In its decision of 21 December 2016, the ECJ ruled that national legislation imposing a general and indiscriminate data retention obligation on telecom operators is illegal. This judgment raises many questions, including questions regarding the possibility to trace past communications by suspects or persons accused of serious crimes.
The disputes in the main proceedings and the references for preliminary ruling
Directive 2006/24/EC on data retention, imposing a general data retention obligation on providers of electronic communications services, was declared invalid by the Court of Justice’s Digital Rights Ireland judgment of 2014 (C-293/12 and C-594/12), because such a general obligation resulted in an interference with the fundamental rights to respect of privacy and the protection of personal data which was not limited to what was strictly necessary.
Following this judgment, the ECJ was requested by the Administrative Court of Appeal of Sweden and by the Court of Appeal of England and Wales to confirm whether national rules imposing such a general data retention obligation and making provision for general access by the competent national authorities to the retained data for the purpose of combatting crime, without any prior review by a court or by an independent administrative authority, are compatible with EU law, taking into consideration the Digital Rights Ireland judgment.
Consideration and ruling
The ECJ answered that EU law precludes national legislation that prescribes the general and indiscriminate retention of data, noting that the national legislation at stake is not limited to specific cases, and that the data retention is not restricted to a particular time period, geographical zone or group of persons. Such legislation exceeds the limits of what is “strictly necessary” and cannot be justified within a democratic society.
However, a targeted retention of data is not precluded, provided that it is limited to what is strictly necessary for the purpose of fighting serious crime. Any legislation to that effect must be clear and precise and must provide sufficient guarantees as to the protection of data against misuse.
Regarding the access of competent national authorities to the retained data, the ECJ states that the legislation must be based on objective criteria in order to determine the circumstances and conditions under which access is granted. As a general rule, access can only be granted for the purpose of fighting serious crime and access to the retained data should be subject to prior review by a court or by an independent body. Finally, the data concerned should be retained within the EU and should be irreversibly destructed at the end of the retention period.