Data Retention in Greece: Where the Legislator falls behind, the (Greek) Courts take the initiative!

04/03/2017

            Arianna Sekeri             

          Attorney at Law, LL.M, MSc., CIPP/E - Data Protection & Privacy Counsel -                                   Information Security - TMT / IP Law Expert


Where the Legislator falls behind, the (Greek) Courts take the initiative!

The future of Greek Law 3917/2011, incorporating into national legislation the data retention provisions of the annulled Directive 2006/24/EC, to be decided before the ECJ

Following the annulment of the Data Retention Directive, back in 2014, by the ECJ, there was a lot of discussion among European Member States as well as national stakeholders, regarding the future of national legislations transposing the annulled Directive, for the ECJ's Decision did not make national data retention legislations automatically invalid.

Having said that, the ECJ's Decision was clear on one thing: "blanket" data retention legislations, imposing data retention obligations in a too general and far-reaching way, were at risk of being declared invalid by national courts.

With all European Member States awaiting guidance or some form of action on the matter from the European Commission, harmonization of data retention rules in the EU remains in jeopardy.

While some European Member States (e.g. Ireland, Austria, Belgium, Bulgaria, Germany, Romania, Slovakia, Slovenia) decided to take immediate action and invalidate or amend their national legislations, others (e.g. Danemark, Italy, Sweden, The Netherlands, UK) decided to confirm their data retention national rules or even worse stay silent on the matter.

Greece falls in the latter aforementioned category, as Law 3917/2011 transposing Directive 2006/24/EC into Greek Legislation remains in full force, and the Greek legislature appears to be postponing taking a firm decision on the matter.

In fact, the risk of Law 3917/2011 being declared invalid by national courts, becomes even greater when ones considers, that Law 3917/2011 is, in essence, a copy & paste of the annulled Directive.

Case C-475/16, currently pending before the ECJ, concerns a request for a preliminary ruling that was lodged from the Protodikeio Rethymnis (Greece), on 17 August 2016, regarding criminal proceedings, brought against a Greek national that are pending before the national court.

Here are the questions referred to by the Greek Criminal Court:

1. Pursuant to Articles 19 TEU and 263, 266 and 267 TFEU and the principle of sincere cooperation (Article 4(3) TEU) under which Member States and their competent authorities are obliged to take all general and specific measures to remedy an infringement of EU law, as well as to comply with the judgments of the Court of Justice of the European Union, in particular concerning the validity of erga omnes acts of EU institutions, are Member States required to repeal or amend accordingly a legislative measure incorporating a directive which has been annulled by the Court of Justice of the European Union on the grounds that it is contrary to the provisions of the Treaties and the Charter, in order to ensure the implementation of the judgment of the Court of Justice, and thus to address and prevent any future infringement of the Treaties and the Charter?

2. With reference to the previous question, can Article 266 TFEU (formerly Article 233 EC) be interpreted in such a way that the concept of 'institution or body' also includes (on a broad or analogous interpretation) the Member State which has incorporated a directive into its national law that was annulled because it is contrary to the Treaties and the Charter or, in such a case, is it possible that Article 260(1) TFEU be applied by analogy?

3. If the answer to the above is essentially affirmative, i.e. if there is an obligation on Member States to take all general and specific measures to remedy the infringement of EU primary law by repealing or amending accordingly the legislative measure incorporating a directive which has been annulled by the Court of Justice of the European Union, because it is contrary to the Charter or the Treaties, does this obligation extend to national courts, i.e. are they obliged not to apply the legislative measure incorporating the annulled directive, in this case, Directive 2006/24/EC 1 (at least in part) that is contrary to the Charter or the Treaties, and therefore not to take into account evidence obtained under the latter (the directive and a national measure of transposition)?

4. Does the national legislation transposing Directive 2006/24/EC, which was annulled by the Court of Justice of the European Union in its judgment in Digital Rights Ireland and Others 2 (C-293/12 and C-594/12, EU:C:2014:238), as being contrary to the Charter, fall within the scope of EU law, as required by Article 51(1) of the Charter of Fundamental Rights, from the mere fact that the national legislation transposes Directive 2006/24/EC, irrespective of the subsequent annulment of this directive by the Court of Justice of the European Union?

5. Since Directive 2006/24/EC, which has been annulled by the Court of Justice of the European Union, was introduced in order to implement a harmonised framework at the European level under Article 15(1) of Directive 2002/58/EC on data retention by service providers for the purposes of the prevention, investigation, detection and prosecution of criminal offences, so that no obstacles are put in the way of the internal market for electronic communications, is the national legislation transposing Directive 2006/24/EC within the framework of Article 15(1) of Directive 2002/58/EC, in order to fall within the scope of EU law, as required by Article 51(1) of the Charter?

6. Given that, were an EU Member State national to be convicted of a criminal offence, as in this case, that would inevitably entail restrictions on the exercise of the rights of free movement granted under EU law, although justified in principle, does this sufficiently justify the relevant criminal proceedings in their entirety being regarded as falling within the scope of EU law, as required by Article 51(1) of the Charter?

If the answer to the above is essentially that the Charter of Fundamental Rights is applicable, under Article 51(1), then:

7. Is it compatible with Articles 7, 8 and 52(1) of the Charter that data retained under Directive 2006/24/EC and/or Article 15(1) of Directive 2002/58/EC is accessed and used by the police in the course of criminal investigations in cases of urgency - in particular, in cases of crimes where offenders are apprehended in the act - without prior approval by a judicial body [or independent administrative body] on the basis of specific substantive and procedural requirements?

8. Under Articles 7, 8 and 52(1) of the Charter, in the course of criminal investigations by the police or other not purely judicial authorities, which seek to obtain access to and make use of data retained under Directive 2006/24/EC and/or Article 15(1) of Directive 2002/58/EC, particularly when investigations are not intended to prevent, detect and prosecute precisely defined crimes categorised by the national legislature as serious, does the consent of the person to whom the data relates remove the requirement for prior authorisation of access to and use of such data by a court [or independent administrative body] on the basis of specific substantive and procedural requirements, given also that the requested data inevitably include data of a third party (e.g. person calling/being called)?

9. Is a prosecutor's permission, only with respect to the access to and use of data retained under Directive 2006/24/EC and/or Article 15(1) of Directive 2002/58/EC during criminal investigations, compatible with Articles 7, 8 and 52(1) of the Charter, when given without prior approval by a court [or independent administrative body], which is granted on the basis of specific substantive and procedural conditions, particularly when investigations are not intended to prevent, detect, and prosecute precisely defined crimes categorised by the national legislature as serious?

10. Having regard to the judgment of the Court of Justice in Digital Rights Ireland and Others, paragraphs 60 and 61, and the term 'serious crime' contained in Article 1(1) of Directive 2006/24/EC, is that term an autonomous concept of EU law and, if so, what is its essential content on the basis of which a specific crime must be considered serious enough to justify the access to and use of data retained under Directive 2006/24/EC?

11. Having regard to the judgment of the Court in Digital Rights Ireland and Others, paragraphs 60 and 61, and irrespective of whether the term 'serious crime' in Article 1(1) of Directive 2006/24/EC is autonomous or not, do Articles 7, 8 and 52(1) of the Charter outline general criteria based on which a specific crime must be considered serious enough to justify the access to and use of data retained under Directive 2006/24/EC and/or Article 15(1) of Directive 2002/58/EC, and if so, what are these criteria?

12. If the answer to the previous question is essentially affirmative, then should such a review of proportionality consist ultimately of an assessment of the characteristics of the investigated offence, (a) by the Court of Justice of the European Union, alone or (b) by the national court, under the general criteria laid down by the Court of Justice of the European Union?

13. Having regard to the judgment of the Court in Digital Rights Ireland and Others, paragraphs 58-68 and the operative part, is access to and use of retained data which takes place in the course of criminal proceedings under a general data retention scheme established pursuant to Directive 2006/24/EC and/or Article 15(1) of Directive 2002/58/EC, which meets the requirements of paragraphs 60, 61, 62, 67 and 68 of the above judgment, but not the requirements of paragraphs 58, 59, 63 and 64 of the same, compatible with Articles 7, 8 and 52(1) of the Charter?

[Namely, when the retention status, first, requires prior approval by the court based on specific substantive and procedural conditions and, in particular, for the prevention, detection and prosecution of precisely defined crimes contained in the list drawn up by the national legislature and categorised by the latter as serious, and ensures the effective protection of retained data from the risk of abuse and against any unauthorised access and use (see paragraphs 60, 61, 62, 67 and 68 of the above judgment) and, secondly, allows data retention (a) without distinction to all persons who make use of electronic communications services, without previous evidence showing that the person (defendant or suspect) whose retained data are requested might have been involved, even indirectly, in a serious crime before the incident upon the occurrence of which the data were requested from the communications services providers, (b) without the requested data being relevant prior to the occurrence of the investigated event (i) to a specific time period and/or a geographical area and/or a group of specific persons who might be involved, in one way or another, in a serious crime, or (ii) to persons who might, for other reasons, contribute to, by retaining their data, the prevention, detection or prosecution of serious offences, (c) based on a time period (12 months in this case) specified without any distinction between the categories of data specified in Article 5 of that Directive, based on their probable usefulness for the intended purpose or in accordance with the persons concerned; see paragraphs 58, 59, 63 and 64 of the above judgment]

14. If the answer to the above question is essentially that access to and use of such data does not comply with Articles 7, 8 and 52(1) of the Charter, then should the national court disapply the national measure for the incorporation of Directive 2006/24/EC annulled by the Court of Justice of the European Union or the measure that is based on Article 15(1) of Directive 2002/58/EC, as being contrary to the Charter and, accordingly, take no account of the data retained and acquired on that basis?

15. Having regard to Directive 2006/24/EC, and, in particular, its sixth recital that 'legal [...] differences between national provisions concerning the retention of data for the purpose of the prevention, investigation, detection and prosecution of criminal offences present obstacles to the internal market' and the purpose of Article 1(1), which is to 'harmonise Member States' provisions', the remaining recitals, especially [3, 4, 5, 11 and 21], and the judgment in Ireland v European Parliament and Council of the European Union, C-301/06, EU:C:2009:68, paragraphs 70 to 72, does maintaining the law transposing Directive 2006/24/EC into national law constitute an obstacle to the establishment and functioning of the internal market, even after its annulment by the Court of Justice of the European Union, where a later measure of EU law on the harmonisation of the relevant field has not yet entered into force?

16. In particular, does maintaining the law that transposes Directive 2006/24/EC into national law, even after its annulment by the Court of Justice of the European Union or the national law referred to in Article 15(1) of Directive 2002/58/EC constitute an obstacle to the establishment and functioning of the internal market, for the reasons that, cumulatively or alternatively:

(a) the relevant national law provides objective criteria and substantive conditions on the basis of which the competent national authorities can obtain access to and then use the retained traffic and location data, etc., for the purposes of the prevention, investigation, detection and prosecution of criminal offences, but which criteria and requirements refer to a specific list of criminal activities that is drawn up by the national legislature in its discretion and is not harmonised at the EU level,

(b) the relevant national law on the protection and security of retained data defines technical terms and conditions, but those terms and conditions are not harmonised at the EU level?

17. If the answer to at least one of the above questions is affirmative, should the national court, in accordance with EU law, disapply the national measure for the transposition of Directive 2006/24/EC, which has been annulled by the Court of Justice of the European Union, as being contrary to the establishment and functioning of the internal market and consequently take no account of the data retained and accessed on the basis of Directive 2006/24/EC or national law under Article 15(1) of Directive 2002/58/EC?

It remains to be seen what the judgment of the Court of Justice of the European Union will be and how it will affect Greek national legislation on data retention as well as on obtaining access to and use of such retained data by national competent authorities for the purposes of the prevention, investigation, detection and prosecution of (serious or otherwise) criminal offences.

____________

1 Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC (OJ 2006 L 105, p. 54).

2 EU:C:2014:238.