Better Late than Never: Blanket Data Retention Struck Down at Last by the Portuguese Constitutional Court

The usually placid waters of the Portuguese legal order were shaken in mid-April 2022 by a judicial ruling with the potential to trigger a tsunami of criminal convictions reversions, which is already provoking a backlash on the investigation and repression of serious criminal offences committed online. In Case 268/2022, several provisions of the so-called “metadata law” (Law 32/2008), originally adopted to transpose the contentious EU data retention directive (Directive 2006/24/CE), were declared unconstitutional by the Portuguese Constitutional Court (PCC) as they breach the constitutional rights to privacy, data protection and to an effective legal remedy, as interpreted in accordance with the Charter of Fundamental Rights of the European Union (Charter). The ruling caused shock waves across the political spectrum and triggered a constitutional crisis (of sorts), with both the President of the Republic and the Prime Minister hinting on media outlets at the need of a mooted constitutional amendment in a field pre-empted by EU law. The Attorney General went as far as arguing the nullification of the ruling, an unprecedented request promptly dismissed by the PCC on procedural and material grounds (Case 382/2022).
Eight years into the data retention saga initiated with the landmark Digital Rights case at the Court of Justice, one first has to wonder why it took so long to remove from the books provisions stemming from what was once described by the then European Data Protection Supervisor as the “the most privacy-invasive instrument ever adopted by the EU in terms of scale and the number of people it affects”.
Ironically, much of the blame for the delay rests with the PCC itself. On 13 July 2017 (Case 420/2017), in a Chamber’s decision on an appeal from a lower court ruling that refused access to personal communications metadata in a child pornography case on grounds of unconstitutionality, the Court upheld the validity of untargeted retention of basic data, namely the name and address of the subscriber or registered user to whom an Internet Protocol (IP) address was allocated at the time of the communication. In a blatant breach of its obligation to refer a preliminary question to the Court of Justice (Article 267 (3) of the Treaty on the Functioning of the European Union), it considered basic data – in which contentiously includes dynamic IP addresses – to be outside the scope of the Digital Rights reasoning against the lawfulness of bulk retention of metadata, a matter the Court of Justice only dealt with in La Quadrature du Net, in October 2020. Neglecting the fact that any national rules on data retention necessarily fall within the scope of Article 15 (1) of the E-Privacy Directive (Directive 2002/58), and must therefore conform to the requirements of the Charter as interpreted by the Court of Justice (see Tele 2), the PCC declared it was not bound by the latter’s case law and would, therefore, follow an autonomous hermeneutic path based on national, European and international fundamental rights parameters. The PCC went as far as relying on the controversial soft law guidelines enacted in 15 December 2015 by the Public Prosecutor’s Cybercrime Office, which, beyond concluding (against all evidence) that the Digital Rights ruling should not impair the bulk retention of metadata under Law 32/2008, stated, in an unbased Orwellian securitarian drift ostensibly aimed at criticizing the Court of Justice’s case law, that “data retention must be indiscriminate, on the one hand, and must include all citizens, on the other”.
The 13 July 2017 PCC ruling strongly empowered the unfettered application of provisions manifestly in breach of EU constitutional law. An ever-increasing reliance on metadata by criminal investigation authorities combined with judicial, administrative and legislative inaction created a perfect storm responsible for 163 000 judicial metadata requests to telecommunications operators recorded alone in 2020. This trend was not reversed by the Portuguese Data Protection Authority, despite it having declared on 18 July 2017 that it would not enforce penalties on telecommunication operators that decided to forego their obligations to retain personal data under the metadata law. This was an essentially hollow statement, as only after the PCC ruling of April 2022 did the Authority decide to use its corrective powers granted by the General Data Protection Regulation (GDPR) to impose on the telecommunication operators the deletion of data retained under the metadata law. Pledges for the amendment of the latter made in May 2017 by the Portuguese Data Protection Authority (Deliberation 641/2017) and in January 2019 by the Ombudsman went completely ignored by the legislative branch. The Portuguese Parliament even expanded the law’s reach in November 2021 to include access to retained data in credit card fraud cases (Law 79/2021). At the federal level, the European Commission stubbornly refused to take any action against the Portuguese State (or for that matter against the multitude of Member States still enforcing unlawful data retention schemes). It was against this increasingly bleak legal background that the Ombudsman, asked in December 2017 by a privacy advocacy group (D3), requested to the PCC the abstract constitutional review of the metadata law in an exceptionally well-reasoned legal opinion delivered in 16 September 2019.
The 19 of April 2022 ruling is arguably the most compelling ever adopted by the PCC concerning the relation between EU and national constitutional law (an English translation is in order). It is a 11 to 1 decision which, without ever admitting it (this is possibly the only major flaw of the judgment), in effect reverses its previous case law solving the conundrum posed by the unlawful resilience of the Portuguese data retention legal framework. The ruling is straightforward. The Court recognizes the regulation of data retention as falling within the scope of the Charter, and thus subjected to a constitutional review within the parameters set by the (ever abundant) Court of Justice’s case law on data retention. The metadata law was found to have two major structural flaws – both missed by the 2017 ruling of the PCC. Firstly, by not requiring metadata to be retained in the EU it jeopardizes both the exercise of data subjects’ rights, as well as the effectiveness of data protection authorities’ powers under the GDPR. Secondly, by not requiring data subjects to be notified their data were being shared with public authorities it effectively impairs access to legal remedies against unlawful access to personal data. Both legal requirements were established by the Court of Justice in Tele 2 (paras. 121-122). Although these flaws would be enough to strike down the metadata law in totum, the PCC also reviewed the lawfulness of data retention, only admitting, in line with the Luxembourg court, the bulk retention of basic civil identity data (La Quadrature du Net, para. 159), and, in cases concerning serious criminal offenses, such as child pornography (La Quadrature du Net, para. 154), the blanket retention of static and dynamic IP addresses – the latter of which the Court now conceptually acknowledges may well be qualified as traffic data, as stated in the German Federal Constitutional Court ruling of 17 July 2020. It is to some extent troublesome that the legislators who drafted the data retention proposals currently pending in the Portuguese Parliament did not take enough stock of the carefully crafted reasoning of the PCC on the extent of the legislative restrictions to the principle of confidentiality authorized on Member States by Article 15 of the E-privacy Directive. The extent of gap will be tested very shortly at the PCC, as the President of Republic already declared it will request the preventive (a priori) review of the constitutionality of the amended data retention legal framework.
When reviewing the metadata law, the PCC had essentially two options. It could have dismissed the case arguing it could not address the constitutionality of provisions which, as the Ombudsman recognized in its request, are inapplicable in the Portuguese legal order, as they manifestly breach the Charter. Such a constitutional review could theoretically be observed as hypothetical, similarly to the review of legal provisions revoked before entering into force. The PCC wisely pursued a different path. Even if the metadata law provisions were inapplicable in the domestic realm, they organically stemmed from a national source of law whose formal validity could never be affected by a ruling of the Court of Justice – EU law, as the PCC refers quoting the Spanish Constitutional Court’s Declaration 1/2004 (Constitutional Treaty), has primacy but not supremacy over national law (i.e. it trumps but does not revokes national law). That meant that the contested provisions on data retention could only be revoked by the Portuguese Parliament or by the PCC in an abstract review procedure. Given that the metadata law was being profusely applied in the Portuguese legal order (including by the PCC), the question could not be said to be (factually) hypothetical. Under the duty of sincere cooperation (Article 4 (3) of the Treaty of the European Union), the PCC was then obliged to do everything within its means to secure the uniform application of EU law in the Portuguese legal order. It followed this obligation by interpreting the relevant fundamental rights provisions of the Portuguese Constitution in accordance with the Charter, as interpreted by the Court of Justice – I fail to understand the criticism of six justices in a concurring vote on the use of the principle of consistent interpretation instead of the direct application of the Charter in a case that exclusively revolved around the technical revocation of inapplicable provisions of national law breaching EU constitutional law and, a fortiori, the Portuguese Constitution. The hermeneutic path taken by the PCC is, moreover, perfectly aligned with the obligation to apply EU law provisions in the conditions prescribed by EU law, which is based on the pluralistic constitutional assumption of the existence of a systemic compatibility regarding the protection of fundamental rights between the Portuguese and the European constitutional orders (Article 8 (4) of the Portuguese Constitution). Such a path obviously precluded the possibility of a decision on the limitation of the ruling’s effects, including those concerning res judicata (Article 282 (3) of the Portuguese Constitution), as the PCC expressly acknowledged by invoking, in Case 382/2022, the 5 April 2022 Commissioner of An Garda Síochána ruling of the Court of Justice.
In a nutshell, the PCC limited itself in Case 268/2022 to certify the obituary of provisions which (legally) were already dead in the water. Better late than never.