October 12, 2020
Privacy International in the UK and organisations in France and Belgium brought proceedings in their respective jurisdictions on the lawfulness of legislation adopted by certain Member States obliging providers of electronic communications services to forward users’ traffic and location data to public authorities or to retain such data in a general or indiscriminate way in order to allow the State to combat crime and safeguard national security. In all three sets of proceedings, questions were referred to the CJEU on the interpretation of Articles 1(3) and 15(1) of the E-Privacy Directive (2002/58/EC).
Contrary to various arguments submitted by the parties, the CJEU held that the E-Privacy Directive was applicable to the national legislation concerned. Further, the CJEU said that the Directive does not permit the exception to the obligation of ensuring the confidentiality of electronic communications and related data and to the prohibition on storage of such data to become the rule. Therefore, the Directive does not allow Member States to adopt legislation restricting the rights and obligations it contains for the purposes of national security, unless such measures comply with the general principles of EU law, including the principle of proportionality, and the fundamental rights guaranteed by the Charter.
The CJEU held that in the Privacy International case, the E-Privacy Directive prevents national legislation from requiring providers of electronic communications services to indiscriminately transmit traffic and location data to the security and intelligence agencies for the purpose of safeguarding national security. In the French and Belgian cases, the CJEU held that the Directive prevents Member States from adopting such legislation as a preventative measure. In the CJEU’s view, the imposition of obligations to forward and retain such data in a general and indiscriminate way amounts to a particularly serious interference with the fundamental rights guaranteed by the Charter where there is no link between the conduct of the people whose data are affected and the objective of the legislation in question.
The CJEU also said that Article 23(1) of the General Data Protection Regulation (2016/679/EU), read in the light of the Charter, precludes national legislation requiring communication services and hosting service providers to retain, generally and indiscriminately, personal data relating to those services. However, the CJEU said that where a Member State is facing a genuine, serious threat to national security that is present or foreseeable, the E-Privacy Directive, read in the light of the Charter, does not prevent Member States from making an order requiring electronic communications services providers to retain, generally and indiscriminately, traffic and location data. Such an order must, however, be for a limited period and be strictly necessary. It must also be subject to effective review either by a court or by an independent administrative body whose decision is binding. In addition, in those circumstances, the Directive does not preclude the automated analysis of the personal data of all users of electronic communication services.
The E-Privacy Directive also does not preclude legislative measures allowing targeted retention, limited in time to what is strictly necessary, of traffic and location data, limited also, on the basis of objective and non-discriminatory factors, to certain categories of people or to geographical criterion. Likewise, the Directive does not preclude legislation providing for the general and indiscriminate retention of IP addresses indicating the source of a communication, provided that the retention period is limited to what is strictly necessary. The Directive also does not preclude data retention measures in relation to the identity of users of electronic communication services, such measures not being subject to any specific time limit. Moreover, the Directive does not preclude legislation allowing for the expedited retention of data available to service providers where it becomes necessary to retain that data beyond statutory data retention periods in order to shed light on serious criminal offences or attacks on national security, where such offences or attacks have already been established or where their existence may reasonably be suspected.
In addition, the CJEU held that the Directive does not preclude national legislation requiring providers of electronic communications services to collect traffic and location data in real time if someone is reasonably suspected of being involved in terrorist activities and where it is subject to prior review by either a court or an independent administrative body whose decision is binding to ensure that such real-time collection is authorised only within the limits of what is strictly necessary. In urgent cases, the review must take place promptly.
Finally, the CJEU held that a national court cannot apply a provision of national law empowering it to limit the temporal effects of a declaration of illegality that it is bound to make due to the national legislation being incompatible with the E-Privacy Directive. That said, the CJEU observed that, as EU law currently stands, in criminal proceedings involving people suspected of having committed serious criminal offences, it is for national law alone to determine the rules on the admissibility and assessment of evidence obtained through the retention of data in breach of EU law. However, the CJEU said that the E-Privacy Directive requires national criminal courts to disregard such evidence where the suspects are not in a position to comment effectively on it. (Case C-623/17 Privacy International and Joined Cases C-511/15, La Quadrature du Net, C-512/18 French Data Network and C-520/18 Order des barreaux francophones et germanophone EU:C:2020:790 (6 October 2020) — to read the judgment in full, click here).