In its decision of December 21, 2016 (Joined Cases C-203/15 and C-698/15) the Court of Justice of the European Union (CJEU) ruled that national legislation may not provide for general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication for the purpose of combating crime. Sufficient safeguards should also be provided as to the access to these data by the national authorities.
(The questions raised by the United Kingdom having been ruled out by the CJEU, we made the choice not to deal with them in this article)
Facts: The Swedish Internet Provider Refused to Continue Retaining Traffic and Location data
Tele2 (Swedish Telecom provider) was ordered by PTS (Swedish Post and Telecom Authority) to retain traffic and location data in relation to its subscribers and registered users in accordance with the LEK (Swedish law implementing the Data Retention Directive 2006/24/EC) which provides for location and traffic data to be retained by electronic communication providers for a period of 6 months and access to these data by national authority investigating crime with a potential of 2 years of imprisonment.
Tele 2 refused to follow the PTS order as in its opinion, following the CJEU judgment of 8 April 2014, digital rights judgment (C293/12), the directive 2006/24 was invalidated and therefore it would cease to retain electronic communication data covered by the LEK and would erase data retained prior to 14 April 2014.
PTS informed Tele2 that it was in breach of its obligations under the national legislation.
Tele 2 brought the case before the CJEU after being dismissed by national court.
Legal context: Member States may adopt legislative measures providing for the retention of traffic/location data in specific context such as combating crime
The Swedish law (LEK) was enacted to implement the directive 2006/24/EC on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending the directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector.
The former directive had been invalidated by a previous CJEU case called the Digital Rights judgment (as referred to above).
However, the article 15 (1) of directive 2002/58/EC has remained into effect and enable “Member States to adopt legislative measures to restrict the scope of the rights and obligations provided for in article 5, 6, 8(1), (2),(3),(4), and article 9 (right to retain and use traffic and location data of users and subscribers of service provided by public communication service providers) when such restriction constitutes a necessary , appropriate and proportionate measure within a democratic society to safeguard security , defence, public security and the prevention , investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system.
To this end, Member States may adopt legislative measures providing for the retention of data for a limited period justified on the grounds laid down (above) and in accordance with the general principles of community law (…).”
Question raised by the Court: Was the Swedish legislation provisions compatible with the directive and the Human Rights Charter?
The court raised the following question:
Is a general obligation to retain traffic data covering all persons, all means of electronic communication and all traffic data without any distinctions, limitations or exceptions for the purpose of combating crime compatible with article 15 (1) of the directive 2002/58/EC taking account of of articles 7 and 8 (rights to privacy) and article 52 (1) of the Charter?
The Court ruled that general and indiscriminate retention as well as unrestricted access by national authority to location and traffic data is prohibited
The court ruled that article 15(1) of directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector must be interpreted as precluding national legislation which, for the purpose of fighting crime provides for general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication.
The Court went further in ruling that article 15 (1) also precludes national legislation governing the protection and security of traffic and location data and in particular access of the competent national authorities to the retained data, where the objective pursued by that access in the context of fighting crime:
- is not restricted solely to fighting serious crime,
- where access is not subject to prior review by a court or an independent administrative authority and
- where there is no requirement that the data concerned should be retained within the European Union.
Read the decision here