Jan 122017

CJEU issues ruling on retention of data by Electronic Communication Services

William RM Long and Francesca Blythe
, , , ,

The Court of Justice of the European Union (“CJEU”) issued, on December 21, 2016, its ruling in the joined cases, Tele2 Sverige AB v. Post-och telestyrelsen (C-203/15), and Secretary of State for Home Department v. Tom Watson and Others (C-698/15), concerning the interpretation of EU’s Article 15(1) of the ePrivacy Directive (2002/58/EC). Article 15(1) enables EU Member States to adopt measures that restrict privacy rights granted to users of Electronic Communication Services (“ECSs”) when they are “necessary, appropriate and proportionate… to safeguard national security”. Examples of ECSs include private and public companies in Internet, telecommunication, satellite and cable businesses.

In its ruling, the CJEU held that the retention of data for the purposes of fighting crime in the UK and Sweden was incompatible with EU law. The CJEU took particular issue with the “general and indiscriminate” way in which the UK and Sweden were enforcing data retention provisions. According to the CJEU, data retention must be targeted and strictly proportionate to its purpose for a limited duration and justified by one of the specific purposes listed in the judgment (below).

The CJEU highlighted that “only the objective of fighting serious crime is capable of justifying such a measure … in particular organized crime and terrorism ….” and that there must be a “relationship between the data and the threat to public safety…. a connection between the threat and the data to be retained.” The CJEU then went on to provide an exhaustive list of example of when such justifications were available including to “safeguard national security (i.e. State security), defence, public security, and [for] the prevention, investigation, detection and prosecution of criminal offences or of unauthorized use of the electronic communication system.” The CJEU further stated that national legislation must lay down objective criteria when data is retained and when public authorities may access that data.

The ruling went on to emphasize that data retention interferes with right of free expression, and the validity of any data retention scheme will need to be assessed in light of its impact on free expression. Except in true emergencies, access must require ex ante approval by a court or similar body. The CJEU emphasized that the only true exceptions to this would be threats to national security most commonly in the form of terrorist activities.

Finally the CJEU stated individuals affected must be notified as soon as this would no longer jeopardize the investigation and that data must be retained in the EU and destroyed at the end of the retention period.

From a UK perspective, the CJEU decision is particularly relevant in light of the UK’s Investigatory Powers Act 2016 (“IPA”) receiving royal assent in November 2016. Referred to by privacy advocates as the “Snooper’s Charter” the IPA places particular data retention obligations upon ECSs for the assistance of criminal investigations. This will likely be subject to review in the UK Parliament prior to the IPA entering into force in early 2017. There will be particular debate over the boundaries between targeted and general data retention and what objective tests will be provided for in the legislation.

An analysis of the data retention laws was carried out by the Sidley Austin LLP data privacy team in January 2016, with its report “Essentially Equivalent”, which compared the legal orders for privacy and data protection in the EU and the U.S. In particular, the report explored the use of indiscriminate data collection on the grounds of combating crime and its interaction with the Maximillian Schrems v. Data Protection Commissioner (C-362/14) and Digital Rights Ireland (C-293/12) decisions respectively. Click here to see the report.

William RM Long

London

wlong@sidley.com

Francesca Blythe

London

fblythe@sidley.com

You might also like
UK GDPR Reform Is Back! Department of Science, Innovation and Technology Introduces New Data Protection and Digital Information Bill

On 8 March 2023, the newly created Department of Science, Innovation and Technology (“DSIT”) introduced the Data Protection and Digital Information (No. 2) Bill. The “Bill” is in substance a re-introduction of the previous Data Protection and Digital Information Bill which was withdrawn from Parliament on the same day as the new Bill was published. The Bill, which has been hailed by the UK Government as one that will “save billions” and “cut down pointless paperwork” is the UK’s latest attempt to create a more streamlined piece of data protection legislation for the UK whilst still “ensur[ing] data adequacy.” The Information Commissioner’s Office (“ICO”) also welcomed the re-introduction of the Bill, with the Commissioner stating that he would “support [the Bill’s] ambition.” While much of the Bill remains the same as its previous iteration, we set out the key provisions and notable amendments below.

Biden Administration Announces National Cybersecurity Strategy

On March 1, 2023, the Biden administration announced its long-awaited National Cybersecurity Strategy. The strategy is part of the administration’s efforts to bolster and modernize public and private responses to cybersecurity threats.

UK’s New Pro-innovation Approach to Regulating Digital Technologies

On 15 March 2023, the UK Government published, alongside its Spring Budget, a report on the Pro-innovation Regulation of Technologies Review (the “Report”). The Report was led by the government’s Chief Scientific Advisor and National Technology Officer, Sir Patrick Vallance, who was tasked with “bringing together the best minds to advise how the UK can better regulate emerging technologies, enabling their rapid and safe introduction.” In response, the UK Government has accepted all of the Report’s recommendations, and set out some next steps for their implementation.