Top court rules again that EU laws may not require general and indiscriminate data retention, but then muddies the privacy waters

Posted on Oct 7, 2020 by Glyn Moody

National governments in the EU are very keen for communication companies to store traffic and location data for all their users. They claim this is necessary to enable the authorities to fight terrorism and serious crime. Such information may be helpful in some cases, but it also entails a massive invasion of privacy for hundreds of millions of people. As a result, digital rights organizations have been fighting hard against general requirements to store this data for all EU users of the Internet. This has led to a series of important judgments from the EU’s top court, the Court of Justice of the European Union (CJEU), which lay down what exactly is permitted in the field of data retention.

In 2014, the CJEU ruled that the main EU law, the Data Retention Directive, was invalid – effectively striking it down. However, governments in the EU were still keen to retain data about people’s use of the Internet, and passed local laws requiring service providers to store this information. In a 2016 judgment, the CJEU ruled that local laws requiring indiscriminate retention of traffic and location data were not acceptable. However, it did also state:

the directive does not preclude national legislation from imposing a targeted retention of data for the purpose of fighting serious crime, provided that such retention of data is, with respect to the categories of data to be retained, the means of communication affected, the persons concerned and the retention period adopted, limited to what is strictly necessary. The Court states that any national legislation to that effect must be clear and precise and must provide for sufficient guarantees of the protection of data against risks of misuse.

This week, the CJEU handed down important clarifications of what that means, which will have a big impact in the EU and possibly beyond. The new judgment involves three joined cases regarding data retention laws in the UK, France and Belgium. After re-affirming that these national laws are indeed still subject to the general principles of EU law, the CJEU repeated its view that national legislation requiring communication companies to carry out the “general and indiscriminate transmission of traffic data and location data to the security and intelligence agencies for the purpose of safeguarding national security” is not permitted. It underlined that laws requiring companies to retain traffic and location data as a “preventative measure” were similarly forbidden. This means existing national laws requiring this kind of data retention will have to be re-written. However, having clarified these points, the CJEU then went on to carve out some notable exceptions.

For example, the court said that EU laws do not rule out orders to communication companies to retain, “generally and indiscriminately”, traffic and location data, if the state is “facing a serious threat to national security that proves to be genuine and present or foreseeable.” But that must only be for a period that is “limited in time to what is strictly necessary”, and it must be “subject to effective review either by a court or by an independent administrative body whose decision is binding, in order to verify that one of those situations exists and that the conditions and safeguards laid down are observed.” That’s an important constraint, but the exception laid down here is a pretty vague one: what exactly constitutes a “serious threat to national security”?

The CJEU also ruled that “targeted retention, limited in time to what is strictly necessary, of traffic and location data, which is limited, on the basis of objective and non-discriminatory factors, according to the categories of persons concerned or using a geographical criterion” is permitted. In particular, countries can bring in laws that require communication companies to carry out real-time collection of traffic and location data, where that collection is limited to “persons in respect of whom there is a valid reason to suspect that they are involved in one way or another in terrorist activities and is subject to a prior review carried out either by a court or by an independent administrative body whose decision is binding.” Again, what exactly a “valid reason” might be is left undefined.

As to the various requirements that such data retention should be limited in time to what is strictly necessary and so on, the CJEU says that it will be national courts that decide whether information and evidence obtained by the retention of data in breach of EU law is admissible or not. On the plus side, the CJEU does say that information and evidence obtained as a result of indiscriminate retention of traffic and location data in breach of EU law should be disregarded in court cases. It will be interesting to see if this leads to previous court cases being struck down as a result.

Although it is welcome that the CJEU has once more affirmed that “general and indiscriminate” retention of traffic and location data is not allowed, it has also given national governments some very handy ways to get around that ban in certain circumstances. Since it has also ruled that the details must be decided by local courts, rather than by the CJEU itself, we can probably expect a string of legal actions around the EU trying to determine whether local government use of data retention is legal under the new, rather confusing, guidelines. It is quite possible that some of those cases will be referred to the CJEU for guidance. The EU’s debate over when it is permissible for governments to require personal data to be retained is by no means over.

Featured image by denisbin.