In his Opinion delivered on Wednesday 15 January, Advocate General Manuel Campos Sánchez-Bordona of the Court of Justice of the European Union recommends that the judges should oppose British, Belgian and French legislation based on “generalised and undifferentiated” data retention. His Opinion may further complicate negotiations in the Council of the EU on the reform of the directive on privacy and electronic communications (2002/58/CE).
The Advocate General gave his opinion on four references for a preliminary ruling (case C-623/17, and joined cases C-511/18, C-512/18 and C-520/18) where the requirement to protect privacy on the internet and the need to retain personal data for national security reasons conflict with each other. These references concern the legitimacy of the regulations in the United Kingdom, Belgium and France, which require telecoms operators to retain their customers' log-in data for a maximum period of one year for reasons of national security.
Opposed to widespread and undifferentiated retention
In his Opinion, the Advocate General recommends confirming the Court’s case law from the Tele2 judgment, according to which member states may not impose a general and undifferentiated retention requirement on providers of electronic communications services (see EUROPE 11694/16). However, Campos Sánchez-Bordona did acknowledge that a requirement to retain data in order to safeguard national security and combat crime was useful, provided that it was “limited and differentiated”. In his view, the requirement should only involve specific categories of data that are absolutely essential for effectively preventing and controlling crime and for safeguarding national security for a specific period of time, differentiated according to each category. Access to this type of data must be also be restricted. This means that the requirement to retain data must be subject to a number of actions: prior checking by a court or an independent administrative body, the requirement to inform data subjects, provided that this does not jeopardise ongoing investigations, and the adoption of regulations to prevent misuse of the data and unlawful access to it.
Against that background, the Advocate General concludes that the British, French and Belgian regulations are in conflict with the directive on privacy and electronic communications (ePrivacy).
Member states are trying to introduce a new legal basis for ePrivacy
It should be noted that, in 2017, the European Commission suggested reviewing this directive and replacing it with a regulation. Since then, several member states have tried to introduce a new legal basis for data retention in this document (see EUROPE 12375/11), even though the Commission has not opened this area for discussion again.
Diego Naranjo, Head of Policy at EDRi, the European Digital Rights organisation, said that “once again, the Advocate General of the CJEU strongly defended the right to privacy and stated that the indiscriminate retention of all traffic and location data of all subscribers and registered users was disproportionate”. (Original version in French by Sophie Petitjean)