CJEU rules on general and indiscriminate retention of traffic data

September 26, 2022

The Court of Justice has ruled in Joined Cases C-339/20 | VD and C-397/20 | SR.

Criminal proceedings were brought in France against VD and SR for insider dealing, concealment of insider dealing, aiding and abetting, corruption and money laundering. These were based on personal data from telephone calls made by VD and SR which were generated when electronic communications services were provided. The data had been sent to the investigating judge by the French regulator, the Autorité des marchés financiers (AMF).

VD and SR appealed their convictions, relying on EU case-law to challenge the fact that the AMF used French legal provisions as the legal basis to collect personal data, arguing that the French laws did not comply with EU law. This was because the French laws provided for general and indiscriminate retention of connection data and contained no restrictions on the powers of the AMF’s investigators to require the retained data to be provided to them.

The French referring court asked the CJEU how the relevant provisions of the E-Privacy Directive (2002/58/EC) alongside the Charter of Fundamental Rights of the EU can be reconciled with the relevant provisions of the Market Abuse Directive and the Market Abuse Regulation.

The Court of Justice ruled that neither the Market Abuse Directive nor the Market Abuse Regulation can constitute the legal basis for the powers conferred on the competent financial authorities.

It also said that the E-Privacy Directive is the key reference point on the retention and, more generally, the processing of, personal data in the electronic communications sector. Therefore, it also governs the traffic data records held by operators providing electronic communications
services, which the competent financial authorities, under the Market Abuse Directive and the Market Abuse Regulation, may require. Consequently, the assessment of the lawfulness must be carried out under the E-Privacy Directive as interpreted by the Court.

The Court ruled that the Market Abuse Directive and Regulation do not authorise the general and indiscriminate retention of traffic data.

It also confirmed its case law under which a national court may not restrict the temporal effects of a declaration of invalidity which it is bound to make under national law regarding national legislation requiring operators providing electronic communications services to retain generally and indiscriminately traffic and location data due to that legislation being incompatible with the E-Privacy Directive.

That said, the Court pointed out that, in accordance with the principle of procedural autonomy of the member states, the admissibility of evidence obtained as part of such retention is a matter for national law, subject to compliance with the principles of equivalence and effectiveness. The latter principle of effectiveness means that national criminal courts must disregard the information and evidence obtained by means of the generalised and indiscriminate retention of traffic and location data in breach of EU law if the persons concerned cannot comment effectively on that information and that evidence and they relate to a field of which the judges have no knowledge and are likely to have a greater influence on the findings of fact.

The ruling is relevant to the UK because the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426) which implemented the E-Privacy Directive into UK law, (currently) continue to apply as retained EU law.