The Court of Justice of the European Union (“CJEU”) issued, on December 21, 2016, its ruling in the joined cases, Tele2 Sverige AB v. Post-och telestyrelsen (C-203/15), and Secretary of State for Home Department v. Tom Watson and Others (C-698/15), concerning the interpretation of EU’s Article 15(1) of the ePrivacy Directive (2002/58/EC). Article 15(1) enables EU Member States to adopt measures that restrict privacy rights granted to users of Electronic Communication Services (“ECSs”) when they are “necessary, appropriate and proportionate… to safeguard national security”. Examples of ECSs include private and public companies in Internet, telecommunication, satellite and cable businesses.
In its ruling, the CJEU held that the retention of data for the purposes of fighting crime in the UK and Sweden was incompatible with EU law. The CJEU took particular issue with the “general and indiscriminate” way in which the UK and Sweden were enforcing data retention provisions. According to the CJEU, data retention must be targeted and strictly proportionate to its purpose for a limited duration and justified by one of the specific purposes listed in the judgment (below).
The CJEU highlighted that “only the objective of fighting serious crime is capable of justifying such a measure … in particular organized crime and terrorism ….” and that there must be a “relationship between the data and the threat to public safety…. a connection between the threat and the data to be retained.” The CJEU then went on to provide an exhaustive list of example of when such justifications were available including to “safeguard national security (i.e. State security), defence, public security, and [for] the prevention, investigation, detection and prosecution of criminal offences or of unauthorized use of the electronic communication system.” The CJEU further stated that national legislation must lay down objective criteria when data is retained and when public authorities may access that data.
The ruling went on to emphasize that data retention interferes with right of free expression, and the validity of any data retention scheme will need to be assessed in light of its impact on free expression. Except in true emergencies, access must require ex ante approval by a court or similar body. The CJEU emphasized that the only true exceptions to this would be threats to national security most commonly in the form of terrorist activities.
Finally the CJEU stated individuals affected must be notified as soon as this would no longer jeopardize the investigation and that data must be retained in the EU and destroyed at the end of the retention period.
From a UK perspective, the CJEU decision is particularly relevant in light of the UK’s Investigatory Powers Act 2016 (“IPA”) receiving royal assent in November 2016. Referred to by privacy advocates as the “Snooper’s Charter” the IPA places particular data retention obligations upon ECSs for the assistance of criminal investigations. This will likely be subject to review in the UK Parliament prior to the IPA entering into force in early 2017. There will be particular debate over the boundaries between targeted and general data retention and what objective tests will be provided for in the legislation.
An analysis of the data retention laws was carried out by the Sidley Austin LLP data privacy team in January 2016, with its report “Essentially Equivalent”, which compared the legal orders for privacy and data protection in the EU and the U.S. In particular, the report explored the use of indiscriminate data collection on the grounds of combating crime and its interaction with the Maximillian Schrems v. Data Protection Commissioner (C-362/14) and Digital Rights Ireland (C-293/12) decisions respectively. Click here to see the report.