June 19, 2019

June 18, 2019


June 17, 2019


CJEU Confirms National Data Retention Laws May Only Be Adopted Where “Strictly Necessary”: Court of Justice of European Union

On December 21, 2016, the Court of Justice of the European Union (“CJEU”) issued its judgment in Joined Cases C-203/15 and C-698/15, Tele2/Watson.

The decision considered the legality of UK and Swedish laws permitting the generalized retention of communications metadata (for 6-12 months) for the purposes of prevention, detection or prosecution of crime (not necessarily a “serious” crime).  The national laws in question also permitted access to the retained data by law enforcement authorities (“LEAs”).

The CJEU held that the E-Privacy Directive (2002/58/EC) (“EPD”), when read in light of the EU Charter of Fundamental Rights, prohibits national legislation from imposing data retention obligations unless it is “strictly necessary” for the purpose of fighting “serious crime” and that measures allowing for “general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication” are not permitted.  The CJEU also held that LEAs can only access the retained data where it is “strictly necessary” for the purpose of fighting serious crime and where such access has been approved following a prior review by a court or an independent authority.

Background

Article 15(1) of the EPD permits Member States to adopt measures requiring communication service providers to retain traffic data, provided the measure “constitutes a necessary, appropriate and proportionate measure to safeguard national security, defence, public security, the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system”.

The Data Retention Directive (2006/24/EC) further imposed an obligation on Member States to adopt laws requiring communication service providers to retain traffic data to make available for the investigation, detection and prosecution of serious crime. However, in 2014 the CJEU ruled that the Data Retention Directive was invalid as it infringed the principle of proportionality and failed to provide sufficient safeguards to protect against public authorities unlawfully accessing retained data (Digital Rights Ireland (Joined Cases 293/12 and 594/12)).  Following this decision the question arose as to whether national laws currently in force in Member States imposing data retention obligations were invalid, or whether they could still be permitted under Article 15(1) of the EPD.  Sweden’s Stockholm Administrative Court of Appeal and the England and Wales Court of Appeal referred the issue to the CJEU.

CJEU decision

The CJEU held that while Article 15(1) of the EPD did permit Member States to impose national measures for the retention of data and for access to the retained data by LEAs, they could only do so provided certain conditions are satisfied. The conditions are as follows:

Conditions for national measures permitting the retention of data:

  • Data retention obligations must only be adopted when “strictly necessary” for the purposes of fighting crime. The crime in question must be serious crime.

  • Generalized metadata retention obligations covering an entire population are not permitted. The retention of such data must be targeted at individuals who are either (i) likely to be involved, in one way or another, in a serious crime, or (ii) persons who could, for other reasons, contribute, through their data being retained, to fighting serious crime.

  • National laws must ensure that the retained data is stored in the EU.

Conditions for national measures permitting LEA access to retained data:

  • National laws granting LEA access to the retained data must be “strictly necessary” for the purpose of fighting serious crime.

  • These national laws must lay down “substantive” and “procedural” conditions that govern the access by LEAs to the retained data. National laws giving LEAs access to the retained data are only lawful if:

    • Access to retained data by LEAs is approved by a prior review carried out by national courts or administrative bodies; and

    • LEAs notify individuals after their data has been accessed.

Next steps

The decision is significant, as it calls into question the validity of national data retention laws, not just in the UK and Sweden but across all Member States.  Further, while the CJEU’s decision concerns existing UK retention law (the Data Retention and Investigatory Powers Act 2014, ‘DRIPA’), the decision may impact its new replacement, the Investigatory Powers Act 2016.

The cases will now return to the England and Wales Court of Appeal and the Stockholm Administrative Court of Appeal, which will apply the CJEU’s decision to the respective cases before them. Based on the CJEU’s ruling, it appears likely that the national courts will find the existing national laws on data retention invalid under EU law.

Gemma Nash is co-author of this article. 

© 2019 Covington & Burling LLP



About this Author

Joseph Jones, Covington, Copyright and trademark attorney
Associate

Joe Jones is an associate in the technology and media practice group, having joined the firm as a trainee solicitor in 2014.

Mr. Jones advises emerging and leading companies on data protection and intellectual property issues, including cybersecurity, copyright, trademarks, and e-commerce. He has experience advising companies in the technology, pharmaceutical, and media sectors. His practice encompasses regulatory compliance and advisory work. He regularly provides strategic advice to global companies on complying with data protection laws in Europe and the UK....

44 20 7067 2193
Philippe Bradley-Schmieg, Covington Burling, Data privacy and cybersecurity attorney
Associate

Philippe Bradley-Schmieg's practice covers a range of regulatory and commercial matters affecting the IT, internet media, e-health and telecoms sectors across the world.

Mr. Bradley-Schmieg advises on legislation, enforcement, advocacy and contracts relating to privacy, data protection, consumer protection, intermediary liability, copyright and databases, Big Data, medical confidentiality, cybersecurity, law enforcement data requests, and smart medical devices and apps.

44-20-7067-2282