EU law precludes a general and indiscriminate retention of traffic data and location data, but it is open to Members States to make provision, as a preventive measure, for targeted retention of that data solely for the purpose of fighting serious crime.
This is the general thrust of the decision made on Wednesday 21 December by the Court of Justice of the European Union (joint cases C-203/15 and C-698/15), which defer the conclusions of the Advocate General (see EUROPE 11597).
The judges explain that access of the national authorities to the retained data must be subject to conditions, including prior review by an independent authority and the data being retained on Union territory.
In its Digital Rights Ireland judgement of 2014,1 the Court of Justice declared invalid the directive on the retention of data. After this ruling, Tele2 Sverige and Mr Tom Watson, Mr Peter Brice and Mr Geoffrey Lewis brought actions challenging the UK and Swedish requiring public telecommunications operators to retain all the data relating to communications as stipulated in the invalidated directive.
In its judgement, the Court’s answer is that EU law precludes national legislation that prescribes general and indiscriminate retention of data.
The Court states that, in accordance with its settled case-law, the protection of the fundamental right to respect for private life requires that derogations from the protection of personal data should apply only in so far as is strictly necessary. The Court states that the retained data, taken as a whole, is liable to allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained. The European Court considers , “The interference by national legislation that provides for the retention of traffic data and location data with that right must therefore be considered to be particularly serious.”
The Court argues that this national legislation therefore exceeds the limits of what is strictly necessary and cannot be considered to be justified within a democratic society, as required by the directive, read in the light of the European Charter of Fundamental Rights.
The Court makes clear, however that the directive does not preclude national legislation from imposing a targeted retention of data for the purpose of fighting serious crime, but according to strict conditions.
Regulating competent authorities’ access to data
The Court confirms that all national regulation must include material and procedural conditions governing the access of the national authorities responsible to the retained data. Further, the Court considers that it is essential that access to retained data should, except in cases of urgency, be subject to prior review carried out by either a court or an independent body.
Given the quantity and sensitive nature of the data retained and the risk of illegal access to this data, National rules must ensure that the data is retained on Union Territory and that it is permanently destroyed at the end of the period of retention, concludes the Court.
The Greens/EFA Group at the European Parliament welcomed this verdict, which is described as, “a victory for citizens' rights”. The group also explained that, “The national legislation on anonymous data storage in the UK and Sweden is contrary to European law and both must take urgent action to bring their laws up to speed”. When data retention exceeds what is authorised, “it is a clear breach of the EU Charter of Fundamental Rights”, explained the Greens. (Original version in French by Lionel Changeur)