CJEU Confirms National Data Retention Laws May Only Be Adopted Where “Strictly Necessary”: Court of Justice of European Union
Monday, January 9, 2017
Internet, CJEU Confirms National Data Retention Laws May Only Be Adopted Where “Strictly Necessary”: Court of Justice of European Union
Print Mail Download i

On December 21, 2016 the Court of Justice of European Union (“CJEU”) issued its judgment in Joined Cases C-203/15 and C-698/15, Tele2 /Watson.

The decision considered the legality of UK and Swedish laws permitting the generalized retention of communications metadata (for 6-12 months) for the purposes of prevention, detection or prosecution of crime (not necessarily a “serious” crime).  The national laws in question also permitted access to the retained data by law enforcement authorities (“LEAs”).

The CJEU held that the E-Privacy Directive (2002/58/EC) (“EPD”), when read in light of the EU Charter of Fundamental Rights, prohibits national legislation from imposing data retention obligations unless it is “strictly necessary” for the purpose of fighting “serious crime” and that measures allowing for “general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication” are not permitted.  The CJEU also held that LEAs can only access the retained data where it is “strictly necessary” for the purpose of fighting serious crime and where such access has been approved following a prior review by a court or an independent authority.

Background

Article 15(1) of the EPD permits Member States to adopt measures requiring communication service providers to retain traffic data, provided the measure “constitutes a necessary, appropriate and proportionate measure to safeguard national security, defence, public security, the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system”.

The Data Retention Directive (2006/24/EC) further imposed an obligation on Member States to adopt laws requiring communication service providers to retain traffic data to make available for the investigation, detection and prosecution of serious crime. However, in 2014 the CJEU ruled that the Data Retention Directive was invalid as it infringed the principle of proportionality and failed to provide sufficient safeguards to protect against public authorities unlawfully accessing retained data (Digital Rights Ireland (Joined Cases 293/12 and 594/12)).  Following this decision the question arose as to whether national laws currently in force in Member States imposing data retention obligations were invalid, or whether they could still be permitted under Article 15(1) of the EPD.  Sweden’s Stockholm Administrative Court of Appeal and the England and Wales Court of Appeal referred the issue to the CJEU.

CJEU decision

The CJEU held that while Article 15(1) of the EPD did permit Member States to impose national measures for the retention of data and for access to the retained data by LEAs, it could only do so provided certain conditions are satisfied.  The conditions are as follows:

Conditions for national measures permitting the retention of data:

  • Data retention obligations must only be adopted when “strictly necessary” for the purposes of fighting crime. The crime in question must be serious crime.

  • Generalized metadata retention obligations covering an entire population are not permitted. The retention of such data must be targeted to individuals that are either (i) likely to be involved, in one way or another, in a serious crime, or (ii) persons who could, for other reasons, contribute, through their data being retained, to fighting serious crime.

  • National laws must ensure that the retained data is stored in the EU.

Conditions for national measures permitting LEA access to retained data:

  • National laws granting LEA access to the retained data must be “strictly necessary” for the purpose of fighting serious crime.

  • These national laws must lay down “substantive” and “procedural” conditions that govern the access by LEAs to the retained data. National laws giving LEAs access to the retained data are only lawful if:

    • Access to retained data by LEAs is approved by a prior review carried out by national courts or administrative bodies; and

    • LEAs notify individuals after their data has been accessed.

Next steps

The decision is significant, as it calls into question the validity of national data retention laws, not just in the UK and Sweden but across all Member States.  Further, while the CJEU’s decision concerns existing UK retention law (the Data Retention and Investigatory Powers Act 2014, ‘DRIPA’), the decision may impact its new replacement, the Investigatory Powers Act 2016.

The cases will now return to the England and Wales Court of Appeal and Stockholm Administrative Court of Appeal, who will apply the CJEU’s decision to the respective cases before them.  Based on the CJEU’s ruling, it appears likely that the national courts will find the existing national laws on data retention invalid under EU law.

Gemma Nash is co-author of this article. 

© 2024 Covington & Burling LLP

Current Legal Analysis

More from Covington & Burling LLP

Standing Issues in Data Breach Litigation: An Overview
by: Priscilla Fasoro , Lauren Wiseman
Financial Agencies Release Joint Statement on Innovative Efforts to Combat Money Laundering and Terrorist Financing
by: Lucille C. Bartholomew
Senate Confirms Kraninger as BCFP Director
by: Luis Urbina
FTC Solicits Public Comment on Identity Theft Detection Rules
by: S. Burr Eckstut
Significant FDA Digital Health Policy Development for Prescription Drug Sponsors
by: Mingham Ji , Christina G. Kuhn
First Significant Pay-to-Play Legislation for the District of Columbia Approved by D.C. Council
by: Kevin Glandon
FTC Settles with PR Firm and Publisher Over Social Media Endorsements
by: Inside Privacy Blog at Covington and Burling
Senate Testimony Highlights Tensions in BSA/AML Reform Efforts as Lawmakers Consider Bipartisan Legislation
by: Sam Adriance
Reprieve in U.S.-China Trade Tensions: U.S. Tariffs on $200 Billion in Chinese Imports to Stay at 10 Percent for 90 Days; China to Purchase U.S. Goods
by: Christopher Adams , John Veroneau
AI Update: FCC Hosts Inaugural Forum on Artificial Intelligence
by: Thomas Parisi

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins