The conflict between data protection and data retention is of deep significance, particularly in the wake of terrorist attacks in the last decade.

In 2006, the data retention directive was adopted at EU level, intended to harmonise rules on preservation of data for the purpose of investigating and prosecuting serious crimes. To achieve this, member states had to store electronic telecommunications data relating to traffic and location for at least six months and at most 24 months. Such data was to be made available, on request, to law enforcement authorities; the content of communications was excluded from the data preservation rules.

This directive was, however, invalidated by the Court of Justice of the European Union (CJEU) in 2014 as it was deemed to breach the rights to privacy and data protection. In that ruling, the CJEU considered that the data retention rules laid down in the EU directive failed to respect the principle of proportionality and did not contain the necessary safeguards to protect the fundamental human rights of individuals. Nonetheless, the Court did recognise the importance of data retention in the fight against serious crime and the protection of public security.

Following this judgment, the EU member states acted autonomously. Most of them still implemented data retention schemes at national level. Undoubtedly, to be legal, such schemes must respect the right to privacy and data protection as set out in the EU Charter of Fundamental Rights and in the EU e-privacy directive. Striking the proper balance is by no means straightforward.

In telecommunications, data retention is primarily intended for surveillance. It involves the storage of call detail records, the collection of location data, the logging of e-mails sent and received, and websites visited. The wealth of data that can be gleaned from such traffic plays an important role in criminal investigations.

Both Sweden and the UK adopted national legislation that requires telecommunications companies to retain all their customers’ traffic and location data. In the UK, the Investigative Powers Act, or “snooper’s charter” as it is more commonly called, was challenged before the CJEU in view of the bulk interception of data traffic that was permitted under it.

The challenge was brought by two UK MPs who joined their case with that filed against the Swedish equivalent.

The question put to the Court was whether national legislation on data retention had to meet certain EU standards notwithstanding the absence of any harmonisation rules at EU level. In its recent landmark judgment, the Luxembourg Court ruled that mass retention of data was illegal. Legislation that imposes a blanket obligation on telecommunication companies to retain data is prohibited.

The CJEU considered that the e-privacy directive protects the principle of confidentiality of communications. User consent is required for the interception and surveillance of communications and data traffic. Exceptions are permitted only when national security or national defence are at stake, or for the purpose of the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of electronic communication systems.

Within this context, the Court deemed that holding the data indiscriminately allows the possibility for very precise conclusions to be drawn on the private lives of the persons whose data is retained. According to the Court, this is contrary to EU law as it constitutes an unjustifiable interference in people’s privacy.

The targeted retention of data can only be justified by the objective of fighting serious crime, provided it is limited to what is strictly necessary. However, even if the objective of fighting organised crime and terrorism were being pursued, data retention must be limited by time, geographical area or group of persons likely to be involved or that can contribute to fighting serious crime. Furthermore, the data must be stored within the EU given the risk of unlawful access.

Additionally, access to such data must be restricted solely to the fight against serious crime. The Court held that substantive and procedural rules must be put in place by member states to govern such access, and that it should be subject to prior review by a court or an independent administrative authority.

Affected data subjects must be notified as soon as this would no longer endanger the purpose sought, and the data must be irreversibly destroyed at the end of the retention period.

It remains to be seen how national constitutional courts will implement these strict judicial criteria developed by the CJEU.

jgrech@demarcoassociates.com

Josette Grech is adviser on EU law at Guido de Marco & Associates.
