End of the EU's Data Retention Saga? CJEU Clarifies Conditions for State Surveillance Regimes
The Situation: On October 6, 2020, the Court of Justice of the European Union ("CJEU") held that the national security laws of the United Kingdom, France, and Belgium, each of which requires providers of electronic communications services ("ECS") to retain traffic and location data on a general and indiscriminate basis, contravene EU law.
The Issue: The Court ruled that EU law prohibits national legislation from requiring ECS to retain traffic and location data for the purpose of combating crime or safeguarding national security on a general and indiscriminate basis. Only a "serious threat" to national security that proves to be "genuine and present or foreseeable" justifies an exception to this prohibition, but even then only for as long as such a threat exists.
Looking Ahead: EU Member States will have to abide by stringent conditions when requiring the retention of traffic and location data for the purpose of safeguarding national security; otherwise, evidence gathered through such data collection methods risks being disregarded by national courts.
Background and Issue
On October 6, 2020, the CJEU adopted several rulings addressing data retention obligations contained in the national security laws of the United Kingdom (Case C-623/17 Privacy International), France, and Belgium (joined Cases C-511/18 La Quadrature du Net and Others, C-512/18 French Data Network and Others, and C-520/18 Ordre des barreaux francophones et germanophone and Others). The Court held that the legal frameworks in these countries must not require ECS providers to carry out general and indiscriminate transmission or retention of traffic and location data for the purpose of combating crime or safeguarding national security.
These rulings are the latest of a series of CJEU decisions—including joined cases C-203/15 and C-698/15 Tele2 Sverige and Watson and Others; and joined cases C-293/12 and C-594/12 Digital Rights Ireland and Others—that prohibit EU Member States from requiring ECS to retain all traffic and location data of their users in a general and indiscriminate manner (see our related publications, "The Data Retention Saga Continues: European Court of Justice and EU Member States Scrutinize National Data Retention Laws" and "EU Data Retention Directive Declared Null and Void: What is Next and How The Ruling Has Been Received in the Member States").
The CJEU was asked, inter alia, to determine whether national legislation can require ECS providers to forward their users' traffic and location data to a public authority, or to retain such data, in a general or indiscriminate manner for the specific purpose of safeguarding national security.
National Security vs. Privacy
Despite the fact that national security is a competence of the EU Member States, the CJEU confirmed that Directive 2002/58/EC of July 12, 2002—concerning the processing of personal data and the protection of privacy in the electronic communications sector ("E-Privacy Directive")—applies to national legislation that requires ECS to forward or retain data for the purpose of safeguarding national security.
Therefore, EU Member States adopting legislative measures that restrict the scope of the rights and obligations provided by the E-Privacy Directive (e.g., obligations to ensure the confidentiality of communications and traffic data) must ensure that these measures comply with general principles of EU law (such as the principle of proportionality) and the fundamental rights provided by the EU Charter of Fundamental Rights. Accordingly, the legislation must lay down clear and precise rules governing the scope and application of the measure in question and imposing minimum safeguards, so that the persons whose personal data is affected have sufficient guarantees that their data will be effectively protected against the risk of abuse.
ECS vs. Other Information Society Services
The CJEU stressed that issues relating to the confidentiality of communications and personal data have to be assessed in light of the E-Privacy Directive or the General Data Protection Regulation, depending on the types of services provided. Therefore, the CJEU clarified that obligations imposed on providers of information society services, cloud providers, and web-based email services would also have to follow the principles set out by the Court for ECS.
Massive vs. Targeted Surveillance
The Court said that general and indiscriminate retention of traffic and location data for the purpose of combating crime or safeguarding national security is not allowed under EU law, except in limited circumstances:
- Where an EU Member State faces a serious threat to national security that proves to be "genuine and present or foreseeable," the CJEU held that that Member State may order ECS to retain traffic and location data generally and indiscriminately, but only for as long as, and in so far as, such retention is strictly necessary to address that threat. In addition, the order must be subject to effective review either by a court or by an independent administrative body whose decisions are binding.
- General retention of IP addresses is, however, permitted, but it must be limited in time.
- General retention of the civil identity of users of electronic communications systems may also be ordered, without a limit on the storage period.
In addition, the CJEU stressed that retention of traffic and location data must be targeted and limited on the basis of objective and nondiscriminatory factors, according to the categories of persons concerned or by using a geographical criterion.
Real-Time vs. Non-Real-Time
The Court recognized that EU Member States may require providers of ECS to collect traffic and location data in real time, provided that such collection either:
- Is based on a genuine and present or foreseeable serious threat to national security, subject to ex post review (as explained above); or
- Concerns only persons suspected of being involved in terrorist activities and is subject to prior authorization by a court or an independent administrative body.
International Data Transfers
The CJEU rulings will have an important impact on any assessment of adequacy necessary for international data transfers, including to the United Kingdom after December 31, 2020, the end of the Brexit Implementation Period. The rulings may make it less likely that the United Kingdom will be granted an adequacy decision by the EU Commission for the transfer of personal data from the European Union to the United Kingdom from 2021 (unless there is a specific agreement between the EU and UK in the ongoing Brexit negotiations). The ruling could be interpreted as a confirmation that the United Kingdom does not provide an adequate level of protection of personal data because of its surveillance laws.
In the wake of the annulment of the EU-U.S. Privacy Shield in July 2020, the criteria set out by the CJEU will also be relevant for data transfer from the European Union to the United States, whether in relation to the adoption of an updated EU-U.S. Privacy Shield or any future assessment of use of Standard Contractual Clauses. The conditions may also potentially help with the screening of third-country legislation and risk when assessing whether it is possible to rely on EU Standard Contractual Clauses to specific countries following the Schrems II decision.
Not Yet the End of the Data Retention Saga
This is not the end of the data retention story for the CJEU, as another request for a preliminary ruling is still pending to address the retention of traffic and location data for four- and 10-week periods respectively under German statutory law (ECJ, SpaceNet, Case C-793/19). This case was referred to the ECJ by the German Federal Administrative Court (Ruling of September 25, 2019, BVerwG 6 C 12.18, English summary of the request for a preliminary ruling), which emphasized in its preliminary request that it considers that the German data retention law contains sufficient protective measures to justify the interference with fundamental rights. Nevertheless, the German telecom regulator announced that it will not enforce the data retention provisions until their compliance with EU law is clarified in the court proceedings. This case illustrates why the data retention saga is unlikely to end soon for the CJEU.
Furthermore, all EU Member States will have to review—and likely reform—their existing data retention laws in light of the criteria set out by the CJEU. This is likely to lead to new controversies and follow-up questions—for example, how to determine when a threat to national security is "serious" and is "genuine and present or foreseeable." So the saga will continue at the national level as well as for the Court.
Three Key Takeaways
- EU Member States will need to review their national security legislation to ensure that the retention and transfer obligations for bulk and real-time communication data remain within the limits and safeguards set out by the courts, including proportionality, limited timing, and judicial review. Otherwise, evidence acquired risks being set aside by national courts.
- Providers of information society services (cloud, ECS, web mail, etc.) that are subject to national security laws should review their data retention policies to account for the CJEU rulings and limit the risk of third-party privacy complaints. In doing this, they may find themselves between a rock and a hard place in deciding whether to follow the national legislation or EU rulings. While EU Member States will not be in a position to rely on national legislation contrary to EU law against such providers, the ability of such providers to directly rely on EU law and to disregard their own national security laws is less evident.
- Another case still pending regarding German location and traffic data retention, together with the criteria set out by the Court, leaves room for further debate and controversy at the national level.