The Court of Justice of the European Union (CJEU) issued a judgment on Tuesday 20 September (joined cases C-793/19 and C-794/19) in which it ruled that EU law precludes the general and undifferentiated retention of traffic and location data, except in cases of serious threat to national security.
The CJEU had been consulted by the German Federal Administrative Court, which wanted to know whether EU law precluded national legislation such as the German TKG, which has been in force since July 2017. This law requires providers of electronic communications services that are publicly available to retain certain data for a period of several weeks on a “general and undifferentiated” basis for the purpose of combating serious criminal offences or preventing a specific risk to national security.
The German court was asked to rule on the validity of the TKG by the companies SpaceNet and Telekom Deutschland, who challenged its validity. In particular, the court questioned the fact that the retention periods imposed under German law — four weeks for location data and ten weeks for traffic data — were shorter than those of other national regulations that had led to earlier judgments of the CJEU overturning them.
In addition to these shorter retention periods, which could have reduced the possibility of coming to accurate conclusions about the privacy of data subjects, the TKG also includes provisions for protecting retained data from the risks of misuse and unlawful access.
This is not enough for the CJEU, which found that the TKG’s retention obligation extends to a very broad range of data, corresponding to those that resulted in previous judgments. Furthermore, regarding duration, the CJEU ruled that the planned periods of ten and four weeks were long enough to allow precise conclusions to be drawn about people’s private lives, habits, movements, activities or social relationships with a view to establishing an accurate profile of the persons concerned.
While the CJEU found the TKG to be contrary to EU law, it noted that EU law does not preclude national legislation that would allow widespread and undifferentiated data retention to address an “actual, present or foreseeable” serious threat to national security.
Such an injunction, says the CJEU, may be reviewed by a court or by an independent administrative body and can only be issued for a period “limited in time to the strict minimum necessary, but renewable” if the threat persists.
Nor does EU law preclude time-limited national legislation that allows “limited” and targeted retention of traffic data, location data and IP addresses “on the basis of objective and non-discriminatory elements”, according to categories of data subjects or by means of a geographical criterion, for the purpose of safeguarding national security and combating serious crime.
See the judgment: https://aeur.eu/f/36i (Original version in French by Thomas Mangin)