General obligation of indiscriminate retention of data is inadmissible – according to the new CJEU ruling
The Court of Justice of the European Union (CJEU) addressed the question of admissibility of the general obligation of indiscriminate retention of traffic data and location data already in its Digital Rights Ireland judgement, by which it declared the directive on the retention of data invalid.
By its judgement of 21 December 2016 in Joined Cases C-203/15 and C-698/15, in which the general obligation of retention of traffic data and location data in Sweden and the United Kingdom was considered, the CJEU again stressed that EU law precludes national legislation that provides for general and indiscriminate retention of all traffic and location data of all subscribers and registered users with respect to all means of electronic communications.
The Member States may, in accordance with EU law, restrict the obligation of principle to ensure the confidentiality of communications and related traffic data with legislative measures, however, exceptions to that obligation of principle may not become the rule. Such measures may only be adopted for a limited period and must be necessary, appropriate and adequate to achieve the objectives, exhaustively listed in Article 15 (1) of the Directive on privacy and electronic communications. These objectives include, inter alia, prevention, investigation, detection and prosecution of criminal offences, yet according to CJEU only the objective of fighting serious crime is, however, not in itself capable of justifying so serious interference in the fundamental rights. In order to ensure limitation to what is strictly necessary, national legislation should, in the CJEU’s opinion, lay down in particular: (i) clear and precise rules governing the scope and application of such a data retention measures; (ii) objective criteria, that establish a connection between the retained data and the objective pursued and (iii) objective evidence in order to define the affected public.
Further, CJEU emphasised that access to the retained data must be limited to the exhaustively listed objectives which justify exceptions to the obligation of principle to ensure the confidentiality of communications as well. In addition, the CJEU says such access should be limited to substantive and procedural conditions the fulfilment of which should be subject to a prior review carried out either by a court or by an independent administrative body (except in cases of validly established urgency). From the perspective of data security, the CJEU stressed that the data should be retained within the EU and irreversibly destructed at the end of the data retention period.
The judgement concerned may have an impact on the interpretation of the provisions of Slovenian legislation. Based on the judgement in the Digital Rights Ireland case the relevant provisions of the Electronic Communications Act, which imposed a general obligation of indiscriminate data retention upon network operators, have already been annulled by way of the Slovenian Constitutional Court Decision U-I-65/13 of 3 June 2014; however, the indirect impact of the recent CJEU judgement in respect of the provisions relating to retention of data by the providers of information society services remains to be seen.