), or
b. six months in the case of data relating to Internet access, e-mail via the Internet and Internet telephony, (...) calculated from the date of the communication."
1.6.
On 8 April 2014, the Court of Justice of the European Union (hereinafter: the Court) declared the invalidity of the Data Retention Directive with retroactive effect (CJEU 8 April 2014, Joined Cases C-293/12 and C-594/12, Digital Rights Ireland and Seitlinger and Others). In its judgment, the Court examined the validity of the Data Retention Directive in the light of Articles 7 and 8 of the Charter of Fundamental Rights of the European Union (hereinafter: the Charter). The Court found that the interference caused by the Data Retention Directive with the fundamental rights laid down in Articles 7 and 8 of the Charter is wide-ranging, and it must be considered to be particularly serious. The Court furthermore observed that the material objective of the Data Retention Directive is to contribute to the fight against serious crime and thus, ultimately, to public security, and that the retention of data as required therefore genuinely satisfies an objective of general interest. The Court held that, by adopting the Data Retention Directive, the EU legislature has exceeded the limits imposed by compliance with the principle of proportionality in the light of Articles 7, 8 and 52(1) of the Charter. The judgment states in this regard inter alia as follows:
"49 As regards the question of whether the retention of data is appropriate for attaining the objective pursued by Directive 2006/24, it must be held that, having regard to the growing importance of means of electronic communication, data which must be retained pursuant to that directive allow the national authorities which are competent for criminal prosecutions to have additional opportunities to shed light on serious crime and, in this respect, they are therefore a valuable tool for criminal investigations. Consequently, the retention of such data may be considered to be appropriate for attaining the objective pursued by that directive.
(...)
51 As regards the necessity for the retention of data required by Directive 2006/24, it must be held that the fight against serious crime, in particular against organised crime and terrorism, is indeed of the utmost importance in order to ensure public security and its effectiveness may depend to a great extent on the use of modern investigation techniques. However, such an objective of general interest, however fundamental it may be, does not, in itself, justify a retention measure such as that established by Directive 2006/24 being considered to be necessary for the purpose of that fight.
52 So far as concerns the right to respect for private life, the protection of that fundamental right requires, according to the Court’s settled case-law, in any event, that derogations and limitations in relation to the protection of personal data must apply only in so far as is strictly necessary (...).
(...)
54 Consequently, the EU legislation in question must lay down clear and precise rules governing the scope and application of the measure in question and imposing minimum safeguards so that the persons whose data have been retained have sufficient guarantees to effectively protect their personal data against the risk of abuse and against any unlawful access and use of that data (...).
55 The need for such safeguards is all the greater where, as laid down in Directive 2006/24, personal data are subjected to automatic processing and where there is a significant risk of unlawful access to those data (...).
56 As for the question of whether the interference caused by Directive 2006/24 is limited to what is strictly necessary, it should be observed that, in accordance with Article 3 read in conjunction with Article 5(1) of that directive, the directive requires the retention of all traffic data concerning fixed telephony, mobile telephony, Internet access, Internet e-mail and Internet telephony. It therefore applies to all means of electronic communication, the use of which is very widespread and of growing importance in people’s everyday lives. Furthermore, in accordance with Article 3 of Directive 2006/24, the directive covers all subscribers and registered users. It therefore entails an interference with the fundamental rights of practically the entire European population.
57 In this respect, it must be noted, first, that Directive 2006/24 covers, in a generalised manner, all persons and all means of electronic communication as well as all traffic data without any differentiation, limitation or exception being made in the light of the objective of fighting against serious crime.
58 Directive 2006/24 affects, in a comprehensive manner, all persons using electronic communications services, but without the persons whose data are retained being, even indirectly, in a situation which is liable to give rise to criminal prosecutions. It therefore applies even to persons for whom there is no evidence capable of suggesting that their conduct might have a link, even an indirect or remote one, with serious crime. Furthermore, it does not provide for any exception, with the result that it applies even to persons whose communications are subject, according to rules of national law, to the obligation of professional secrecy.
59 Moreover, whilst seeking to contribute to the fight against serious crime, Directive 2006/24 does not require any relationship between the data whose retention is provided for and a threat to public security and, in particular, it is not restricted to a retention in relation (i) to data pertaining to a particular time period and/or a particular geographical zone and/or to a circle of particular persons likely to be involved, in one way or another, in a serious crime, or (ii) to persons who could, for other reasons, contribute, by the retention of their data, to the prevention, detection or prosecution of serious offences.
60 Secondly, not only is there a general absence of limits in Directive 2006/24 but Directive 2006/24 also fails to lay down any objective criterion by which to determine the limits of the access of the competent national authorities to the data and their subsequent use for the purposes of prevention, detection or criminal prosecutions concerning offences that, in view of the extent and seriousness of the interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter, may be considered to be sufficiently serious to justify such an interference. On the contrary, Directive 2006/24 simply refers, in Article 1(1), in a general manner to serious crime, as defined by each Member State in its national law.
61 Furthermore, Directive 2006/24 does not contain substantive and procedural conditions relating to the access of the competent national authorities to the data and to their subsequent use. Article 4 of the directive, which governs the access of those authorities to the data retained, does not expressly provide that that access and the subsequent use of the data in question must be strictly restricted to the purpose of preventing and detecting precisely defined serious offences or of conducting criminal prosecutions relating thereto; it merely provides that each Member State is to define the procedures to be followed and the conditions to be fulfilled in order to gain access to the retained data in accordance with necessity and proportionality requirements.
62 In particular, Directive 2006/24 does not lay down any objective criterion by which the number of persons authorised to access and subsequently use the data retained is limited to what is strictly necessary in the light of the objective pursued. Above all, the access by the competent national authorities to the data retained is not made dependent on a prior review carried out by a court or by an independent administrative body whose decision seeks to limit access to the data and their use to what is strictly necessary for the purpose of attaining the objective pursued and which intervenes following a reasoned request of those authorities submitted within the framework of procedures of prevention, detection or criminal prosecutions. Nor does it lay down a specific obligation on Member States designed to establish such limits.
(...)
65 It follows from the above that Directive 2006/24 does not lay down clear and precise rules governing the extent of the interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter. It must therefore be held that Directive 2006/24 entails a wide-ranging and particularly serious interference with those fundamental rights in the legal order of the EU, without such an interference being precisely circumscribed by provisions to ensure that it is actually limited to what is strictly necessary."
1.7.
On 17 November 2014, the government responded in writing to the declaration of invalidity of the Data Retention Directive. In its letter, the government stated that the Wbt needed to be amended in the light of the judgment of the Court. The letter sets out inter alia:
"The government therefore intends to amend national legislation regarding the retention obligation for telecommunications data, so that:
- the application of the public prosecutor requesting that telecommunications data be provided can only be made after prior authorisation by the examining magistrate. As a result, the provisions of Article 126n/u of the Code of Criminal Procedure will be amended;
- access to the data for the purpose of the detection and prosecution of serious crimes will be differentiated on the basis of the severity of the offence. As a result, the provisions of Article 126n/u of the Code of Criminal Procedure will be amended;
- it will be examined whether the telecommunications data which are retained for the purpose of the detection and prosecution of serious offences can be encrypted to safeguard them against unauthorised access. This may lead to amendment of the Telecommunications Data (Security) Decree (Besluit beveiliging telecommunicatiegegevens);
- the providers will be obliged to retain the data to be retained on the territory of the European Union. As a result, the provisions of Sections 13.2a and 13.5 of the Telecommunications Act will be amended;
- ATAgentschap Telecom (Radiocommunications Agency Netherlands), addition by court in preliminary relief proceedings)
as supervisory authority may access telecommunications data retained or made available by the providers, with a view to improved supervision of the processing of the data to be retained and their destruction. As a result, Section 18.7(2) of the Telecommunications Act will be amended;
as supervisory authority may access telecommunications data retained or made available by the providers, with a view to improved supervision of the processing of the data to be retained and their destruction. As a result, Section 18.7(2) of the Telecommunications Act will be amended;
These modifications will be included in a proposal to amend the Telecommunications Act and the Code of Criminal Procedure, which will shortly be made available for consultation."
2.The dispute
2.1.
Privacy First et al. seek, after amendment of their claim, in essence:
principally:
I. that the Wbt, or in any event Section 13.2a and/or Section 13.2b and/or Section 13.4 of the Telecommunications Act, be rendered inoperative, or in any event that the State be ordered to do so;
II. that the State be prohibited from requesting data as referred to in Section 13.2a of the Telecommunications Act from providers of public telecommunications networks or publicly available telecommunications services, insofar as this is contrary to the criteria laid down by the Court in the judgment of 8 April 2014;
alternatively:
that the State be prohibited from enforcing the Wbt or parts thereof and from requesting data as referred to in Section 13.2a of the Telecommunications Act from providers of public telecommunications networks or publicly available telecommunications services, insofar as this is contrary to Articles 7, 8 and 11 of the Charter, Articles 8 and 10 of the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR), Article 10 of the Constitution of the Kingdom of the Netherlands, Article 15 of the e-Privacy Directive and/or Article 6(1) and (2) of the Treaty on European Union;
further in the alternative:
that the State be prohibited from enforcing the Wbt and from compelling providers of public telecommunications networks and publicly available telecommunications services to retain data as referred to in Section 13.2a of the Telecommunications Act and requesting such data, until the Wbt has been amended as proposed by the government in a letter of 17 November 2014 or an Act repealing the Wbt has been adopted.
2.2.
In this regard, Privacy First et al. have submitted the following arguments. The Wbt manifestly contravenes European legislation and cannot therefore be permitted to continue to apply. The Wbt implements the Data Retention Directive almost literally. The Court declared the Data Retention Directive invalid with retroactive effect on 8 April 2014. The Wbt infringes Articles 7 and 8 of the Charter in an identical manner to the Data Retention Directive.
The Data Retention Directive provided scope for everyone’s data to be retained. This scope has been utilised in the Wbt. The Court condemns the retention at random of data of all citizens, without any differentiation or distinction being made by person, location or data. The retention of all traffic and location data for six to twelve months, irrespective of the objective or purpose, therefore goes too far. There should be a limited and targeted selection of data. This does not exist in the Wbt. The Court also takes a serious view of the absence of any prior judicial scrutiny. Under the Wbt, it is still possible for investigating officers and public prosecutors to access the data, without any prior examination by a court. The Court furthermore raised objections to the data retention periods, as laid down in the Data Retention Directive, since no distinction is made on the basis of their possible usefulness, the objective pursued or according to the persons concerned and no objective criteria are given for limiting the data retention periods to what is strictly necessary. The Court also held that there are insufficient safeguards to ensure protection of the data against abuse.
In addition, the Wbt is in breach of Article 8 of the ECHR. The
storageof traffic and location data and the
accessof the competent national authorities to such data both constitute independent infringements of the right to privacy. The storage of such data also constitutes an infringement if only a limited part of the information stored is actually used. The retention of the large amount of data on innocent individuals which the Wbt encompasses constitutes a serious infringement of Article 8 of the ECHR, since those data may allow very precise conclusions to be drawn concerning the private lives of the persons whose data have been retained, as the Court also finds. The Wbt contains insufficient safeguards against abuse and arbitrariness, and it is insufficiently clear and precise under what circumstances and conditions the authorities may implement the measures. The Wbt does not provide, for instance, that each individual request to access the data should be subject to the supervision of the authorities. Moreover, the Wbt is not ‘necessary within a democratic society’. The serious infringement of privacy is not proportionate in the light of the aim to be achieved, namely the detection of serious crime.
storageof traffic and location data and the
accessof the competent national authorities to such data both constitute independent infringements of the right to privacy. The storage of such data also constitutes an infringement if only a limited part of the information stored is actually used. The retention of the large amount of data on innocent individuals which the Wbt encompasses constitutes a serious infringement of Article 8 of the ECHR, since those data may allow very precise conclusions to be drawn concerning the private lives of the persons whose data have been retained, as the Court also finds. The Wbt contains insufficient safeguards against abuse and arbitrariness, and it is insufficiently clear and precise under what circumstances and conditions the authorities may implement the measures. The Wbt does not provide, for instance, that each individual request to access the data should be subject to the supervision of the authorities. Moreover, the Wbt is not ‘necessary within a democratic society’. The serious infringement of privacy is not proportionate in the light of the aim to be achieved, namely the detection of serious crime.
The Wbt also interferes with the freedom of expression (Article 10 of the ECHR and Article 11 of the Charter). The fact that data of journalists can be requested gives rise to the risk that they will avoid certain topics or that sources will no longer dare to approach journalists. Clients will also feel less free to consult with their lawyer. There is a danger, therefore, of a “chilling effect”, with the government compelling providers of telecommunications services to violate the fundamental rights of their clients on a massive scale. Furthermore, their contractual freedom and entrepreneurial freedom are affected.
While the Minister of Justice and Security proposed an amending Act in the letter of 17 November 2014, the Wbt will continue to be enforced in its current form until such Act has entered into force. There is broad support for the position that the Wbt as currently drafted can no longer be maintained. This has been very clearly stated by the Advisory Division of the Council of State. It is also endorsed by the Personal Data Protection Authority (College Bescherming Persoonsgegevens, “CBP”) and leading scholars.
Added to this, the Wbt is barely effective and has been rendered largely obsolete by advancing technical developments. The necessity and effectiveness of the Wbt have yet to be demonstrated after more than five years of data retention. Many other EU Member States have already repealed the laws implemented on the basis of the Data Retention Directive or have rendered the retention obligation inoperative.
2.3.
The State has put forward a reasoned defence, which will, insofar as necessary, be discussed below.
3.The assessment of the dispute
3.1.
It is stated first and foremost that the claim is directed against the State as legislator and provides for a part of an Act of Parliament to be declared inapplicable. A civil court can only declare (parts of) an Act of Parliament inapplicable in preliminary relief proceedings if and insofar as it is
manifestly non-bindingbecause it is in conflict with provisions of treaties or of resolutions by international institutions that are binding on all persons. This criterion arises from Article 94 of the Constitution and established case law (cf. SC 1 July 1983, NJ 1984, 360) and suggests that great restraint be observed, all the more so since in preliminary relief proceedings such as the present proceedings it is only possible for a provisional judgment to be rendered. The restraint that should be observed is rooted in the distribution of competences between the various State bodies based on the Constitution. Acts of Parliament are adopted by the legislature. It is pre-eminently the task of the legislature to weigh all the arguments and interests at issue against each other, in which regard it enjoys a considerable degree of discretion. It is therefore inappropriate for an independent “full” examination to be undertaken by a civil court.
manifestly non-bindingbecause it is in conflict with provisions of treaties or of resolutions by international institutions that are binding on all persons. This criterion arises from Article 94 of the Constitution and established case law (cf. SC 1 July 1983, NJ 1984, 360) and suggests that great restraint be observed, all the more so since in preliminary relief proceedings such as the present proceedings it is only possible for a provisional judgment to be rendered. The restraint that should be observed is rooted in the distribution of competences between the various State bodies based on the Constitution. Acts of Parliament are adopted by the legislature. It is pre-eminently the task of the legislature to weigh all the arguments and interests at issue against each other, in which regard it enjoys a considerable degree of discretion. It is therefore inappropriate for an independent “full” examination to be undertaken by a civil court.
3.2.
The State has contended that the criminal court has already explicitly expressed an opinion on the legal validity of the Wbt (Amsterdam Court of Appeal 9 May 2014, ECLI:NL:GHAMS:2014:1835 and Amsterdam Court of Appeal 27 May 2014, ECLI:NL:GHAMS:2014:2028), so that it is difficult to conclude that the Wbt is manifestly non-binding. This contention does not succeed, since the criminal court examined whether a procedural defect took place on the grounds of Article 359a(1) of the Code of Criminal Procedure and whether the interests of the suspects were violated through application of the (amended) Telecommunications Act. There was no examination on the basis of civil law as to whether the Wbt is in conflict with provisions of treaties or of resolutions by international institutions that are binding on all persons in the judgments referred to.
3.3.
In support of their claims, Privacy First et al. have relied on the findings in the judgment of the Court of 8 April 2014, in which the Data Retention Directive was declared to be invalid. However, it is not in dispute that the declaration of invalidity of the Data Retention Directive by the Court does not automatically mean that the Wbt is similarly invalid. The declaration of invalidity of the Data Retention Directive has caused the Wbt to become autonomous legislation which should be examined in the light of its own merits, with due consideration also for the findings of the Court. It should also be noted that the proposed amendments to the Wbt as set out in the letter of 17 November 2014 play no part in the assessment, since the examination should be limited solely to the legislation as currently applicable.
3.4.
Article 51 of the Charter provides that the Charter applies when the Member States are implementing Union law. It follows from the case law of the Court that the term “implementation of Union law” within the meaning of this article should be interpreted as concerning actions of the Member States within the field of application of Union law (inter alia: CJEU 30 April 2014, C-390/12, Pfleger). As the Wbt complements the ‘e-Privacy Directive’ (Directive 2002/58/EC) and constitutes an obstacle to the free movement of services, it falls within the scope of application of the Charter. It is therefore necessary to examine whether the Wbt, as Privacy First et al. contend, constitutes an unacceptable infringement of Articles 7 and 8 of the Charter. Although the State, in this connection, has not disputed that the Wbt almost exactly replicates the contents of the Data Retention Directive, it has, rightly in the opinion of the court in preliminary relief proceedings, argued that the entire body of relevant domestic legislation should be taken into account when assessing the question as to whether the Wbt is consistent with Articles 7 and 8 of the Charter. This in the light of the fact that the objections to the Data Retention Directive set out by the Court in the judgment of 8 April 2014 relate, among other things, to the absence of certain safeguards for the security of and access to the stored data. These objections can equally be addressed by applicable provisions in other national regulations.
3.5.
Articles 7 and 8 of the Charter set out the right to respect for private and family life, home and communications and the right to protection of personal data. Privacy First et al. have argued that the mere fact that it is laid down in the Wbt that telecommunications data of persons shall be retained constitutes an unacceptable interference with Articles 7 and 8 of the Charter. It has been established that, as the Court also finds under points 32 to 37, inclusive, of the judgment, the obligation imposed (in this case by the Wbt) to
retain, for a certain period, data relating to a person’s communications constitutes interference with Articles 7 and 8 of the Charter. This is in line with the case law of the European Court of Human Rights, on which Privacy First et al. have relied. There, it is found with regard to Article 8 of the European Convention on Human Rights, for example, that
“The mere storing of data relating to the private life of an individual amounts to an interference within the meaning of article 8 (...). The subsequent use of the stored information has no bearing on that finding.”(ECHR 4 December 2008, S. and Marper, appl.nos 30562/04 and 30566/04). Privacy First et al. therefore correctly assert that the
useof the data constitutes far-reaching interference in and by itself with the aforementioned rights. However, insofar as Privacy First et al. argue that the interference with the aforementioned rights is in any event unacceptable, this argumentation is not followed, since it is necessary to assess whether the interference is justified and proportionate.
retain, for a certain period, data relating to a person’s communications constitutes interference with Articles 7 and 8 of the Charter. This is in line with the case law of the European Court of Human Rights, on which Privacy First et al. have relied. There, it is found with regard to Article 8 of the European Convention on Human Rights, for example, that
“The mere storing of data relating to the private life of an individual amounts to an interference within the meaning of article 8 (...). The subsequent use of the stored information has no bearing on that finding.”(ECHR 4 December 2008, S. and Marper, appl.nos 30562/04 and 30566/04). Privacy First et al. therefore correctly assert that the
useof the data constitutes far-reaching interference in and by itself with the aforementioned rights. However, insofar as Privacy First et al. argue that the interference with the aforementioned rights is in any event unacceptable, this argumentation is not followed, since it is necessary to assess whether the interference is justified and proportionate.
3.6.
The parties are in dispute in that context about the necessity and effectiveness of the retention obligation as laid down in the Wbt. In this regard, it must be noted, first, that this point of dispute pre-eminently falls under the discretion of the legislature, whose task it is to weigh all the arguments and interests against each other, with the result that the preliminary relief court will only undertake a limited assessment in relation to this point. The Court held that the fight against serious crime is of the utmost importance in order to ensure public security, that its effectiveness may depend to a great extent on the use of modern investigation techniques (point 51) and that the data which must be retained allow additional opportunities to shed light on serious crime (point 49). In addition, the State has demonstrated sufficiently in these proceedings that certain forms of crime are almost exclusively detectable through the use of historical telecommunications data, given that increasingly crime is being committed online or with the aid of the Internet. The State has argued, without being contradicted, that it would not have been possible to solve certain major criminal cases listed by it without a reliance on the retention obligation. The basic principle is therefore that the retention obligation is necessary and effective.
3.7.
The dispute between the parties is further focused on the question of whether there are provisions in Dutch legislation which sufficiently address the objections that resulted in the Court ruling that the Data Retention Directive is invalid. Just like the Data Retention Directive, the Wbt covers without any limitation all persons using means of electronic communication and therefore applies even to persons for whom there is no evidence capable of suggesting that their conduct might have a link with serious crime. Nor is any relationship required between the data whose retention is provided for and a threat to public security (points 57 to 59, inclusive, of the judgment). Contrary to what Privacy First et al. maintain, it cannot be concluded from the judgment of the Court that such a broad retention obligation is in any event not proportionate in the light of the intended objective, since the Court goes on to consider whether the Date Retention Directive provides sufficient safeguards for access to the data retained. If what Privacy First et al. have maintained were to be correct, the Court would not have got around to addressing this question. Furthermore, the Court held (
“Having regard to all the foregoing considerations”, point 69) that the legislature has exceeded the limits imposed by compliance with the principle of proportionality. It follows from this that the outlined objections, taken together, led to that opinion.
“Having regard to all the foregoing considerations”, point 69) that the legislature has exceeded the limits imposed by compliance with the principle of proportionality. It follows from this that the outlined objections, taken together, led to that opinion.
3.8.
The above does not alter the fact that it is necessary to assess whether the interference with Articles 7 and 8 of the Charter is precisely circumscribed by provisions to ensure that it is actually limited to what is strictly necessary. In this respect it is noted that a limitation of the data whose storage is provided for to the data of suspects is inconceivable in view of the objective of the Wbt, namely the effective detection of serious crime. In the case of a
first offenderit is not possible to make a distinction in advance between suspects and non-suspects. However, the need to provide safeguards and guarantees regarding access to these data is even greater since it concerns a very broad interference, underlining the importance of setting high standards in that regard.
first offenderit is not possible to make a distinction in advance between suspects and non-suspects. However, the need to provide safeguards and guarantees regarding access to these data is even greater since it concerns a very broad interference, underlining the importance of setting high standards in that regard.
3.9.
The State has correctly argued that the Telecommunications Data (Security) Decree (
Besluit beveiliging gegevens telecommunicatie) requires providers of telecommunications services in the Netherlands to apply a high level of protection and security and that this is subject to supervision by the Radiocommunications Agency Netherlands and the Personal Data Protection Authority (CBP). To this extent, therefore, the objection to the Data Retention Directive noted by the Court under point 67 of the judgment is addressed. However, it must be concluded from point 69 that a requirement that the data in question should be retained within the European Union is
“an essential component”of the protection of individuals with regard to the processing of personal data, since it is only through that requirement that the control by an independent authority of compliance with the requirements of protection and security, on the basis of EU law, is fully ensured. Such a requirement is absent in the Wbt. The State has also acknowledged that in practice (several small) providers retain their user data outside the European Union.
Besluit beveiliging gegevens telecommunicatie) requires providers of telecommunications services in the Netherlands to apply a high level of protection and security and that this is subject to supervision by the Radiocommunications Agency Netherlands and the Personal Data Protection Authority (CBP). To this extent, therefore, the objection to the Data Retention Directive noted by the Court under point 67 of the judgment is addressed. However, it must be concluded from point 69 that a requirement that the data in question should be retained within the European Union is
“an essential component”of the protection of individuals with regard to the processing of personal data, since it is only through that requirement that the control by an independent authority of compliance with the requirements of protection and security, on the basis of EU law, is fully ensured. Such a requirement is absent in the Wbt. The State has also acknowledged that in practice (several small) providers retain their user data outside the European Union.
3.10.
Furthermore, as the Court finds under point 60 of the judgment, legislation should lay down objective criteria by which to determine the limits of the access of the competent national authorities to the data and their subsequent use for the purposes of prevention, detection and criminal prosecutions concerning offences that may be considered to be sufficiently serious to justify the interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter. The court in preliminary relief proceedings is of the opinion that this is not the case in the Wbt. Although the Wbt establishes a clear delineation since access to the data is limited to the detection and prosecution of criminal offences for which pre-trial detention is allowed or of terrorist offences, this category also includes criminal offences which are not sufficiently serious to justify the interference. It should be remembered that the provisions of the Data Retention Directive were a response to the terrorist attacks in London and Madrid in 2004 and 2005. The material objective of the Data Retention Directive, and hence of the Wbt which is based on it, was to ensure that certain data are available for the purpose of the fight against
seriouscrime. Criminal offences for which pre-trial detention is allowed also include offences that are punishable by a sentence of imprisonment of at least four years. The State has argued that any decision to request the data is not taken lightly, and that no data will be requested in the case of a bicycle theft, for example, which is also a criminal offence for which pre-trial detention is allowed. However, it is a fact that the possibility to do so exists and that there are no safeguards to actually limit access to the data to what is strictly necessary for the purpose of combating serious crime, and only serious crime.
seriouscrime. Criminal offences for which pre-trial detention is allowed also include offences that are punishable by a sentence of imprisonment of at least four years. The State has argued that any decision to request the data is not taken lightly, and that no data will be requested in the case of a bicycle theft, for example, which is also a criminal offence for which pre-trial detention is allowed. However, it is a fact that the possibility to do so exists and that there are no safeguards to actually limit access to the data to what is strictly necessary for the purpose of combating serious crime, and only serious crime.
3.11.
The above is particularly important since the Wbt and related legislation do not make access to the data retained dependent on a prior review carried out by a court or by an independent administrative body. Contrary to what the State maintains, the Public Prosecution Service cannot be regarded as an independent administrative body. That the Court considers this a serious objection may be inferred from the use of the words
“above all”under point 62 of the judgment.
“above all”under point 62 of the judgment.
3.12.
All this leads to the conclusion that the Wbt in its current form interferes with the rights enshrined in Articles 7 and 8 of the Charter in a manner which is not limited to what is strictly necessary and must therefore be qualified as unacceptable. In view of the foregoing, the Wbt is manifestly non-binding. The court in preliminary relief proceedings is aware that rendering the Wbt inoperative may have far-reaching consequences for the detection and prosecution of criminal offences. However, this does not justify allowing the aforementioned interference to persist. Nor does the fact that the consequences of rendering the Wbt inoperative are potentially irreversible in itself prevent the relief sought from being allowed. Privacy First et al.’s principal claim, as set out under I, will therefore be allowed. In the light of the foregoing, Privacy First et al. have no further interest in the relief sought under II being allowed, since rendering the Wbt inoperative means that the basis for requesting the data concerned will cease to apply.
3.13.
As the party against whom judgment has been given, the State will be ordered to pay the costs of these proceedings as well as, partly suspended, the subsequent costs.
4.The decision
The court in preliminary relief proceedings:
- renders the Telecommunications Data (Retention Obligation) Act (
Wet bewaarplicht telecommunicatiegegevens) inoperative;
Wet bewaarplicht telecommunicatiegegevens) inoperative;
- orders the State to pay the costs of these proceedings, up to this point on the part of Privacy First et al. assessed at €1,914.84, of which €1,224 comprises lawyer’s fees, €613 comprises court fees and €77.84 comprises the costs of issuing the writ of summons.;
- orders the State also to pay the subsequent costs, assessed at a fixed amount of €131 for lawyer’s fees, plus €68 in fees and the costs incurred for giving notice of service of this judgment in the event that service is effected;
- declares this judgment to be immediately enforceable notwithstanding appeal;
- dismisses all other applications.
This judgment was delivered by G.P. van Ham LLM and pronounced in open court on 11 March 2015.