EU: CJEU confirms unlawfulness of indiscriminate access and retention of traffic and location data
The Court of Justice of the European Union ('CJEU') issued, on 6 October 2020, its judgments in Case C-623/17, Privacy International, and in Joined Cases C-511/18, La Quadrature du Net and Others, C-512/18, French Data Network and Others, and C-520/18, Ordre des barreaux francophones et germanophone and Others. In particular, the CJEU found that EU law precludes national legislation requiring a provider of electronic communications services to carry out the general and indiscriminate transmission or retention of traffic and location data for the purpose of combating crime in general or safeguarding national security.
However, the CJEU held that in situations where the Member State concerned is facing a serious threat to national security that proves to be genuine and present or foreseeable, the Directive on Privacy and Electronic Communications (2002/58/EC) (as amended) ('the ePrivacy Directive'), which the CJEU found applicable to national legislation requiring providers of electronic communications services to carry out personal data processing operations for the purposes of safeguarding national security and combating crime, does not preclude recourse to an order requiring providers of electronic communications services to retain, generally and indiscriminately, traffic data and location data. In this regard, the judgment specifies that the decision imposing such an order, for a period that is limited in time to what is strictly necessary, must be subject to effective review either by a court or by an independent administrative body whose decision is binding, in order to verify that one of those situations exists and that the conditions and safeguards laid down are observed.
In addition, the CJEU stated that the ePrivacy Directive does not preclude legislative measures that allow recourse to the targeted retention, limited in time to what is strictly necessary, of traffic and location data, which is limited, on the basis of objective and non-discriminatory factors, according to the categories of persons concerned or using a geographical criterion. The judgment also provided that the ePrivacy Directive does not preclude a legislative measure that allows recourse to the expedited retention of data available to service providers, where situations arise in which it becomes necessary to retain that data beyond statutory data retention periods in order to shed light on serious criminal offences or attacks on national security, where such offences or attacks have already been established, or where their existence may reasonably be suspected.
Lastly, the CJEU outlined that the ePrivacy Directive does not preclude national legislation which requires providers of electronic communications services to have recourse to the real-time collection, inter alia, of traffic data and location data, where that collection is limited to persons in respect of whom there is a valid reason to suspect that they are involved in terrorist activities and is subject to a prior review carried out either by a court or by an independent administrative body whose decision is binding, to ensure that such real-time collection is authorised only within the limits of what is strictly necessary.