On 30 September 2022, the Court of Justice of the European Union (CJEU) handed down two judgments in which it ruled, respectively, that Germany’s and France’s data retention laws are incompatible with EU law.

In Joined Cases C‑793/19 and C‑794/19 SpaceNet AG and Telekom Deutschland GmbH (EU:C:2022:702), the CJEU ruled that EU law precludes the general and indiscriminate retention of traffic and location data, except in the case of a serious threat to national security.  It also confirmed, however, that to combat serious crime, Member States may, in strict compliance with the principle of proportionality, provide for the targeted or expedited retention of such data and the general and indiscriminate retention of IP addresses.

The ruling came from a reference by the German Federal Administrative Court in proceedings brought by SpaceNet and Telekom Deutschland, challenging the requirement under the German Law on Telecommunications (TKG) to retain traffic and location data relating to their customers’ use of their services.

With some exceptions, the TKG requires providers of publicly available electronic communications service to retain, in a general and indiscriminate way, most of the traffic and location data of their end users for a period of several weeks, for purposes including prosecuting serious criminal offences or preventing a specific risk to national security.

The German court asked the CJEU to confirm whether, following the CJEU’s rulings in various cases, including Case C-140/20 Commissioner of An Garda Síochána and Joined Cases C-511/18, C-512/18 and C-520/18 La Quadrature du Net, EU law precludes such national legislation in circumstances where the retention obligation under the TKG concerned less data and a shorter retention period (four or 10 weeks) than imposed by the national legislation in those cases.

The CJEU’s answer is that EU law precludes national legislation, which provides, on a preventative basis, for the general and indiscriminate retention of traffic and location data for the purposes of combatting serious crime and preventing serious threats to public security.  The CJEU was clear that the retention obligation under the TKG applied to a very broad set of traffic and location data, which corresponded, in essence, to those that led to the previous judgments.  The fundamental point is that the traffic and location data to be retained under the TKG could allow for very precise conclusions to be drawn about the private lives of the persons involved (such as their habits of everyday life, permanent or temporary places of residence, daily or other movements, general activities, and social lives) and, in particular, could enable a profile of those persons to be created.

However, the CJEU was also clear that EU law does not preclude national legislation that:

  • allows the relevant national authority to require, for the purposes of safeguarding national security, electronic communications services to retain, generally and indiscriminately, traffic and location data where there is a serious threat to national security;
  • provides, for the purposes of safeguarding national security, combatting serious crime and preventing serious threats to public security, for the targeted retention of traffic and location data that is limited, on the basis of objective and non-discriminatory factors, according to the categories of persons concerned or using a geographical criterion, for a period that is limited in time to what is strictly necessary, but that may be extended;
  • provides, for the same purposes, for the general and indiscriminate retention of IP addresses where the retention period is limited to what is strictly necessary;
  • provides, for the purposes of safeguarding national security, combatting crime and safeguarding public security, for the general and indiscriminate retention of data relating to the identity of users; or
  • allows the relevant national authority, for the purposes of combatting serious crime and safeguarding national security, to require providers to undertake, for a specified period of time, the expedited retention of traffic and location data in their possession.

On the same day, the CJEU handed down a judgment relating to criminal proceedings against two individuals accused of insider dealing, brought on the basis of telephone calls containing personal data.  In Joined Cases C‑339/20 and C‑397/20 VD and SR, the CJEU ruled that the general and indiscriminate retention of traffic data by operators providing electronic communications services for a year from the date on which they were recorded is not authorised, as a preventive measure, for the purpose of combatting market abuse offences including insider dealing.  The court stressed that the retention and, more generally, the processing of personal data in the electronic communications sector is governed by the e-Privacy Directive (2002/58/EC).  Neither the Market Abuse Directive (2003/6/EC) nor the Market Abuse Regulation (596/2014/EU) provided a legal basis for a general obligation to retain the data traffic records held by service providers for the purposes of exercising the powers conferred on the competent financial authorities under those measures.

Comment

Neither judgment amounts to an outright ban on mandating the retention of communications data.  A general retention mandate may be warranted where there is a serious threat to national security.  Otherwise, any measures that do require electronic communications services, such as internet service providers, to retain data must be strictly proportionate and targeted, to combat serious crime, safeguard national security or prevent serious threats to public security.  The CJEU has essentially reaffirmed its previous rulings and made it clear, in this latest case, that Member States cannot use national measures implementing other EU obligations to work around the general prohibition on the general and indiscriminate retention of traffic and location data.  Of course, the UK has had its own run-in with the CJEU over its bulk retention laws.  In Case C-623/17 Privacy International (EU:C:2020:790), the CJEU ruled that the UK’s data retention and collection practices for national security purposes must be subject to the same safeguards.  In 2021, the Grand Chamber of the European Court of Human Rights (ECtHR) ruled in Big Brother Watch v UK that aspects of the UK’s data interception and acquisition regime breached Articles 8 and 10 of the European Convention on Human Rights.  The latest iteration of the UK’s surveillance laws, the Investigatory Powers Act 2016, which introduced new safeguards, is also the subject of protracted litigation following a challenge by civil rights group Liberty.