On 21 December 2016 the Court of Justice of the European Union provided its Judgment in Joined Cases C-203/15 Tele2 Sverige AB v Post-och telestyrelsen and C-698/15 Secretary of State for the Home Department v Tom Watson and Others prohibiting the application of Member State laws that call for general and indiscriminate electronic communications data retention.
Following the CJEU’s 2014 invalidation of Directive 2006/24/EC, better known as the Data Retention Directive and within the legal context of the ePrivacy Directive 2002/58 and the Charter of Fundamental Rights, the EU’s highest Court has established that electronic communications providers cannot be obliged under national laws to retain data indiscriminately. The decision clarifies conditions for the retention of and access to data and sets forth obligations for high-level data privacy standards when data is retained. Specifically, the Court has noted that data retention must be “strictly necessary”, for the purpose of combating crime, that Member State legislation provides for data to be subject to the review of an independent authority and retained within the European Union, and that such data is necessarily destroyed at the conclusion of the established period of retention.
1. Scope of data retention: The CJEU clarifies that national legislation on targeted data retention is within the scope of the Directive and that such targeted data retention for law enforcement purposes is allowed when the legislation provides adequate guarantees and safeguards against possible misuse of the data. Essentially the Court states that Member State laws must clearly outline both the conditions and circumstances when data protection is permitted as a preventive measure, limiting such a measure to what is “strictly necessary”. Furthermore, “the national legislation must be based on objective evidence which makes it possible to identify a public whose data is likely to reveal a link, at least an indirect one, with serious criminal offences, and to contribute in one way or another to fighting serious crime or to preventing a serious risk to public security.”
2. Data location (EU): National legislation shall require data to be retained within the European Union.
3. Law Enforcement Access: With regards to the important issue of Law Enforcement Access, the Court established that national legislation must necessarily establish the conditions regulating such access to the retained data based on “objective criteria, that establish a connection between the data to be retained and the objective pursued”. This is particularly important with reference to national security and terrorist threats where it states that only access to “the data of individuals suspected of planning, committing or having committed a serious crime or of being implicated in one way or another in such a crime” may be accessed, recognising, however, that in specific cases of national security and terrorist threats, access to data of other individuals may be permitted when there is “objective evidence” that such data will contribute to fighting such crimes.
4. Prior review by either a court or an independent body: Perhaps most importantly, the Court has stated that except in cases of great urgency, access to data should be approved by an independent body or court and that the persons concerned are notified of such access.
5. Destruction: In order to avoid unlawful access to the retained data, according to the judgement, it is necessary that Member States provide for data retention within the area of the EU and that the data is destroyed at the conclusion of the established period of retention.
This judgment will undoubtedly have important consequences on Member States which are now called to revise their national legislation in order to make sure that it complies with specific criteria set forth by the Court. Failure to so will in fact expose such legislation to actions for its invalidation. In a world where citizens’ personal data are often indiscriminately retained in the name of national security, this is a fundamental decision to reaffirm the citizens’ right to privacy and to clarify the extension of possible exception to it.
The full text of the judgement can be read here.