The CJEU has confirmed in the joined cases C-511/18,C-512/18,C-520/18,C-623/17 La Quadrature du Net and Others that national legislation requiring a provider of electronic communications services to carry out general and indiscriminate transmission or retention of traffic data and location data to combat crime in general or to safeguard national security is not permitted under EU law.
However, there is an exception to this if there is a genuine and serious threat to national security. In those circumstances, data can be retained, but for only as long as is strictly necessary. That period may be extended if the threat carries on.
When combating serious crime and preventing serious threats to public security, a member state may also require targeted retention of that data as well as its expedited retention. This should be subject to effective safeguards which must be reviewed by a court or by an independent administrative authority. IP addresses can be retained if the retention period is limited to what is strictly necessary. It is acceptable to retain data relating to the civil identity of users of electronic communications, and here the court said that the retention is not subject to a specific time limit.
Background
EU case law, especially the judgment in Tele2 Sverige and Watson and Others, in which the Court held that member states could not require providers of electronic communications services to retain traffic data and location data in a general and indiscriminate way, had created concerns in some countries that they are able to employ measures that they deem necessary to safeguard national security and to combat crime.
In these new cases, questions were referred to the CJEU about the lawfulness of legislation adopted by France, Belgium and the UK requiring providers of electronic communications services to forward users’ traffic data and location data to a public authority or to retain such data in a general or indiscriminate way.
The rulings in detail
The CJEU ruled that the Directive on privacy and electronic communications applies to national legislation requiring providers of electronic communications services to carry out personal data processing operations, such as its transmission to public authorities or its retention, for the purposes of safeguarding national security and combating crime. Some member states had argued that the Directive does not apply because the national laws aim to safeguard national security, which is the sole responsibility of member states under Article 4(2) TFEU. However, the Court disagreed.
The Court also said that under the Directive, member states may not adopt for national security purposes, legislative measures intended to restrict the Directive’s provisions, especially the obligation to ensure the confidentiality of communications and traffic data, unless such measures comply with the general principles of EU law, including the principle of proportionality, and the fundamental rights guaranteed by the Charter.
In that context, the Court held that the Directive stops national legislation requiring providers of electronic communications services to carry out the general and indiscriminate transmission of traffic data and location data to the security and intelligence agencies to safeguard national security.
It also found that the Directive rules out legislative measures as a preventive measure. Such obligations are a particularly serious interference with the fundamental rights guaranteed by the Charter, because there is no link between the conduct of the people whose data is affected and the objective of the national legislation.
Similarly, the Court said that Article 23(1) of the GDPR prevents national legislation requiring communications and hosting providers to retain, generally and indiscriminately, personal data relating to those services.
However, the Court held that if the member state concerned is facing a serious threat to national security that proves to be genuine and present or foreseeable, the Directive does permit retention of traffic and location data. In these circumstances an order should be imposed for no longer than is strictly necessary and must be subject to effective review either by a court or by an independent administrative body whose decision is binding. Further, the Directive does not stop the automated analysis of the data.
Further, member states can carry out targeted retention, limited in time to what is strictly necessary, of traffic and location data, which is limited, on the basis of objective and non-discriminatory factors, according to the categories of people concerned or using geographical criteria. The same applies to IP addresses. Member states can also pass laws relating to identity information and those laws do not have to be time limited. Member states can also allow recourse to the expedited retention of data available to service providers, if it becomes necessary to retain that data beyond statutory data retention periods to shed light on serious criminal offences or attacks on national security, where such offences or attacks have already been established or where their existence may reasonably be suspected.
In addition, the Court ruled that member states may require collection of real time traffic data and location data, where it is limited to people about whom there is a valid reason to suspect that they are involved in one way or another in terrorist activities. A prior review must take place by a court or by an independent administrative body whose decision is binding, to ensure that it is strictly necessary. In urgent cases, the review must take place promptly.
Lastly, the Court said that although national law sets out criminal procedure rules, the national criminal courts should interpret the Directive in the light of the principle of effectiveness. Therefore, in criminal proceedings, they must disregard data obtained in breach of EU law, where defendants are not in a position to comment effectively on that data.