Personal data protection: the obligation to retain personal data is contrary to EU law
April 5, 2017
By a judgment of December 21, 2016, the Court of Justice of the European Union (CJEU) prohibited states from imposing the "generalized and undifferentiated" retention of personal data by telecommunications operators. This new requirement is part of a series of rulings governing access to and use of electronic communications data by member states.
The n°2202/58 Directive on the protection of personal data required electronic communications service providers to retain "data enabling the calling subscriber to be identified". In 2014, the directive was invalidated in its entirety by the Digital Rights Ireland ruling. The CJEU held that this general obligation was disproportionate, particularly with regard to the general principle of the right to protection of personal data. The ruling of December 21, 2016 follows on from this, urging the European Commission to strengthen privacy protection measures and calling on the Parliament and Council to amend legislation by May 2018 at the latest (press release January 10, 2017).
In this case, Tele2 Sverige, an electronic communications service provider based in Sweden, notified the national authorities that it would cease storing data. Following an injunction prohibiting it from doing so, Tele2 Sverige brought an action before the administrative court, which dismissed the case. On appeal, the court referred a question to the CJEU for a preliminary ruling on whether the obligation to retain data relating to electronic communications was compatible with the Directive, in the light of the EU Charter of Fundamental Rights.
Firstly, the CJEU recalls its established case law, in particular the rulings in Digital Rights Ireland (prohibiting mass electronic surveillance), Google Spain (enshrining a right to be forgotten), and Schrems (annulling the Commission's "Safe Harbor" decision 2000/520). In the new Tele2 Sverige ruling, the CJEU once again demonstrates its determination to ensure respect for the fundamental rights enshrined in the EU Charter of Fundamental Rights.
The Court thus found that the protection of the confidentiality of electronic communications and the transfer of data guaranteed by the Directive apply to measures taken by any person, including national regulations issued by a State. The CJEU also confirms that stored data can be used to draw very precise conclusions about people's private lives, without their having been informed. The CJEU therefore ruled that "generalized and undifferentiated" retention "exceeds the limits of what is strictly necessary and cannot be regarded as justified in a democratic society, as required by the Directive read in the light of the Charter".
Secondly, the judges specify that, as a preventive measure, and solely for the purpose of combating cybercrime, Member States may retain such metadata. The categories of data in question, the means of communication targeted, the persons concerned, as well as the duration of retention must be "limited to what is strictly necessary", says the Court, which means that national legislation must subject collection and retention by providers to material and procedural conditions, based on objective criteria. One of the requirements imposed is prior control of access by an independent authority. In addition, the data in question must only be stored on EU territory.
This is a new landmark ruling that is likely to have considerable effects in French law. One week after the Commission's announcement of the amendment to the Directive, in a question published on the National Assembly website, the French Minister of Justice was questioned on the scope of this ruling. The MP questioned the validity of the procedures initiated at national level and requested a review. We will therefore have to wait for the Ministry's response to find out whether national law will be brought into line in France in the near future.