The Advocate General Saugmandsgaard Øe of the Court of Justice of the European Union has delivered an opinion whereby it suggests that national Member States may enact general obligation on ISPs to retain personal data, provided that that that obligation be circumscribed by strict safeguards and that the scope of the legislation is to fight serious crimes (not whatever). The opinion has been rendered in cases regarding the compatibility with EU law of data retention legislation in Sweden and UK (Joined Cases C-203/15 Tele2 Sverige AB v Post-och telestyrelsen and C-698/15 Secretary of State for Home Department v Tom Watson and Others).
The Advocate General’s intent seems to be a re-working of the famous decision of 2014 by which the European Court annulled the EU data retention Directive (directive 2006/24) on the grounds, inter alia, that it laid down a too general and far-reaching retention obligation contrary to human rights. Because of that decision, in Europe various national legislations on data retention have become potentially incompatibile with EU law, and in fact many of them have been revised or annulled.
With the present opinion the Advocate General seems to fix the issue that, even if the scope of a data retention legislation must be circumscribed to serious crimes, the obligation can be nevertheless drafted in a general way. Fact is, while storing and retaing personal data, ISPs cannot know – ex ante – whether such data refer to serious crimes or other less relevant criminal facts. Therefore, they can be obliged to retain all kind of data they process, however the access to them for criminal investigation shall be restriceted and subject to special guarantees.
If confirmed by the European Court, the reasoning of the present opinion can likely become the basis for a new directive on data retention.