EU: Retention of traffic data and location data – recent developments
The Court of Justice of the European Union ('CJEU') has recently ruled, in Case C-623/17 Privacy International v Secretary of State for Foreign and Commonwealth Affairs and Others and in the Joined Cases C-511/18, La Quadrature du Net and Others, C-512/18, French Data Network and Others, and C-520/18, Ordre des barreaux francophones et germanophone and Others, that it is necessary for EU Member States to limit the surveillance of telecommunication and internet data, including location data. The judgments specifically referred to legislation in force in Belgium, France, and the United Kingdom, but are also crucial for other EU Member States. Following the CJEU judgment, relevant documents for bulk surveillance were also made available and adopted by the European Data Protection Board ('EDPB'): namely Recommendations 02/2020 on the European Essential Guarantees for Surveillance Measures ('the EEG Recommendations'), adopted on 10 November 2020, and Guidelines 10/2020 on Restrictions under Article 23 of GDPR ('the DSR Restriction Guidelines'), published on 15 December 2020 and currently under public consultation. Robert Brodzik, Associate at KLM Law, examines the impact of the CJEU judgments and the direction set by EDPB for EU Member States, taking into account applicability of the judgments to the regulatory framework in force in Poland.
The ePrivacy Directive shall apply to national regulations
In two judgments issued on 6 October 2020 in Privacy International and in the Joined Cases La Quadrature du Net and Others, French Data Network and Others, and Ordre des barreaux francophones et germanophone and Others, the Grand Chamber of the CJEU ruled that Directive 2002/58/EC on Privacy and Electronic Communications ('the ePrivacy Directive') applies to national regulations requiring providers of electronic communications services to process personal data, such as transmission to public authorities or data retention, for the purposes of protecting national security and combating crime. This confirms the position of the CJEU in its judgment in Joined Cases C-203/15 and C-698/15 Tele2 Sverige AB v Post and Secretary of State for the Home Department v Tom Watson, Peter Brice, Geoffrey Lewis on the disproportionate nature of general and indiscriminate retention and transmission of traffic and location data. The CJEU has clarified the scope of the powers that the ePrivacy Directive grants to Member States to retain such data for the aforementioned purposes. In opposition to this view, a number of EU Member States have argued, in particular, that the ePrivacy Directive does not apply to EU Member States' national regulations in the main proceedings, since the purpose of these regulations is to protect national security, which is their sole competence, as reflected in particular in the third sentence of Article 4(2) of the Treaty on European Union. However, the CJEU has indicated that national regulations imposing an obligation on providers of electronic communications services to retain traffic and location data fall within the scope of the ePrivacy Directive – in particular following an interpretation of Article 1(3) and Article 15 of the ePrivacy Directive.
Restriction of privacy in electronic communications is an exception rather than the rule
In accordance with the ePrivacy Directive, EU Member States may introduce restrictions on rights and obligations, including on the confidentiality of communications, traffic data relating to subscribers and users and their identification, as well as location data, only if such restrictions meet a number of criteria. In particular, these restrictions must be a necessary, appropriate, and proportionate measure within a democratic society to safeguard national security (i.e. state security), defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or unauthorised use of the electronic communication system. In addition, the CJEU has indicated to what extent the ePrivacy Directive does not apply to activities such as the external activities of the EU, including foreign policy, or to activities concerning public security, defence, state security and criminal law.
The CJEU pointed out that the ePrivacy Directive does not allow restrictions on the rights and obligations relating to the privacy of electronic communications to be the rule; at the same time, the CJEU recalled the essential obligation under the ePrivacy Directive to ensure the confidentiality of electronic communications and related data. When introducing restrictions, Member States are obliged to respect the general principles of Union law, including proportionality, and the fundamental rights guaranteed by the Charter of Fundamental Rights of the European Union.
In this context, the CJEU has stated, in its judgments, that:
- the ePrivacy Directive, in conjunction with the Charter of Fundamental Rights of the European Union, does not allow national regulation imposing obligations on providers of electronic communications services to transmit traffic and location data to intelligence and security services in a general and indiscriminate manner, even for the purposes of protecting national security;
- the ePrivacy Directive makes it generally impossible to impose obligations on providers of electronic communications services to carry out general and indiscriminate retention of traffic and location data;
- the national obligations to transmit and to retain bulk data in a general and indiscriminate manner constitute a particularly serious interference with the fundamental rights guaranteed by the Charter of Fundamental Rights of the European Union, in view of the absence of any link between the behaviour of the data subjects and the purpose of the obligations;
- the interpretation of Article 23(1) of the GDPR in the light of the Charter of Fundamental Rights of the European Union indicates that it is not permitted to impose on providers of access to publicly available electronic communications services and hosting providers an obligation to retain, inter alia, personal data relating to those services in a general and indiscriminate manner;
- if a Member State encounters a serious threat to national security that proves to be real and present or foreseeable, the ePrivacy Directive allows electronic communications service providers to be required to retain traffic and location data in a general and indiscriminate manner;
- the obligation on providers of electronic communications services should be limited in time, limited to what is strictly necessary, and should be subject to effective control by a court or independent administrative authority;
- targeted retention of traffic and location data for a limited period of time, limited to what is strictly necessary, is permissible on the basis of objective and non-discriminatory grounds depending on the categories of data subjects or on a geographical criterion;
- the ePrivacy Directive does not prevent the rapid retention of data available to electronic communications service providers where there are circumstances in which it is necessary to retain this data outside the statutory retention periods for the purpose of investigating serious crimes or breaches of national security, where these crimes or breaches have already been identified or their existence can be reasonably foreseen.
In addition to the fact that the CJEU has ruled out unlimited surveillance at all times, the main focus of the judgments is the possibility to invoke exceptions to the principle of guaranteeing the privacy of personal data, as well as to the corresponding obligations listed in particular in Articles 6 and 9 of the ePrivacy Directive (traffic data, location data). The CJEU clearly indicates – as in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('Schrems II') – that the rights to privacy and the protection of personal data are not absolute prerogatives, but must be considered in the light of their social function (Para. 172 of the Schrems II judgment).
Any limitation of these rights must respect their essence, the principle of proportionality, and must be in line with the general interest. At the same time, such limitations must indicate the conditions for the restriction of these rights, for example, the temporal or material scope – in particular, clear and precise rules governing the scope and application of the measure concerned and setting minimum requirements to ensure that the persons whose personal data is affected have sufficient guarantees to protect them effectively against the risk of abuse. The CJEU has assessed that a situation where general and indiscriminate data relating to virtually all users of electronic communications services is obtained for the purpose of safeguarding national security does not meet the criterion of proportionality and the relationship between the data concerned and the objective pursued has not been sufficiently demonstrated ("even an indirect or remote one") (Paragraph 80 of Privacy International).
EDPB guidelines and recommendations – follow-up to CJEU judgments
The EEG Recommendations and the DSR Restriction Guidelines are in line with the CJEU and ECtHR judgments concerned.
The European Essential Guarantees were originally drafted in response to the Schrems I judgment. The recently revised EEG Recommendations refer to the latest CJEU case law on privacy principles – the Schrems II and Privacy International cases. On this basis, the EDPB defines four guarantees for privacy and data protection:
- Processing should be based on clear, precise and accessible rules (e.g. a clarified legal basis for such processing, which should at least include a definition of the categories of data subjects that might be subject to surveillance; the interference should also be foreseeable as to its effect);
- Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated (e.g. serious threat to national security that is shown to be genuine and present or foreseeable);
- An independent oversight mechanism should exist (e.g. independent oversight system through judicial prior authorisation); and
- Effective remedies need to be available to the individual (e.g. once the surveillance is over, the data subject should be notified in order to have the possibility to bring legal action before an independent and impartial court).
Although the EEG Recommendations refer mainly to third countries, they have been drawn up on the basis of case law relating to Member States and can independently serve as a reference point, as the purpose of the EEG Recommendations is to establish a single privacy and data protection standard.
National law of the EU member states may not arbitrarily restrict privacy
In addition, the DSR Restriction Guidelines, which set out the rules for the application of Article 23 of the GDPR, are in line with the judgments and recommendations, as well as the timing of their issuance. Article 23 of the GDPR sets out the principles and conditions which allow Member States to limit the obligations of controllers and processors with regard to the obligations relating to the exercise of the rights of data subjects set out in Articles 12 to 22 and Article 34 of the GDPR, as well as the corresponding Article 5, including the provision of information on the principles of personal data processing. As the guidelines indicate, '[r]estrictions should be seen as exceptions to the general rule of allowing the exercise of rights and observing the obligations enshrined in the GDPR', and therefore restrictions should be interpreted narrowly.
In light of the surveillance activities carried out by Member States and the CJEU judgments referred to, it is important to assess their invocation of restrictions on the rights of data subjects in connection with national security, defence, and public security or prevention, investigation, detection, and prosecution of criminal offences or the execution of criminal penalties including the safeguarding against and the prevention of threats to public security. As the DSR Restriction Guidelines indicate, this could be, for example, protection of human life in response to natural or manmade disasters. In the case of ongoing criminal proceedings, for example, it may be justified in some cases to omit informing a suspect about the processing of their data, involving the acquisition of communication or location data. On the other hand, this information should be given to the data subject after the restriction has been applied.
Regulations in Poland in the light of recent judgments
The CJEU judgments referred to are directly applicable to the legislation of Belgium, France, and the United Kingdom; however, they must be applied consistently and comprehensively to the legislation of all Member States. The regulations on the collection of bulk data from telecommunications networks are quite similar in Poland.
Pursuant to Article 180a(1)(a) of the Polish Telecommunications Law of 16 July 2004 ('the Telecommunications Law'), the operator of a public telecommunications network and the provider of publicly available telecommunications services is obliged to retain and store at their own expense data generated in the network or processed by them on the territory of Poland for a period of 12 months, and on the expiry of that period to erase such data (except for that which has been secured, in accordance with separate regulations, e.g. in connection with criminal proceedings conducted by law enforcement agencies, courts or the public prosecutor's office). This obligation covers data necessary, inter alia, for:
- identifying the user initiating the communication;
- identifying the user to whom the communication is directed;
- determining the date and time of the call and its duration;
- determining the type of connection; and
- determining the location of the telecommunication terminal equipment.
The Telecommunications Law further provides that the telecommunications operator shall protect telecommunications data against accidental or unlawful destruction, loss or alteration, unauthorised or unlawful storage, processing, access or disclosure. In addition, it must apply appropriate technical and organisational measures and provide data access only to duly authorised personnel.
With regard to criminal proceedings, the CJEU recalled that the admissibility and assessment of evidence obtained as a result of data retention in the framework of criminal proceedings brought against persons suspected of committing serious crimes, contrary to EU law, is governed exclusively by national law. However, the CJEU pointed out that the ePrivacy Directive, interpreted in the light of the principle of effectiveness, requires that, in the context of criminal proceedings brought against persons suspected of having committed a criminal offence, a national criminal court should disregard evidence obtained through the general and indiscriminate retention of traffic and location data contrary to EU law where those persons are unable to respond effectively to that evidence.
In this context, it should be noted that pursuant to Article 168a of the Polish Code of Criminal Procedure of 6 June 1997, evidence in criminal proceedings cannot be considered inadmissible solely on the basis of the fact that it was obtained in violation of the provisions of the proceedings or by means of a prohibited act, unless the evidence was obtained in connection with the performance of official duties by a public officer as a result of murder, intentional damage to health or imprisonment.
Given that these provisions of the Polish Code of Criminal Procedure allow for the admissibility of data gathered on the basis of indiscriminate retention, the regulations in force in Poland may, with a high degree of probability, be considered to be contrary to EU law. In particular, in light of the requirements outlined by the EDPB and the CJEU jurisprudence, the regulations in force in Poland may not meet the requirements, inter alia, with respect to the definition of categories of data subjects, as well as the requirements applicable to an independent oversight system through judicial prior authorisation, as such prior authorisation does not function in legal practice. These issues have been the subject of interest of the Polish Ombudsman, who pointed out serious doubts as to the principles of surveillance of individuals by intelligence agencies in Poland.
Recent CJEU judgments, the opinions of administrative bodies, as well as NGOs, point to the need to introduce legislative restrictions on the application of mass surveillance of citizens by Member States and, to some extent, by third countries. Although the application of mass surveillance tools is justified from the point of view of national and public security, as well as defence, its scope should change in terms of the scale of operation and the fulfilment of the relevant conditions, corresponding to human rights and freedoms in a democratic state under the rule of law.
Robert Brodzik Associate
Kobylańska Lewoszewski Mednis