General data retention obligation once again under legal crossfire

The difficult history behind the data retention legislation, i.e., Data Retention Directive 2006/24, at both European and national levels is quite known.

This legislation, which obliges telecom providers to store and retain traffic- and location data on electronic communications for purposes of investigating and fighting crime, was declared invalid by the Court of Justice of the European Union (“CJEU”) in 2014 (CJEU 8 April 2014, C-293/12 and C-594/12, “Digital Rights”). After that, the Constitutional Court of Belgium declared the Belgian instrument implementing that directive invalid as well (Constitutional Court 11 June 2015, 84/2015). Contrary to the EU legislature, the Belgian lawmaker took action immediately afterwards by promulgating a new law (i.e., the Act of 29 May 2016 on the collection and retention of data in the electronic communications sector, Belgian Official Journal 18 July 2017) that intends to remedy the concerns expressed by the courts. This new Act of 29 May 2016 is now under fire again as the CJEU has criticized data retention legislation once more.

What triggered this new decision by the CJEU was the prevailing uncertainty about the implications of the previous judgment on the Digital Rights case. Following that case, the Swedish telecom provider Tele2 Sverige refused to retain data according to the Swedish data retention legislation. It based its argument on the fact that the Swedish data retention legislation imposed a general data retention obligation in violation with European law as was decided by the Court. However, the Digital Rights judgment did not necessarily seem to preclude a general obligation to retain traffic- and location data on electronic communications if the data retention period, access to the data, and data security are strictly regulated. The Swedish court therefore found it necessary to ask the CJEU to express itself on the compatibility of a Member State’s general data retention obligation with EU law.

On 21 December 2016, the CJEU stated very straightforwardly that an undifferentiated retention of all traffic- and location data gathered on users of electronic communication means violates EU law. First, the Court states that the e-Privacy Directive aims to protect users of electronic communications against the increasing possibilities of automated retention and processing of data. Thus, this Directive states that retention of traffic data is only allowed for marketing and billing purposes. Exceptions to the prohibition of retention are provided, however, for the detection, investigation, and prosecution of crime, for example. However, according to the CJEU, these exceptions should not become the rule.

Traffic- and location data, when taken as a whole, allow one to draw very precise conclusions about the private lives of the data subjects (such as their everyday habits, permanent or temporary places of residence, daily or other movements, the activities they carried out, the social relationships of those persons, and their social environments). Therefore, the general retention of those data constitutes a particularly serious interference in the private lives of the user-data subjects. What is new is that the CJEU considers expressly Article 11 of the Charter of Fundamental Rights of the European Union (“EU Charter”) in this judgment as well: the retention of traffic and location data can also have an effect on the use of electronic communication means and, consequently, on the exercise of the freedom of expression by the users thereof.

The CJEU therefore held that the national legislature may only impose a strictly necessary data retention obligation for traffic- and location data. Only the fight against serious crime, such as organized crime and terrorism, could justify such obligation. The CJEU acknowledges expressly that the fight against serious crime substantially depends on the use of modern investigation techniques. However, public interest grounds cannot justify a general and undifferentiated retention of all data, according to the CJEU. The retention obligation must therefore be limited to data that have a link to serious criminality and should further be based on an objective set of criteria. The CJEU talked about a geographic area with a high risk for serious criminality as an example of limiting data retention. Furthermore, the CJEU requires that judicial oversight be given on the access to these data, the retention of these data on EU-territory, and the irreversible deletion/destruction of the data after the retention period expires. The Court did not answer the question whether Article 7 (privacy) and Article 8 (protection of personal data) of the EU Charter have therefore a wider scope of protection than Article 8 of the European Convention on Human Rights.

The strong opinion of the CJEU is remarkable, as it does not leave any margin for compensating the far-reaching interference with privacy by setting very strict safeguards. Hardly ever has the CJEU stated so straightforwardly that a certain manner of working cannot be tolerated in any way. This far-reaching decision of the CJEU constitutes a fait accompli for the Belgian legislature. Currently, Belgium still has a general data retention obligation (Article 126, §1 Electronic Communications Act). The new Belgian data retention act (i.e., Act of 29 May 2016 mentioned above) attaches strict conditions to the retention of and access to stored data and thus constitutes a very meritorious attempt to reconcile and balance all interests. However, on the basis of the CJEU decision, this seems to be insufficient. Moreover, the criteria put forward by the CJEU for differentiated data retention seem difficult to convert into workable and efficient practice guidelines.

The Court concludes that the data retention obligation is incompatible with EU law only on grounds of Article 15 of the e-Privacy Directive. In that regard, amending this Directive, which is currently ongoing (see the Proposal for a Regulation on Privacy and Electronic Communications, published on 10 January 2017), could put things in a different light. However, the CJEU reads this Article 15 in the light of the fundamental rights to privacy, protection of personal data, and freedom of expression (i.e., Articles 7, 8, and 11 of the EU Charter, respectively). It is mainly these considerations, based on the fundamental rights, that prompted the CJEU to conclude that a general data retention obligation is incompatible with EU law, thus not leaving so much room even at European level.

It now has to be awaited how data retention legislation will further develop. To be continued...  

The case (C-203/15) can be found here