On October 6, 2020 Court of Justice of the European Union (CJEU) published several rulings on the compatibility between EU law and national legislations on data retention. The rulings are Privacy International (C-623/17) as well as joined cases La Quadrature du Net and Others (C-511/18), French Data Network and Others (C-512/18), and Ordre des barreaux francophones et germanophone and Others (C-520/18). It is possible to read the press release here.

The main take-way of the ruling is the following: despite the fact that data retention is a national prerogative, member States must comply with European rules protecting fundamental rights and, in particular, confidentiality of communications (such as the e-privacy directive of 2002). 

The European Union had tried to harmonise the data retention issue since 2006 when an ad hoc directive was adopted, namely Directive 2006/24/EC; however, that act was subsequently annulled by the European Court in 2014. Following that ruling, European members States have reacted in random order, mostly analysing their data retention legislation and trying to adapt it to the principles laid down by the CJEU. This exercise has not been always successful since various national legislation have been attacked by civil activists in front of the European court and made void, as in the present case.

Remarkably, the Italian data retention legislation, despite being one amongst the most controversial (since it mandates retention up to 6 years) is still alive and resists, no one has ever tried to attack it front of a national court with to scope to refer the case to the CJEU. 

The latest ruling of the CJEU are relevant also because the invalidation of British data retention rules creates an additional level of complexity to the current Brexit negotiations. 

Summary of the rulings

The CJEU confirms that EU law precludes national legislation requiring electronic communications operators to carry out general and indiscriminate data retention for the purpose of combating crime in general or safeguarding national security. Up to this point, this is a confirmation of the first ruling of 2014 annulling the European data retention directive. In fact, the CJEU considers that national legislation requiring providers of electronic communications services to retain traffic data and location data falls within the scope of the eprivacy directive. This means that national measures restricting the rights and obligations provided for in that directive should comply with general principles of EU law, including the principle of proportionality, and the fundamental rights guaranteed by the EU Charter of Fundamental Rights.

Interestingly, the Court extends its reasoning to hosting service providers within the meaning of Article 14 of the E-Commerce Directive (Directive 2000/31/EC), as it interprets Article 23(1) of the General Data Protection Regulation (Regulation 2016/679) as precluding national legislation requiring providers of access to online public communication services and hosting service providers.

However, in the present ruling the CJEU found that, if a Member State faces a “serious threat to national security”, genuine and present or foreseeable, it may order data retention measures, if they are limited in time to what is strictly necessary. Member States can also provide for targeted data retention in the context of combating serious crime and preventing serious threats to public security, if they ensure effective safeguards and the measures are reviewed by a court or by an independent administrative authority. It follows from the foregoing that, in the absence of a valid national security threat, the mass and indiscriminate surveillance of communications networks is subject to EU law but does not qualify for the national security exemption as outlined in Article 15(1) of the ePrivacy directive.

Similarly, Member States can engage in data retention of IP addresses assigned to the source of a communication if the retention is limited to what is strictly necessary. In the case of data retention relating to the civil identity of users of electronic communication services, the retention is not subject to a specific time limit.

As regards retention of IP addresses assigned to the source of a communication, this  is allowed provided that the retention period is limited to what is strictly necessary.

Moreover, national legislation on real-time collection of traffic data and location data is permitted, at the condition that it is limited to persons in respect of whom there is a valid reason to suspect that they are involved in one way or another in terrorist activities and is subject to a prior review carried out either by a court or by an independent administrative body whose decision is binding.