Court of Justice confirms EU law prevents general and indiscriminate retention of traffic and location data

September 25, 2022

The Court of Justice of the European Union has ruled in Joined Cases C-793/19 | SpaceNet and C-794/19 | Telekom Deutschland.

SpaceNet and Telekom Deutschland provide publicly available internet access services in Germany. Telekom Deutschland also provides telephone services. They challenged the obligation imposed on them by the German Law on Telecommunications (TKG) to retain, with effect from 1 July 2017, traffic and lcoation data relating to their customers’ telecommubications.

With some exceptions, the TKG requires providers of publicly available electronic communications services – to prosecute serious criminal offences or preventing a specific risk to national security – to retain, in a general and indiscriminate way, for a period of several weeks, most of the traffic and location data of the end users of those services.

The German Federal Administrative Court asked the CJEU if EU law precludes such national legislation. It said that the retention obligation in the TKG concerns less information and a shorter retention period (four or ten weeks) than that provided for by the national legislation in the Court of Justice’s previous judgments. This made it less likely that the retained data may allow very precise conclusions to be drawn concerning the private life of the individuals whose data had been retained. In addition, it considered that the TKG ensured the effective protection of retained data against the risks of abuse and unlawful access.

The Court of Justice confirmed its previous case-law. It said that EU law precludes national legislation which provides, on a preventative basis, to combat serious crime and prevent serious threats to public security, for the general and indiscriminate retention of traffic and location data.

However, EU law does not prevent national legislation which:

  • allows, for safeguarding national security, an instruction to be given requiring providers of electronic communications services to retain, generally and indiscriminately, traffic and location data in situations where the member state concerned is confronted with a serious threat to national security that is shown to be genuine and present or foreseeable. Such an instruction must be subject to effective review, either by a court or by an independent administrative body, and can be given only for a period that is limited to what is strictly necessary, but which may be extended if that threat persists;
  • provides, for safeguarding national security, combating serious crime and preventing serious threats to public security, for the targeted retention of traffic and location data, which is limited, on the basis of objective and non-discriminatory factors, according to the categories of individuals concerned or using a geographical criterion, for a period that is limited in time to what is strictly necessary, but which may be extended.
  • provides, for the same purposes, for the general and indiscriminate retention of IP addresses assigned to the source of an internet connection for a period of time limited to what is strictly necessary;
  • provides, to safeguard national security, combat crime and safeguard public security, for the general and indiscriminate retention of data relating to the civil identity of users of electronic communications systems, and, allows, to combat serious crime and to safeguard national security, an instruction to be given requiring providers of electronic communications services to undertake, for a specified period of time, the expedited retention of traffic and location data in the possession of those service providers.

In addition, such national legislation must contain clear and precise rules to ensure that the retention of data is subject to compliance with the applicable substantive and procedural conditions and that the persons concerned have effective safeguards against the risks of abuse.

The CJEU further ruled that the obligations in the TKG apply to a very broad set of traffic and location data. Contrary to the German courts’ view, the CJEU said that very precise conclusions could be drawn concerning the private lives of the individual whose data is retained and enable a profile to be created about them.

When considering the TKG rules that are intended to protect the retained data against the risks of abuse and against any unlawful access, the CJEU said that the retention of and access to that data constitute and separate interferences with the fundamental rights of the individuals concerned, requiring a separate justification. Therefore, national legislation complying with the EU case law cannot, by its very nature, be capable of either limited or even remedying the serious interference with the rights of the individuals concerned which results from the general retention of the personal data concerned.