CJEU Confirms – No General Data Retention Allowed

On 21 December 2016, an important decision came from the Court of Justice of the European Union (CJEU). In joined cases, C-203/15 Tele2 Sverige AB v Post-och telestyrelsen and C-698/15 Secretary of State for the Home Department v Tom Watson and Others, (full case and press release) the court ruled against general data retention while allowing it in specific and controlled conditions. It said:

EU law precludes a general and indiscriminate retention of traffic data and location data, but it is open to Members States to make provision, as a preventive measure, for targeted retention of that data solely for the purpose of fighting serious crime, provided that such retention is, with respect to the categories of data to be retained, the means of communication affected, the persons concerned and the chosen duration of retention, limited to what is strictly necessary. Access of the national authorities to the retained data must be subject to conditions, including prior review by an independent authority and the data being retained within the EU.

The present judgment is a continuation of a saga that goes back to September 11, 2001. In the wake of the attacks on the United States, the governments on both sides of the Atlantic introduced measures to combat the perceived threat of terror. Among these measures were the EU 2006 Data Retention Directive. The directive required storing of telecommunications data for a period between 6 and 24 months. The data stored was ‘metadata’, i.e. information on what was accessed on the Internet or what telephone numbers have been dialled and when, not the actual copies of information.

In joined cases C-293/12 and C-594/12 Press and Information Digital Rights Ireland and Seitlinger and Others (press release available here), the Court declared the Directive to be invalid, saying that it

entails a wide-ranging and particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data, without that interference being limited to what is strictly necessary

The main argument for invalidation was that the Directive was not compatible with the European Convention on Human Rights (ECHR). The result was only that the 2006 Directive had been made invalid, but nothing specific was said about whether Member States’ data retention laws are incompatible with other EU laws.

Following the invalidation of the 2006 Directive, a number of Member States retained laws that operated, essentially, on the basis of the Directive. In Sweden, the law required operators of electronic communications services to retain traffic and location data while laws in the UK required data retention for periods up to 12 months. The two joined cases referred to here relate to Swedish and UK laws, respectively.

Since the directive which provided a basis for data retention had been made invalid, the fallback provision is Article 15 of the ePrivacy Directive, which allows for rules of the 1995 Data Protection Directive to be derogated from when required by “national security (i.e. State security), defence, public security, and the prevention, investigation, detection and prosecution of criminal offences”. The question referred to CJEU by the Swedish court asks, essentially, whether general data retention obligation (i.e. an obligation to retain all data, without a specific purpose of threat) is compatible with Article 15 and with Articles 7 and 8 and Article 52(1) of the Charter of Fundamental Rights. If the answer is no, the second question asks whether retention may be, nevertheless, permitted in certain specific cases (“targeted retention”). The UK court’s reference is conceptually slightly different. It is asking if the 2014 Digital Rights Ireland judgment (invalidating the 2006 Directive) also introduces “mandatory requirements of EU law applicable to a Member State’s domestic regime governing access to data retained in accordance with national legislation, in order to comply with Articles 7 and 8 of the Charter.”

The Court ruled that Article 15 of the ePrivacy Directive, read in light of Article 7, 8 and 11 of the Charter, precludes

general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication.

Ruling on where and how such retention may still be legal, it said that this is so

where the objective pursued by that access, in the context of fighting crime, is not restricted solely to fighting serious crime, where access is not subject to prior review by a court or an independent administrative authority, and where there is no requirement that the data concerned should be retained within the European Union.

In other words, general data retention is illegal, specific data retention is allowed in cases where serious crime fighting requires so, where there is judicial oversight and where such data is not transferred out of the EU.

The main position of the Court is that, absent specific legislation on data retention, the provisions of the ePrivacy Directive must be interpreted narrowly. In analysing the case, the Court pointed out that the conditions of Article 15 of the ePrivacy Directive are exhaustive. Any derogations from the rules protecting privacy must apply only in so far as is strictly necessary. Only the objective of fighting serious crime justifies derogations from general data protection requirements and then only with proper court oversight. Since general data retention does not contain a proper link between data retained and a threat to public security, such retention does not satisfy the conditions. The Court does not preclude data retention in general but allows targeted retention under the conditions discussed.

There is no doubt that the most important point that the CJEU is making is that proper judicial oversight is needed in all cases where government proposes to undermine basic constitutional rights and EU-based privacy rules. As such, the decision is not surprising and is a continuation of the arguments put forward in the Digital Rights case. The decision will have significant impact on the just-adopted UK 2016 Investigatory Powers Bill, which has been heavily criticised.