The Advocate General has provided an opinion in Case C-623/17 Privacy International and Case C-520/18 Ordre des barreaux francophones et germanophone and others.

Directive 2002/58/EC on privacy and electronic communications applies, in principle, when the providers of electronic communication services are obliged by law to retain the data of their subscribers and to allow public authorities access to that data, regardless of whether those obligations are imposed on national security grounds.

In recent years, the Court of Justice of the European Union has ruled on the retention of personal data and access to that data.  Those rulings have caused concern for some member states due to them needing the data to safeguard national security and to combat crime and terrorism.

That concern was highlighted in four cases referred by courts in France, Belgium, and the UK. The primary issue was how the Directive applies to activities relating to national security and combatting terrorism.

In his opinion, Advocate General Manuel Campos Sánchez-Bordona said there was no doubt as to the applicability of the Directive in that area. 

He stated that the Directive does not apply to activities that are aimed at safeguarding national security and are carried out by the public authorities on their own account, without requiring the cooperation of private parties and not, therefore, imposing obligations on the latter in relation to the management of their businesses. 

However, if obligations are imposed on private parties and their cooperation is required, even when that is on grounds of national security, those activities are governed by EU law: the protection of privacy enforceable against those private actors. 

Further, the Directive allows member states to adopt legislative measures which, in the interests of national security, affect the activities of individuals subject to the authority of those states by restricting their rights. The Advocate General stated that limitations on the obligation to guarantee the confidentiality of communications and related traffic data must be interpreted strictly and with regard to the fundamental rights enshrined in the Charter on Human Rights.

He also stressed that a general and indiscriminate retention of all traffic and location data of all subscribers and registered users is disproportionate. However, he recognised the usefulness of an obligation to retain data to safeguard national security and combat crime. 

Consequently, he recommends limited and discriminate retention (that is, the retention of specific categories of information that are absolutely essential to effectively prevent and control crime and to safeguard national security for a limited period adapted to each particular category, and limited access to that data (subject to a prior review carried out either by a court or by an independent administrative authority; the data subjects being notified, as long as that does not jeopardise ongoing investigations, and the adoption of rules to avoid misuse of, and unlawful access to, that data. Nonetheless, the Advocate General adds that there is no reason why, in exceptional situations characterised by an imminent threat or an extraordinary risk warranting the official declaration of a state of emergency, national legislation should not make provision, for a limited period, for the possibility of imposing an obligation to retain data that is as extensive and general as is deemed necessary.

The Advocate General effectively stated that all the national legislation in all three countries is precluded by the Directive.

The obligation to retain data imposed by the French and Belgian legislation is general and indiscriminate, and therefore is a particularly serious interference in the fundamental rights enshrined in the Charter. 

Further, the French legislation is incompatible with the Directive because it imposes no obligation to notify the data subjects about the processing of their personal data by the competent authorities to ensure that they can exercise their right to effective judicial protection.

The Directive precludes the Belgian legislation because as well as terrorism and national security, it also has its objectives defence of the territory, public security, the investigation, detection and prosecution of less serious offences and, in general, any other objective provided for in Article 23(1) of Regulation 2016/69. Even though access to the data retained is subject to precisely prescribed safeguards, a general and indiscriminate obligation is imposed, which applies permanently and continuously, to retain traffic and location data that is processed in the course of the provision of those services, which is incompatible with the Charter.

The Advocate General considers that despite Article 4 TFEU, under which national security is the exclusive responsibility of each Member State, the Directive also precludes the UK legislation.