European Court rules on the retention of personal data during protests
Catt v The United Kingdom, Application No. 43514/15
Date of judgment: 24 January 2019
Court: European Court of Human Rights, First Section
Background
The applicant had regularly attended demonstrations since 1948. In 2005, the applicant began participating in demonstrations organised by Smash EDO, whose object was to close down the activities of EDO MBM Technology Ltd, a company that manufactured weapons and other components. According to the judgment, serious disorder and criminality were features of a number of Smash EDO protests, and the protests therefore attracted a substantial policing presence. The applicant had twice been arrested at Smash EDO demonstrations for obstructing the public highway, but had never been convicted of any offence.
In March 2010, the applicant made a subject access request to the police under section 7 of the United Kingdom Data Protection Act, 1998 for information relating to him. Sixty‑six entries from nominal records for other individuals and information reports which incidentally mentioned him were disclosed from a police database known as the “Extremism database”. Most of the records related to demonstrations at the office of EDO MBM Technology Ltd, with thirteen entries relating to other demonstrations that had taken place in the United Kingdom. In the majority of cases, the information recorded about the applicant was his name, presence, date of birth and address; in some cases, his appearance was also described. Additionally, a photograph of the applicant taken at a demonstration in September 2007 was also disclosed to him.
In August 2010, the applicant asked the Association of Chief Police Officers (ACPO) to delete the entries from the nominal records and information reports which mentioned him. In September 2010, ACPO declined to do so without giving reasons. The applicant challenged ACPO’s refusal to delete the data, arguing that the retention of his data was not “necessary” within the meaning of article 8(2) of the Convention for the Protection of Human Rights and Fundamental Freedoms (the Convention). In particular before the European Court, the applicant argued that that the systematic collection and retention of information about him in a searchable database amounted to an interference with his right to privacy. Furthermore, the applicant argued that the database on which the data was held did not provide sufficient safeguards; that the scope of the database may be adjusted arbitrarily by the police; that the data was retained for excessively long periods on the basis that the database as a whole may be useful; and that the data was subject to automated and manual processing.
Moreover, the applicant submitted that the retention was unjustified given that the data retained related to his involvement in proper and lawful political protest activity and had never been useful for any police functions, and accordingly that the retention of such data would likely have a chilling effect.
Assessment by the European Court
As a point of departure, the European Court noted that the mere storing of information amounted to an interference with the applicant’s right to respect for private life, as secured in article 8(1) of the Convention. The European Court then turned to consider whether the interference was justifiable, which in its assessment turned on whether the interference was necessary in a democratic society. The elements in this regard required the interference to answer to a pressing social need; be proportionate to the legitimate aim pursued; and whether the reasons adduced by the national authorities to justify the interference were relevant and sufficient.
In respect of the personal information held about the applicant, the European Court noted that personal data revealing political opinions falls amongst the special categories of sensitive data, attracting a heightened level of protection. The European Court further emphasised the importance of examining compliance with the principles of article 8 of the Convention where the powers vested in the state are obscure and create a risk of arbitrariness, especially where the technology available is continually becoming more sophisticated. Furthermore, the European Court took into account the fact that the complete records had not been revealed to the applicant when initially requested, which it noted had an impact on its evaluation of the available safeguards.
The European Court accepted that there was a pressing social need to collect the data about the applicant, and that it is in the nature of intelligence-gathering that the police will first need to collect the data before evaluating it. The European Court further agreed with the domestic courts that the police had an obvious role to monitor protests of Smash EDO where the activities of that group were known to be violent and potentially criminal.
However, the European Court held that there was not a pressing need to retain the applicant’s data. In this respect, it underlined that while there may indeed have been a pressing need for such data retention for a period of time after it was collected, the applicant was entirely reliant on the diligent application of the highly flexible safeguards to ensure the proportionate retention of his data, without their being any maximum time limit prescribed. Importantly, the European Court stated that: “Where the state chooses to put in place such a system, the necessity of the effective procedural safeguards becomes decisive … Those safeguards must enable the deletion of any such data, once its continued retention becomes disproportionate.”
Further to this, the European Court noted that whilst the applicant could and did request the disclosure and destruction of his data, this safeguard appeared to be of limited impact given ACPO’s refusal to delete his data or to provide any explanation for its continued retention. This was reaffirmed by the consideration that the absence of effective safeguards was of particular concern in the present case, as personal data revealing political opinions attracts a heightened level of protection.
The European Court went on to observe that engaging in peaceful protest has specific protection under article 11 of the Convention. In the present matter, the European Court highlighted the danger of an ambiguous approach to the scope of data collection, and considered that the decisions to retain the applicant’s personal data did not take into account the heightened level of protection for data revealing a political opinion. Accordingly, it concluded that the retention must have had a “chilling effect”. The European Court also drew attention to the failure by the state to show that the retention of the applicant’s data, in particular concerning the peaceful protests, was either absolutely necessary or served a particular purpose.
In its closing remarks, the European Court noted that it was not convinced that deletion of the data would be so burdensome as to render it unreasonable. It stated further that: “In general terms the Court would add that it would be entirely contrary to the need to protect private life under article 8 if the government could create a database in such a manner that the data in it could not be easily reviewed or edited, and then use this development as a justification to refuse to remove information from that database.”
The European Court therefore concluded that there had been a violation of article 8 of the Convention.
Order of the European Court
In the result, the European Court ordered as follows:
“For these reasons, the Court, unanimously,
1. Declares the application admissible;
2. Holds that there has been a violation of Article 8 of the Convention;
3. Holds
(a) that the respondent State is to pay the applicant, within three months from the date on which the judgment becomes final in accordance with Article 44 § 2 of the Convention, the following amounts, to be converted into the currency of the respondent State at the rate applicable at the date of settlement:
(i) EUR 27,000 (Twenty-seven thousand euros), plus any tax that may be chargeable to the applicant, in respect of costs and expenses;
(b) that from the expiry of the above-mentioned three months until settlement simple interest shall be payable on the above amount at a rate equal to the marginal lending rate of the European Central Bank during the default period plus three percentage points;
4. Dismisses the remainder of the applicant’s claim for just satisfaction.”
Concurring opinion of Judge Koskelo
While the concurring opinion agreed with the outcome of the case, it was of the view that the interference should have been found to be unjustifiable for failing to meet the requirement of being “in accordance with the law”. The concurring opinion noted that: “[T]here is no underlying statutory basis, and the basis in non-statutory law is about as vague as it can get. For the particular database in question, no further legal basis exists.” According to the concurring opinion, clear rules governing the scope of the measures were lacking, and the accessibility and foreseeability of the norms were therefore deficient. This in turn led to a dilution of the relevance and effectiveness of the safeguards against abuse and arbitrariness.
The concurring opinion reiterated the previous jurisprudence of the European Court that “it is not only essential to have clear, detailed rules governing the scope of measures, but also governing safeguards relating to the storage, use, duration of retention, access, as well as procedures for preserving the integrity and confidentiality of data and for their destruction”. The concurring opinion therefore concluded that it would have been more appropriate for the majority to focus its analysis more thoroughly and consistently on the assessment of the “quality of the law” aspect of the case, instead of leaving that issue open and resolving the case on the basis of the assessment of “necessity”.
Please note: The information contained in this note is for general guidance on matters of interest, and does not constitute legal advice. For any enquiries, please contact us at [email protected].
