General and indiscriminate retention of traffic and location data permitted only if there is a serious threat to national security

November 24, 2021

Advocate General Campos Sánchez-Bordona has reiterated in Joined Cases C-793/19 SpaceNet and C-794/19 Telekom Deutschland, in Case C-140/20 Commissioner of the Garda Síochána and Others and in Joined Cases C-339/20 VD and C-397/20 SR that the general and indiscriminate retention of traffic and location data relating to electronic communications is permitted only if there is a serious threat to national .security.

The Court of Justice of the European Union’s case-law on the retention and access to personal data generated in the electronic communications sector has given rise to concerns in certain member states. Certain national courts referred a question to the Court for a preliminary ruling because they feared that that case-law could deprive State authorities of an instrument necessary to safeguard national security and to combat crime and terrorism. 

There had been two requests from Germany for a preliminary ruling calling into question the case-law relating to exceptions to the confidentiality of communications and users’ data. An appeal had been brought by the Federal Network Agency against domestic judgments upholding the actions brought by two companies providing internet access services, in which they challenged the obligation in German legislation to store their customers’ telecommunications traffic data from 1 July 2017.

The third request was referred by the Irish Supreme Court, in the context of civil proceedings in which a person convicted of murder and sentenced to life imprisonment challenges the validity of certain provisions of the Irish legislation under which telephony data had been retained and made accessible and on which certain incriminating evidence was based. 

Two further requests for a preliminary ruling were referred by the French courts relating to a financial services investigation involving personal data relating to the use of telephone lines.

Joined Cases C-793/19 and C-794/19

While recognising the progress made in the German legislation, which showed that the German legislator wanted to comply with the Court’s case-law, the Advocate General observed that the general and indiscriminate storage obligation which it imposes covers a very wide range of traffic and location data. The time limit imposed on that storage does not remedy the issue, because, apart from the situation justified by the defence of national security, the storage of electronic communications data must be targeted, due to the serious risk caused by the data’s general storage. In addition, the Advocate General pointed out that, in any event, access to that data involves a serious interference with fundamental rights to private and family life and the protection of personal data, irrespective of the duration of the period for which access to the data is requested. 

Case C-140/20

AG Bordona said that the general and indiscriminate retention of traffic and location data is justified only to protect national security, which does not include the prosecution of offences, including serious offences. By permitting, for reasons going beyond those inherent in the protection of national security, the preventive, general and indiscriminate retention of traffic and location data of all subscribers for a period of two years, Irish legislation does not comply with EU legislation. 

In addition, access by the competent national authorities to retained data does not appear to be subject to prior review by a court or an independent authority, as required by the case-law, but to the discretion of a police officer of a certain rank. The Irish Supreme Court will have to ascertain whether that official satisfies the conditions laid down in the case-law relating to the status of ‘independent authority’ and whether it is a ‘third party’ in relation to the authority requesting access. The Advocate General also pointed out that that review must take place before, not after, access to the data. Finally, the Advocate General reiterated that a national court cannot limit in time the effects of a declaration of illegality of domestic legislation incompatible with EU law.

Joined Cases C-339/20 and C-397/20

The Advocate General observed that these proceedings essentially related, like the three previous proceedings, to the issue of whether the member states may impose an obligation to retain electronic communications traffic data in a general and indiscriminate manner. He stated that the provisions concerning the processing of data traffic records set out in the legislation on market abuse must be interpreted in the light of the scheme of the Directive on privacy and electronic communications. 

The Advocate General points out that the market abuse legislation does not confer specific and autonomous powers to retain data; it merely authorises competent authorities to access the data retained in existing records, which must have been drawn up in a manner consistent with the Directive on privacy and electronic communications. At issue, in particular, are records or recordings which may be retained to combat serious crime and to safeguard public security, which cannot be assimilated to those retained in a preventive, generalised and indiscriminate basis for the defence of national security. Accordingly, national legislation which requires electronic telecommunications undertakings to retain traffic data on a general and indiscriminate basis in the context of an investigation into insider dealing or market manipulation and abuse is contrary to EU law. Nor may a national court, in such circumstances, limit in time the effects of that incompatibility.