January 16, 2017

In its judgment in Digital Rights Ireland, the Court of Justice of the European Union found that the Data Retention Directive (2006/24/EC) was invalid.

There were two cases before the CJEU (from Sweden and the UK) on whether national legislation that imposed a general obligation on telecommunication service providers to retain data relating to electronic communications was compatible with EU law or not (in particular the e-Privacy Directive (2002/58/EC) and the EU Charter of Fundamental Rights).

The first involved the Swedish telecommunications provider, Tele2 Sverige, which, following the decision in Digital Rights Ireland, notified the Swedish post and telecommunications authority of its decision to cease retaining data and of its proposal to delete the data already registered. Swedish law requires providers of electronic communication services to retain certain personal data of their subscribers.

The second involved the judicial review proceedings brought by British MPs, Tom Watson and David Davis, challenging the validity of data retention powers under s 1 of the Data Retention and Investigatory Powers Act 2014, which allowed the Home Secretary to require public telecommunications operators to retain communications data (other than the actual content of any communication) for a maximum period of 12 months. That legislation has now expired and has been replaced by the Investigatory Powers Act 2016, which contains a similar requirement.

The CJEU found that, in accordance with its own case-law, the protection of the fundamental right to respect for private life requires that derogations from the protection of personal data that allow the retention of data and access to retained data should apply only insofar as is “strictly necessary”.

In the CJEU’s view, the retained data in question, taken as a whole, was liable to allow very precise conclusions to be drawn concerning the private lives of the persons to whom the data belonged. Further, any interference by national legislation to the right to private life must be considered “particularly serious”. The fact that data was retained without the users of electronic communications services being informed was likely, the CJEU said, to cause the persons concerned to feel that their private lives were the subject of constant surveillance. Consequently, “only the objective of fighting serious crime is capable of justifying such interference”.

Legislation that prescribes a general and indiscriminate retention of data and does not require any relationship between the data retained and a threat to public security and is not restricted to retaining data pertaining to a particular time period and/or geographical area and/or a group of persons likely to be involved in a serious crime, exceeds the limits of what is strictly necessary and cannot be justified within a democratic society, the CJEU said.

However, the CJEU said, the Directive does not preclude national legislation from imposing a targeted retention of data for the purpose of fighting serious crime, provided that such retention is, with respect to the categories of data retained, the means of communication affected, the persons concerned and the retention period adopted, limited to what is strictly necessary. Any national legislation to that effect must be “clear and precise” and must provide for sufficient guarantees against the risk of misuse. Further, such legislation must indicate in what circumstances and under which conditions a data retention measure may, as a preventative measure, be adopted, thereby ensuring that the scope of that measure is, in practice, actually limited to what is strictly necessary. In particular, such legislation must be based on objective evidence, which makes it possible to identify the persons whose data is likely to reveal a link with serious criminal offences, to contribute to fighting serious crime or to preventing a serious risk to public security.

As regards access by national authorities to retained data, the CJEU confirmed that national legislation must also set out “substantive and procedural conditions” based on objective criteria governing such access. Access can, as a general rule, be granted, in relation to the objective of fighting serious crime, only to the data of individuals suspected of planning, committing or having committed a serious crime or of being implicated in one way or another in such a crime. However, in particular situations, where for example vital national security, defence or public security interests are threatened by terrorist activities, access to the data of other persons might also be granted where there is objective evidence from which it can be inferred that that data might, in a specific case, make an effective contribution to combating such activities.

Further, the CJEU said that it is essential that access to retained data should, except in cases of urgency, be subject to prior review carried out by either a court or an independent body. In addition, national authorities to whom access to retained data has been granted must notify the persons concerned.

Finally, given the quantity of retained data, the sensitivity of that data and the risk of unlawful access to it, national legislation must make provision for that data to be retained within the EU and for the irreversible destruction of the data at the end of the retention period. (Joined Cases C-203/15 Tele2 Sverige AB v Post-och telestyrelsen and C-698/15 Secretary of State for the Home Department v Tom Watson — to access the judgment in full, go to the curia search form, type in the case number and follow the link).