Indiscriminate retention of data precluded under EU law, Luxembourg rules
EU law precludes national legislation that prescribes general and indiscriminate retention of data except in the fight against serious crime, the Court of Justice of the European Union has ruled.
In Case C-698/15, Mr Tom Watson, Mr Peter Brice and Mr Geoffrey Lewis brought actions challenging the UK rules on the retention of data which enable the Secretary of State for the Home Department to require public telecommunications operators to retain all the data relating to communications for a maximum period of 12 months, with the provision that retention of the content of those communications is excluded.
In references for a preliminary ruling made by the Kammarrätten i Stockholm (Administrative Court of Appeal, Stockholm, Sweden) in another case and the Court of Appeal (England and Wales) (Civil Division), the Court is requested to state whether national rules that impose on providers a general obligation to retain data and which make provision for access by the competent national authorities to the retained data, where, inter alia, the objective pursued by that access is not restricted solely to fighting serious crime and where access is not subject to prior review by a court or an independent administrative authority, are compatible with EU law (in particular the directive on ‘privacy and electronic communications’ read in the light of the Charter of Fundamental Rights of the European Union.
In today’s judgment, the Court’s answer is that EU law precludes national legislation that prescribes general and indiscriminate retention of data. The Court confirms first that the national measures at issue fall within the scope of the directive. The protection of the confidentiality of electronic communications and related traffic data guaranteed by the directive, applies to the measures taken by all persons other than users, whether by private persons or bodies, or by state bodies.
Next, the Court finds that while that directive enables Member States to restrict the scope of the obligation to ensure the confidentiality of communications and related traffic data, it cannot justify the exception to that obligation, and in particular to the prohibition on storage of data laid down by that directive, becoming the rule.
Further, the Court states that, in accordance with its settled case-law, the protection of the fundamental right to respect for private life requires that derogations from the protection of personal data should apply only in so far as is strictly necessary. The Court applies that case-law to the rules governing the retention of data and those governing access to the retained data.
The Court states that, with respect to retention, the retained data, taken as a whole, is liable to allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained.
The interference by national legislation that provides for the retention of traffic data and location data with that right must, therefore, be considered to be particularly serious. The fact that the data is retained without the users of electronic communications services being informed of the fact is likely to cause the persons concerned to feel that their private lives are the subject of constant surveillance. Consequently, only the objective of fighting serious crime is capable of justifying such interference.
The Court states that legislation prescribing a general and indiscriminate retention of data does not require there to be any relationship between the data which must be retained and a threat to public security and is not restricted to, inter alia, providing for retention of data pertaining to a particular time period and/or geographical area and/or a group of persons likely to be involved in a serious crime. Such national legislation therefore exceeds the limits of what is strictly necessary and cannot be considered to be justified within a democratic society, as required by the directive, read in the light of the Charter.
The Court makes clear however that the directive does not preclude national legislation from imposing a targeted retention of data for the purpose of fighting serious crime, provided that such retention of data is, with respect to the categories of data to be retained, the means of communication affected, the persons concerned and the retention period adopted, limited to what is strictly necessary. The Court states that any national legislation to that effect must be clear and precise and must provide for sufficient guarantees of the protection of data against risks of misuse. The legislation must indicate in what circumstances and under which conditions a data retention measure may, as a preventive measure, be adopted, thereby ensuring that the scope of that measure is, in practice, actually limited to what is strictly necessary. In particular, such legislation must be based on objective evidence which makes it possible to identify the persons whose data is likely to reveal a link with serious criminal offences, to contribute to fighting serious crime or to preventing a serious risk to public security.
Further, the Court considers that it is essential that access to retained data should, except in cases of urgency, be subject to prior review carried out by either a court or an independent body. In addition, the competent national authorities to whom access to retained data has been granted must notify the persons concerned of that fact.
Given the quantity of retained data, the sensitivity of that data and the risk of unlawful access to it, the national legislation must make provision for that data to be retained within the EU and for the irreversible destruction of the data at the end of the retention period.