Various Member States, Italy in primis, will have to revise their legislation about conditions and duration of obligations upon ISPs and telecoms to keep record of Internet traffic and telephony conversations. The telecom industry will seek opportunities to diminish such obligations, which normally require huge capex investments in data retention equipments and exhausting communications with public prosecutors. Finally, civil rights organizations will attack in courts existing data retention legislations on the assumption that they are in contrast with the European jurisprudence. All this will happen in a scenario where national governments tend, in contrast with the above, to reinforce internal surveillance for antiterrorism- reasons, rather than relaxing the public security regime.
The above are the main effects of today’s CJEU ruling on a joint-case concerning the legitimacy of data retention laws in EU Member States.
This court decision follows the previous 2014 ruling about the annulment of the European Data Retention Directive. In that case, the CJEU just pointed out the relation between fundamental rights, data protection and retention of personal data by ISP and telecom operators, with the final result that the directive was annulled. The same principles are now applied directly in the context of national legislations on data retention, without major changes.
To tell the true, following the 2014 ruling most of European countries started a review of respective legislations in the matter of data retention, however with the prevailing result to keep alive the existing legislations (save for some minor adaptations). In some countries, however, the local constitutional courts rendered rulings annulling their data retention legislation. Few countries remained completely inactive, amongst them Italy. Today’s ruling will make even more difficult this wait and see strategy.
The main conclusions of todays’ ruling are:
· Member States may not impose a general obligation to retain data on providers of electronic communication services
· Data retention is admissible under EU law only in instances where it is targeted, limited to what is strictly necessary, and subject to conditions (e.g. prior review by an independent authority, localization of data, etc).
The reasoning of the CJEU is streamlined hereinbelow:
· EU law precludes national legislation prescribing general and indiscriminate retention of data.
· Data retention constitute a serious interference with citizens fundamental rights and as such can only be utilised in the fight against serious crime.
· Legislation prescribing a general and indiscriminate retention of data does not require there to be any relationship between the data which must be retained and a threat to public security.
· Such national legislation therefore exceeds the limits of what is strictly necessary and cannot be considered to be justified within a democratic society, as required by the directive, read in the light of the Charter.
· The EU acquis does not however preclude national data retention laws, provided that the retention of data is: (i) Limited to what is strictly necessary (in terms of categories of data retained, persons targeted, retention period, etc); (ii) Defined in clear and precise national legislation; (iii) Constrained by meaningful procedural safeguards; (iv) Based on objective evidence.
· Concerning access to data, Member States must introduce objective criteria in order to define the circumstances and conditions under which the competent national authorities are to be granted access to the data.
· It is essential that access to retained data should, except in cases of urgency, be subject to prior review carried out by a court or an independent authority.
· National data retention legislation must make provision for that data to be retained within the EU owing to its sensitivity.