The never ending data retention
Regarding the history of the case it is important to note that in April 2014 the Court of Justice of the European Union (CJEU) declared invalid the Data Retention Directive that unified the time frame of the retention of selective data by Internet and telephone services and determined the accessibility of data by authorities in the member states. According to the decision, the directive had exceeded the limits of proportionality concerning the right to privacy and protection of personal data, as it failed to establish guarantees that counterweigh such limitations. Despite the annulment of the directive, the Hungarian act allowing data retention still remained in force. The Hungarian Civil Liberties Union (HCLU) started litigation against Telenor in order to force the Hungarian Constitutional Court (CC) to repeal the unlawful act.
In Hungary the Hungarian Act on Electronic Communications establishes that providers must retain telephone and Internet communications traffic data for six months. It is important to know that this rule concerns "only" the time frame of data retention, caller identity, caller location, the frequency of communications and other data of this kind but not the contents of communications. However, such data allows for drawing accurate conclusions regarding the private lives, everyday habits, travel patterns and social environment of concerned persons, even without knowing the contents of communications. Therefore, data retention of this kind constitutes a serious intervention into the private sphere of concerned persons as well as an infringement of fundamental rights related to the protection of personal data.
In both European and national law, data retention is sought to be justified by the need to prosecute serious crimes and the fight against terrorism. At the same time, in accordance with the ruling of the CJEU, the Hungarian act defining the rules of data protection is not compatible with Hungarian constitutional requirements, either, for breaching the limits of the proportionality criteria. One of the most important arguments in this vein is that everyone's data are retained, independently from whether they relate to any serious crimes or terrorist actions.
Due to the reform of the Hungarian law and, specifically, the jurisdiction of the Constitutional Court, HCLU cannot directly refer to the CC to establish that the legislation on the obligation of data protection is against the Fundamental Law of Hungary. Instead, it has to initiate a long process consisting in the following steps:
1. HCLU requests in writing the Internet or telephone service providers to eliminate any retained traffic data
2. the service provider refuses this request based on the current Hungarian legislation
3. HCLU brings court action against service providers concerning the elimination of data
4. during the trial, HCLU requests the judge to directly refer to the CC: a positive aspect of this move is that it can take place already during the first instance proceedings, and the CC has to decide upon the claim within strict deadlines (with urgency and no later than in 90 days)
5. should the judge refuse doing so, given the current Hungarian legislation, HCLU would certainly lose at trial and data would remain intact
6. an appeal would be submitted, and HCLU would lose at second instance, too
7. (HCLU might submit a revision request at the Curia, and in the meantime) the HCLU will finally be able to refer the case to the CC.
The role of service providers is not obvious. It is because of the need to refer the case to the CC that HCLU is forced to undertake litigations against the service providers; the problem lies in the current regulation and not with the service providers that retain a huge amount of data to meet their legal duties and not out of their own will, especially since this entails enormous costs. Most probably, service providers are not happy at all with this obligation. At the same time, in contrast with some international examples, none of the service providers contacted in Hungary agreed to submit a joint application at the courts.
From sending the first letter to submitting an application to the Constitution Court, the whole process may take as long as two or three years, and the Constitutional Court is not tied by any deadlines in case of a constitutional complaint. It can be assumed that, in the meantime, new EU legislation will be passed on the matter, which may be a regulation as opposed to a directive, providing for uniform rules across member states, so that the Hungarian act will have to be repealed. However, HCLU is not willing to just wait for this development.
In the beginning, the case
went just as planned. The court of first instance accepted the request of HCLU (see step 4 of the procedural steps) and referred the case to the Constitutional Court, as in its opinion the regulation imposing data retention should have been applied in the case, however the judge perceived the regulation to being contrary to fundamental law. Because of the procedural rules of the judicial initiative it was obvious that the Constitutional Court will not be able to sit around for as long as it wishes, having to make a decision in 90 days at the latest. HCLU first turned to the Constitutional Court in 2007 in this case, we can handle another three months – we thought.
The judge referring to the Constitutional Court drew on the arguments of HCLU in its initiative explaining why the right to privacy is limited by the internet and telephone service providers retaining all of our traffic data for half a year without any guarantees in place.
Some examples to the missing guarantees:
· everyone’s data is retained independently from whether they relate to any serious crimes or terrorist actions,
· the authorities can request data from the systems in bulks without having to provide any kind of justification,
· the concerned persons’ right to being informed is not protected and the data cannot be requested to be removed from the system.
Most importantly, according to the initiative the data retention obligation does not meet the criteria of necessity and proportionality, and accordingly, the act unconstitutionally limits the fundamental rights to privacy and protection of personal data.
In the case the Hungarian Constitutional Court should have determined whether the Hungarian act complies with Hungarian constitutional requirements, namely, whether the data retention regulations violate the Constitution or the fundamental rights to privacy and protection of personal data. Notwithstanding the Hungarian legal criteria, the Constitutional Court has a duty (according to the HCLU), or a possibility (according to the Constitutional Court) to examine whether a regulation violates international treaties.
Called for upon by HCLU, renowned international NGOs and academic professionals submitted amicus curiae (literally, friend of the court) briefs, which are submissions offering arguments and information that have to be taken into account when making the decision, and which are not otherwise necessarily known by the decision-maker, the Constitutional Court in this case. Two of the submissions therefore were concentrating on the EU legal aspects of the case. The international legal environment was favorable for the Constitutional Court to declare the data retention regulations invalid, similar to several other member states (e.g. Netherlands, Slovenia).
Nevertheless, the Constitutional Court decided
not to decide on the merits of the case, allowing personal information of Hungarian citizens to be collected without specific purpose and without the necessary guarantees in place that protect the data, in contrary to other, luckier EU citizens (links). The Constitutional Court did not pass a decision on the merits, therefore the judgment does not examine whether the data retention obligation is constitutional or not. The court’s petition was rejected due to non-compliance with procedural requirements.
The Constitutional Court’s decision builds on the logic that in case of a norm control in a concrete case, two conditions have to be met: a concrete case in progress before the judge shall serve as the factual ground of the petition, and the petition shall aim to examine the legal regulation that shall be applied in the case [17].
“The Constitutional Court pointed out, that “the proceeding judge may only submit a petition on the legislative piece or provision thereof, he or she is (would be) bound to apply in the course of the adjudication of the concrete case. Accordingly, a direct link between the contested norm and the concrete case in progress serves as the basic condition thereto. In case the judge’s petition contests a legislative piece or a provision thereof that is not related to the concrete case in progress (as it was suspended subject to the petition being filed), and will apparently not be applied therein, there is no place for examining whether it is constitutional […] The judicial initiative as the individual or concrete method of norm control is narrower than the posterior norm control in that the judge may only contest the legal regulation of provision that is applicable in the case, and the judge shall give detailed reasoning to prove that the legal regulation or provision is in fact applicable in the given case.”
If you are interested in all of the conditions a judicial petition has to meet to avoid the Constitutional Court rejecting it based on formal reasons, you can read more about it in this decision. Let’s just say, the Constitutional Court is not striving to minimize the amount of unconstitutional legal regulations the courts are applying.
After laying down the prerequisites, the Constitutional Court determined that the judicial petition only applies to the specific provision – and therefore the judge is only requesting the Constitutional Court to examine the provision – that subscribes the data retention obligation. The Constitutional Court however was on the opinion that in this case it is not this provision that shall be applied, but rather two other ones: firstly, the provision that provides the individual’s right to information about his or her processed personal data, secondly, the provision that prevents the individual in exercising their right to erasure. The right to information and the right to erasure both derive from the right of informational self-determination. The essence of this right is that the individual should be in control over, and should be deciding what happens with their personal data. It is self-explanatory, that this includes not only the individual’s right to obtain information on the data controllers processing their personal data, the legal grounds on which they do so and the nature of the data, but also the right to request the data controller to delete the information which constitutes their personal data. For instance, someone who signed the government mandated household utility cost cut form, and has been receiving six spam letters from Fidesz, the government and CÖF on a daily basis, may reasonably suppose that their personal data has been misused, and may ask for their personal data to be removed (and no further letters to be sent).
The Constitutional Court further determined that whereas in the examined case the wrong provision was contested by the judge (not the provisions that prevent the plaintiff’s request to be executed) the relevant provisions cannot be subject to examination without being specifically contested. As a reminder, the plaintiff’s request was for the court to order Telenor to inform them of which personal data it holds on them in line with the data retention regulations, and to request the data to be removed.
From the above the Constitutional Court came to the conclusion that the judge’s petition is incorrect, and therefore did not decide on the merits of the question imposed by the judge, namely whether the data retention obligation set out by the Hungarian legislation violates the right to protect personal data and privacy. The case was supported by two amicus briefs submitted by the UK based Open Rights Group and Privacy International and a coalition of internationally renowned academic scholars. The interventions highlighted the EU law aspects of the case. The Constitutional Court remained silent as to whether the Hungarian legal provision violates international treaties pursuant to these interventions. The Constitutional Court notes at the end of the decision, that according to its opinion, the individual has the right to request information on their personal data, but even so, they do not have the right to ask for removal.
The mistakes of the Constitutional Court’s decision
are enormous. You do not need to be a constitutional judge, or even a law graduate, to be able to accept the following logical sequence. If the law did not oblige the service provider to keep traffic data and to provide the authorities access to the database, it would not even come into question that the individual would like to acquire information on the data, and request its removal. The essential question is exactly what the judge asked: does the legal regulation prescribing data retention unconstitutionally violate the right to the protection of personal data and privacy?
Whereas the Constitutional Court believes that the request for information cannot be rejected and the absence of the right to erasure could be unconstitutional, why did it not decide in the real questions on fundamental rights that precede?
The Constitutional Court’s answers this by suggesting that the judge does not need to consider the data retention obligation itself in the concrete legal case. This is not only nonsense, but also contrary to the practice laid down by the Constitutional Court on its own scope, which is quoted in this decision as well.
It is nonsense, as in order to decide whether the individual has the right to ask the service provider to delete their traffic data, the judge first has to consider whether the service provider lawfully retains the data in the first place. If the service provider does not lawfully retain the data, then it is apparent that the data has to be erased. If the provider retains lawfully the data, the individual’s right to erasure can be further examined.
It is contrary to the practice of the Constitutional Court, because what happened here? The Constitutional Court applied law, not only once, but twice. Once when the CC determined which legal regulations the judge should and should not apply, and once when it passed its decision on the request concerning the right to obtain information on personal data:
“From the referred legal provisions the Constitutional Court determines that the individual (the user under the Act on Electronic Communications) according to Section 154. § (7) of the Act on Electronic Communication is entitled to be informed on the purpose the service provider processes their personal data, and what personal data is processed, including the data under the legal provision contested by the petitioner.” [23]
What is the problem? The Constitutional Court in the course of considering whether the judge’s petition was in line with the formal requirement, determined that “the decision on the petition on the merits cannot result in the Constitutional Court taking over the tasks – of legislative bodies and the Courts” [14]. The problem in the specific case is that the Constitutional Court took over the task of the courts by the reasoning in which the CC decided to reject the petition and not pass a judgement.
Furthermore, the Constitutional Court does not at all address the question of violating international treaties, whereas the Court would have the opportunity to, and be obliged to do so out of its own initiative. The decisions of the Court of Justice of the European Union, the member states’ constitutional courts and the submitted amicus observations provided legal support for this.
The Constitution Court’s cowardice
hurts all of us, who made a phone call, sent a text message or read an e-mail in the last six months. We do not know what is behind the Constitutional Court finding its way out of having to pass a decision, but we do know what the consequences are. If we decide to look for the ‘why’, we can look in many directions. It was never a secret that this was a test case ran by the HCLU, so it is possible that this was the revenge of the Constitutional Court for the constitutional judge profiles (). This is contradicted by the fact that the assigned judge was dr. Miklós Lévay, who’s decisions were not addressed by the study, and perhaps this would not give a reason to mess with 10 million people’s privacy. It is more likely that the fight against crime and terrorism is politically sensitive enough to want to avoid conflict and not have to declare that authorities currently perform their related tasks by violating fundamental rights. In case of a real decision the Hungarian Constitutional Court would have been the amongst the few or first to stand ground on data retention following the EU decision, which would have been professionally unacceptable.
We don’t give up
we just have to steer back to plan B, which is rather time-consuming. The following scenarios have some likelihood, in chronological order:
– the judge of the case writes a new petition in line with the Constitutional Court’s decision, in which it specifies the provision preventing the individual in practicing their right to erasure and requests the Constitutional Court to pass a decision
– following the rejection, the judge does not submit a new petition, but passes a decision in the case: orders the information to be provided on the personal data, but does not order Telenor to erase the data
– we file an appeal, the court of appeal turns to the Constitutional Court as well and the CC will have 90 days to pass its decision
– if the judge does not turn to the Constitutional Court or the Constitutional Court does not pass a decision on the merits again, we lose the case on second instance
– after this, HCLU can file a constitutional complaint representing the plaintiff against the judicial decision. The Constitutional Court can then drag its decision on for as long as it wishes, as this procedure does not have a deadline.
In the meantime the European Union might adopt binding regulations for all member states as part of the data protection regulation reform.
Let us all thank the Constitutional Court.