Recalibrating Data Retention in the EU

• Date: 08 September 2021
• Year: 2021
• Author: Adam Juszczak,Elisa Sason
• Pages: 44
• DOI: https://doi.org/10.30709/eucrim-2021-020

I. Introduction

Over the past years, “data retention” has been the subject of extensive, controversial and at times fierce discussions amongst practitioners, policy makers, civil society and academia in the EU and its Member States. Essentially, it is about the retention by providers of electronic communication services and networks of traffic and location data for a certain period of time, in order to allow access by competent national authorities for the purpose of preventing, investigating, detecting, or prosecuting crimes and safeguarding national security.

Although it is generally about traffic and location data and not about the content of the communication conducted, the scope of such retention remains significant. The kind of retained data enables obtaining an enormous amount of information, such as locating the source of a communication and its destination; determining the date, time, duration and type of communication; identifying the communications equipment used; locating the terminal equipment and communications; saving the names and addresses of users, the telephone numbers of the caller and the person called, and the IP address for internet services.

Data retention covers all electronic communication systems and applies to all users of such systems, not only to persons suspected of having committed a crime. It applies to all users of electronic communication, without distinction or exception.

Some repeat that it is indispensable that electronic communication operators and service providers retain certain data – besides that collected strictly for their business purposes – and disclose it, under certain conditions, to law enforcement, judicial and other competent authorities, in order to effectively prevent serious threats to security and combat serious crimes, including terrorism, organised crime or child pornography.¹ Others reiterate that such practice constitutes an invasive and unjustified encroachment on fundamental rights; they also put in question the purported benefits of the retention of data for the purpose of preventing threats and fighting crime as such.²

The matter of “data retention” raises myriads of legal and practical questions and touches upon fundamental rights in the European multi-level system, i.e. fundamental rights as enshrined in national constitutions (national level), and those enshrined in the EU Charter of Fundamental Rights and the European Convention on Human Rights (European level). At the EU level, the Court of Justice of the European Union (hereinafter “CJEU”) as the guardian of the Charter of Fundamental Rights³ (hereinafter “Charter”), checks whether national legislation on data retention complies with Union law, and in particular the Charter. At the same time national Supreme Courts or Constitutional Courts are competent to check compliance of national provisions against the guarantees enshrined in their national constitutions, while the European Court of Human Rights (ECtHR) reviews interferences with the European Convention on Human Rights (ECHR). This mixed and multi-layered judicial environment does not make it easy to attain clarity and certainty in establishing the scope and limits of data retention in Europe. It is hence not surprising that several national Supreme and Constitutional Courts rendered judgements on data retention in the past years,⁴ as well as the ECtHR,⁵ and, lastly, the CJEU.

For all the focus on the judicial and security dimension of this topic, another aspect related thereto remained out of sight: Imposing an obligation on providers of electronic communication services and networks to retain data and provide access thereto to competent national authorities, might not only potentially pose a significant financial burden on the service providers, but also comprises a considerable impact on the way they conduct their business – a right that falls under the scope of Art. 16 of the Charter. Although the CJEU has reviewed the requests for preliminary ruling by referring to fundamental rights of the Charter, it has been entirely oblivious to a potential interference with said Art. 16 of the Charter.

Generally, although the protection of personal data is high on the political agenda in the EU, there has always been strong political will to find a viable solution allowing for an effective use of retained data for the purpose of combating crimes and maintaining security in the EU. The heads of state and government underlined at the meeting of the European Council in December 2020 that it is essential that national law enforcement and judicial authorities exercise their powers both online and offline to combat serious crime and – in the light of the case law of the CJEU– stressed the need to continue and advance work on retention of data in full respect of fundamental rights and freedoms⁶. At the March 2021 Justice and Home Affairs Council, Ministers, too, stressed the need for competent national authorities to have access to data previously retained for the purpose of preventing, investigating, detecting, and prosecuting serious crimes.⁷

This article provides a short background on data retention at the EU level (II.) before it outlines the most recent jurisprudence of the CJEU (III.). It subsequently elaborates on the legal and practical consequences of that jurisprudence (IV.), sheds light on this matter in the context of the current negotiations on the e-Privacy Regulation between the European Parliament, Council and Commission (V.), and concludes with a number of reflections on how and to which extent retention of personal data and access thereto could be reconciled with the requirements under EU law (VI.).

II. Quick Flash: From the Data Retention Directive to the Tele2/Watson Decision by the CJEU

At the EU level, common rules on a Union-wide data retention regime were introduced back in 2006 by Directive 2006/24/EC,⁸ which obliged Member States to adopt measures to ensure that providers of electronic communication services and networks retain traffic and location data (excluding the content of the communication) for between six months and two years, in order to allow access by competent national authorities for the purpose of investigation, detection and prosecution of serious crimes.

1. Digital Rights Ireland/Seitlinger – the CJEU’s decision on the invalidity of the data retention Directive

This first and somehow candid attempt to establish an EU-wide data retention regime was, to some surprise of many, declared invalid by the CJEU in 2014 in its landmark decision Digital Rights Ireland and Seitlinger.⁹ Following legal challenges in Ireland and Austria, requests for a preliminary ruling were made by the Irish High Court and the Austrian Constitutional Court (Verfassungsgerichtshof), and the CJEU held that the retention of data, as envisaged in that Directive, violated Arts. 7 and 8 of the Charter. The CJEU established that the general and indiscriminate retention of data envisaged in the Directive constituted a particularly serious interference with fundamental rights, as it was not sufficiently circumscribed to ensure that the interference is limited to what was strictly necessary. However, the CJEU did not fail to stress that in its view the retention of data genuinely satisfies an objective of general interest, namely the fight against serious crime and, ultimately, public security and that, as such, it does not adversely affect the essence of the fundamental rights in question. Moreover, the CJEU stated that the Directive may be considered appropriate for attaining the objective pursued – in other words, that the retention of data and access thereto by national authorities was considered a suitable tool that indeed has an added value in combating serious crimes.¹⁰

Although this decision has been perceived as marking the end to data retention in the EU, the CJEU clearly did not dismiss data retention as such but the way the directive was constructed – the Union legislator failed the proportionality test. The CJEU meticulously enumerated the faulty parts of the Directive, i.e.:

• The lack of differentiation, limitation or exception when retaining all traffic data of all individuals;¹¹

• The lack of any objective criteria as regards the access to the data by national authorities;¹²

• An overly rigid retention period, without any distinction as regards the categories of data and the usefulness for the objective pursued;¹³

• The absence of sufficient safeguards against the risk of abuse of the retained data;¹⁴

• An overly relaxed attitude allowing that the data may be retained outside the EU, hence out of reach of the required control of compliance under EU law, as also required by Art. 8(3) of the Charter.¹⁵

What was the immediate consequence of this decision? The CJEU declared Directive 2006/24 invalid, but it did not dismiss data retention as such, thus leaving room for national solutions, provided they comply with the standards of EU law. As the CJEU does not consider the validity of national legislation transposing that Directive, its decision could not not directly impact the domestic regimes on data retention across the EU. Although a number of national courts of last resort declared national legislation to be invalid on the basis of the Digital Rights decision¹⁶ and some Member States made limited amendments, it remained unclear to which extent the findings and requirements of that decision would, in practice, impact the domestic regimes on data retention.

It required further action to bring this matter before the CJEU again and to give practical effect to the landmark judgement in Digital Rights. This happened just a day after the decision of the CJEU, when Swedish telecommunication company “Tele2” decided to no longer retain data and informed the Swedish authorities accordingly. Legal proceedings were instituted and, in the course thereof, the Swedish court (Kammarrätten i Stockholm) referred the question...