On 6 October 2020, the Court of Justice of the European Union confirmed that EU law precludes national legislation from requiring a provider of electronic communications services to indiscriminately transmit or retain personal data for combating crime or safeguarding national security. However, the CJEU said that where a Member State is facing a genuine, serious threat to national security that is present or foreseeable, the E-Privacy Directive (2002/58/EC), read in the light of the Charter, does not prevent Member States from making an order requiring electronic communications services providers to retain, generally and indiscriminately, traffic and location data. Such an order must, however, be for a limited period and be strictly necessary. It must also be subject to effective review either by a court or by an independent administrative body whose decision is binding. In addition, in those circumstances, the Directive does not preclude the automated analysis of the personal data of all users of electronic communication services (Case C-623/17 Privacy International and Joined Cases C-511/15, La Quadrature du Net, C-512/18 French Data Network and C-520/18 Order des barreaux francophones et germanophone EU:C:2020:790 (6 October 2020)).

By 6 October 2020, the CJEU had already received three other references relating to exceptions to the confidentiality of communications and users’ data. Two were referred by the Bundesverwaltungsgericht (Federal Administrative Court, Germany), before which an appeal on a point of law was brought by the Federal Network Agency against judgments upholding the decisions in cases brought by two internet service providers, in which they had challenged the obligation under German law to store their customers’ telecommunications traffic data from 1 July 2017 (Joined Cases C-793/19 and C-794/19).

The third reference was from the Supreme Court of Ireland, in the context of civil proceedings in which a person convicted of murder and sentenced to life imprisonment challenged the validity of certain provisions of the Irish Communications (Retention of Data) Act 2011 under which telephony data had been retained and made accessible and on which certain incriminating evidence had been based (Case C-140/20).

After considering the CJEU decisions of 6 October 2020, both national courts maintained their references.

Two further references were then made by the Cour de cassation (Court of Appeal, France), which had been asked to rule on a case brought by two people accused of insider dealing and money laundering following investigation by the Autorité des Marchés Financiers (Financial Markets Authority), in which personal data relating to the use of telephone lines, collected on the basis of the Code Monétaire et Financier (Monetary and Financial Code), had been used (Joined Cases C-339/20 and C-397/20).

The Advocate General has now published his Opinion in relation to all five references, stating that in his view, the answers to all the questions referred are already in the CJEU’s case law or can be inferred from them without difficulty.

Joined Cases C-793/19 and C-794/19

The AG says that while recognising the progress made in German legislation, which shows intention to comply with the CJEU’s case law, the general and indiscriminate storage obligation which German legislation still imposes covers a very wide range of traffic and location data. The time limit imposed on that storage does not remedy the issue, since unless the purpose is to protect national security, the storage of electronic communications data must be targeted and cannot be general. In addition, the AG says, in any event access to that data entails a serious interference with fundamental rights to private and family life and the protection of personal data, irrespective of the duration of the period for which access to those data is requested.

Case C-140/20

The AG opined that the general and indiscriminate retention of traffic and location data is justified only in the case of protecting national security, which does not include the prosecution of offences, including serious offences. By permitting, for reasons beyond those inherent in the safeguarding of national security, the preventative, general and indiscriminate retention of traffic and location data of all subscribers for a period of two years, Irish legislation is not complying with the E-Privacy Directive.

Further, access by national authorities to retained data does not appear to be subject to prior review by a court or an independent authority, as required by CJEU case law, but to the discretion of a police officer of a certain rank. The Irish Supreme Court will have to ascertain whether that official satisfies the conditions set out in case law relating to the status of an “independent authority” and whether it is a “third party” in relation to the authority requesting access. The AG also says that that review must take place before, not after, access to the data is granted.

Finally, the AG reiterated that, as set out CJEU case law, a national court cannot limit in time the effects of a declaration of illegality of domestic legislation incompatible with EU law.

Joined Cases C-339/20 and C-397/20

The AG observes that these two cases essentially relate to the issue of whether Member States can impose an obligation to retain electronic communications traffic data in a general and indiscriminate manner. The case involves EU market abuse legislation, but in the AG’s opinion the CJEU’s decision in La Quadrature du Net applies. Further, provisions on the processing of data traffic records set out in the EU market abuse legislation must be interpreted in the light of the E-Privacy Directive, which is the reference standard.

The AG said that none of the relevant market abuse legislation provides for specific and autonomous powers to retain data; they merely authorise competent authorities to access the data retained in existing records, which must have been compiled in accordance with the E-Privacy Directive.

The AG opined that the question concerned records retained in order to combat serious crime and to safeguard public security, which could not be assimilated into those retained in a preventative, generalised and indiscriminate basis for the defence of national security without upsetting the delicate balance underpinning the judgment in La Quadrature du Net. Accordingly, national legislation which requires electronic telecommunications undertakings to retain traffic data on a general and indiscriminate basis in the context of an investigation into insider dealing or market manipulation and abuse is contrary to EU law. Again, limiting the time the data is kept does not remedy the incompatibility. (Joined Cases C-793/19 SpaceNet and C-794/19 Telekom Deutschland and Case C-140/20 Commissioner of the Garda Síochána (18 November 2021) — to read the Opinion in full, click here; Joined Cases C-339/20 VD and C-397/20 SR (18 November 2021) — to read the Opinion in full, click here).