CJEU Confirms National Data Retention Laws May Only Be Adopted Where “Strictly Necessary”: Court of Justice of European Union
On December 21, 2016 the Court of Justice of European Union (“CJEU”) issued its judgment in Joined Cases C-203/15 and C-698/15, Tele2 /Watson.
The decision considered the legality of UK and Swedish laws permitting the generalized retention of communications metadata (for 6-12 months) for the purposes of prevention, detection or prosecution of crime (not necessarily a “serious” crime). The national laws in question also permitted access to the retained data by law enforcement authorities (“LEAs”).
The CJEU held that the E-Privacy Directive (2002/58/EC) (“EPD”), when read in light of the EU Charter of Fundamental Rights, prohibits national legislation from imposing data retention obligations unless it is “strictly necessary” for the purpose of fighting “serious crime” and that measures allowing for “general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication” are not permitted. The CJEU also held that LEAs can only access the retained data where it is “strictly necessary” for the purpose of fighting serious crime and where such access has been approved following a prior review by a court or an independent authority.
Article 15(1) of the EPD permits Member States to adopt measures requiring communication service providers to retain traffic data, provided the measure “constitutes a necessary, appropriate and proportionate measure to safeguard national security, defence, public security, the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system”.
The Data Retention Directive (2006/24/EC) further imposed an obligation on Member States to adopt laws requiring communication service providers to retain traffic data to make available for the investigation, detection and prosecution of serious crime. However, in 2014 the CJEU ruled that the Data Retention Directive was invalid as it infringed the principle of proportionality and failed to provide sufficient safeguards to protect against public authorities unlawfully accessing retained data (Digital Rights Ireland (Joined Cases 293/12 and 594/12)). Following this decision the question arose as to whether national laws currently in force in Member States imposing data retention obligations were invalid, or whether they could still be permitted under Article 15(1) of the EPD. Sweden’s Stockholm Administrative Court of Appeal and the England and Wales Court of Appeal referred the issue to the CJEU.
The CJEU held that while Article 15(1) of the EPD did permit Member States to impose national measures for the retention of data and for access to the retained data by LEAs, it could only do so provided certain conditions are satisfied. The conditions are as follows:
Conditions for national measures permitting the retention of data:
Data retention obligations must only be adopted when “strictly necessary” for the purposes of fighting crime. The crime in question must be serious crime.
Generalized metadata retention obligations covering an entire population are not permitted. The retention of such data must be targeted to individuals that are either (i) likely to be involved, in one way or another, in a serious crime, or (ii) persons who could, for other reasons, contribute, through their data being retained, to fighting serious crime.
National laws must ensure that the retained data is stored in the EU.
Conditions for national measures permitting LEA access to retained data:
National laws granting LEA access to the retained data must be “strictly necessary” for the purpose of fighting serious crime.
These national laws must lay down “substantive” and “procedural” conditions that govern the access by LEAs to the retained data. National laws giving LEAs access to the retained data are only lawful if:
Access to retained data by LEAs is approved by a prior review carried out by national courts or administrative bodies; and
LEAs notify individuals after their data has been accessed.
The decision is significant, as it calls into question the validity of national data retention laws, not just in the UK and Sweden but across all Member States. Further, while the CJEU’s decision concerns existing UK retention law (the Data Retention and Investigatory Powers Act 2014, ‘DRIPA’), the decision may impact its new replacement, the Investigatory Powers Act 2016.
The cases will now return to the England and Wales Court of Appeal and Stockholm Administrative Court of Appeal, who will apply the CJEU’s decision to the respective cases before them. Based on the CJEU’s ruling, it appears likely that the national courts will find the existing national laws on data retention invalid under EU law.
Gemma Nash is co-author of this article.