The Court of Justice of the European Union (“the Court”) has issued a second judgment on the compatibility of data retention measures with the fundamental rights of persons guaranteed by the Charter of Fundamental Rights of the EU. The joint cases of Watson (C-203/15) and Tele2Sverige (C-698/15) have confirmed the previous findings of the Court in the case of Digital Rights Ireland (DRI).

In the aftermath of the invalidation of the Data Retention Directive in the DRI judgment, most of the national laws transposing the Directive were kept in force by invoking an exception provided under the Privacy Directive. In doing so, Member States failed to abide by the general principles of Community law, and in turn, the respect of fundamental rights.

The Tele2Sverige case was initiated by a telecommunications service provider that followed the Court’s decision in DRI and stopped to retain data, because it considered that the national law was in breach of EU law. The Swedish authorities did not agree with this interpretation and the Court was thus given the opportunity to clarify the relationship between national data retention law and EU law.

The Watson Case on the other hand originates in the UK, and refers to the UK Data Retention and Investigatory Powers Act 2014 (DRIPA).

In summary, the Court found that national legislation which, for the purpose of fighting crime, allows general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication, is in breach of Article 7 (Right to Private Life), Article 8 (Right to the Protection of Personal Data) and Article 11 (Right to Freedom of Speech) of the Charter of Fundamental Rights of the EU.

Moreover, the Court found that national legislation in the field of the Privacy Directive regulating the access of competent national authorities to retained data is incompatible with the three fundamental rights mentioned above, as long as:

1. the objective pursued by that access, in the context of fighting crime, is not restricted solely to fighting serious crime;
2. access is not subject to prior review by a court or an independent administrative authority; and
3. there is no requirement that the data concerned should be retained within the European Union.

The judgment highlighted the following issues:

(1) Indiscriminate retention of metadata interferes with freedom of speech

The Court of its own motion looked at the compliance of national data retention measures and emphasised that the importance of freedom of expression must be taken into consideration when interpreting Article 15(1) of the Privacy Directive “in the light of the particular importance accorded to that freedom in any democratic society”. That fundamental right constitutes one of the essential foundations of a pluralist, democratic society, and is one of the values on which the European Union is founded.

(2) The exception to the “principle of confidentiality” must not become the rule

The Court referred several times to the “principle of confidentiality of communications”. It explained that “as a general rule, any person other than the users is prohibited from storing, without the consent of the users concerned, the traffic data related to electronic communications.” The only exceptions relate to lawfully-authorised persons and to the technical storage necessary for conveyance of a communication.

The Court also affirmed that the retention of traffic data is permitted only to the extent and time necessary for the billing and marketing of services and the provision of value added services.

(3) A very far-reaching and particularly serious interference

The Court observed that the national data retention law at issue in the main proceedings “provides for a general and indiscriminate retention of all traffic and location data … and that it imposes on providers of electronic communications services an obligation to retain that data systematically and continuously, with no exceptions”.

The Court further emphasised that this kind of undiscriminating gathering of data represents a “very far-reaching” and “particularly serious” interference in the fundamental rights to private life and protection of personal data. Moreover, “the fact that the data is retained without the subscriber or registered user being informed is likely to cause the persons concerned to feel that their private lives are the subject of constant surveillance”.

The Court noted that such a far-reaching interference can only be justified by the objective of fighting serious crime but that this does not justify in itself “general and indiscriminate retention of all traffic and location data”. The measures must thus be strictly necessary to achieve this objective.

(4) Targeted data retention is permissible subject to certain conditions

Fundamental rights do not prevent a Member State from adopting legislation permitting, as a preventive measure, the targeted retention of traffic and location data, for the purpose of fighting serious crime. However the retention of data must be limited to what is strictly necessary, with respect to:

1. the categories of data to be retained;
2. the means of communication affected;
3. the persons concerned; and
4. the retention period adopted.

In addition, such legislation must:

• lay down clear and precise rules governing its scope and application while imposing minimum safeguards against misuse;
• indicate in what circumstances and conditions a data retention measure may be adopted as a preventive measure;
• be restricted to the retention of data pertaining to a particular time period and/or geographical area and/or group of persons likely to be involved in a serious crime, or persons who could, for other reasons, contribute to fighting crime;
• meet objective criteria that establish a connection between the data to be retained and the objective pursued;
• be based on objective evidence which makes it possible to identify a public whose data is likely to reveal a direct or indirect link with serious criminal offences, and to contribute to fighting serious crime or preventing a serious risk to public security;
• lay down clear, precise and binding rules indicating the circumstances and conditions under which providers of electronic communications services must grant the competent national authorities access to the data;
• lay down the substantive and procedural conditions governing the access of the competent national authorities to the retained data;
• provide that data must be retained within the European Union;
• provide for the irreversible destruction of the data at the end of the data retention period;
• Ensure adequate review by an independent authority ensuring the level of protection guaranteed by EU law.

For more information or if you have any questions, please feel free to contact Dr Ian Gauci on igauci@gtgadvocates.com

Disclaimer: This article is not intended to impart advice and readers are asked to seek verification of statements made before acting on them.