On October 6, 2020, the Grand Chamber of the Court of Justice of the European Union (CJEU) delivered two new judgments [1] on the processing of personal data in the field of electronic communications. In this respect, the CJEU clarified that national provisions requiring providers of electronic communications services (ECS) to carry out the general and indiscriminate transmission or retention of traffic and location data to safeguard national security are incompatible with Directive 2002/58/EC [2] (commonly known as the ePrivacy Directive).
The Facts
The requests for a preliminary ruling were made in proceedings involving the “Investigatory Powers Tribunal” (United Kingdom), the “Conseil d’État” (Council of State, France), and the “Cour constitutionnelle” (Constitutional Court, Belgium) concerning the lawfulness of national legislations laying down an obligation for ECS providers to (i) forward users’ traffic data and location data to a public authority or (ii) retain such data in a general or indiscriminate way.
Specifically, over the years some Member States had enacted national laws requiring ECS providers to perform certain processing operations on traffic/location data for national security purposes. For instance, UK legislation required the general and indiscriminate transmission of bulk communication data to local security and intelligence agencies. French law instead required ECS providers to implement automated data processing practices to detect links that might constitute a terrorist threat.
Member States argued that the ePrivacy Directive did not apply to legislation safeguarding national security, which should be the sole responsibility of Member States under Article 4(2) TEU. [3] However, the CJEU rejected this view and found that these measures entailed disproportionate interference with users’ right to privacy and confidentiality.
Reasoning of the Court
Preliminarily, the CJEU affirmed that national legislations on processing of traffic and location data for national security purposes fall under the scope of the ePrivacy Directive. Indeed, the mere introduction of a national measure to protect national security cannot render an EU law inapplicable. The CJEU observed that it is the same ePrivacy Directive that — by allowing Member States to introduce restrictions in the areas of criminal law, defense, and public and national security under Article 15(1) — implies that processing data for these purposes falls under its scope.
Limitations to the confidentiality of correspondence granted under the ePrivacy Directive must not become the rule. Accordingly, in the Privacy International case, the CJEU confirmed that Member States cannot require ECS providers to carry out general and indiscriminate transmission of traffic data and location data to security and intelligence agencies for the purpose of safeguarding national security. Similarly, in Joined Cases La Quadrature du Net and Others and Ordre des barreaux francophones et germanophone and Others, the CJEU found that national measures requiring ECS providers to retain traffic data and location data as a preventive measure were incompatible with EU legislation. In fact, these obligations amount to particularly serious interference with the fundamental rights guaranteed, especially considering that there is no link between the conduct of the individuals whose data is affected and the objective pursued by the legislation at issue.
In accordance with Article 15 of the ePrivacy Directive, as interpreted in light of the principles enshrined by the Charter of Fundamental Rights of the European Union, any legislative measure limiting the right of confidentiality must be necessary, proportionate, and appropriate to pursuing the purpose of safeguarding national security. This means, from the CJEU perspective, that the adopted measures must (a) apply only insofar as is strictly necessary, meaning that the objective of general interest cannot be pursued otherwise; and (b) lay out clear and precise rules governing the scope and application of the measure, as well as sufficient guarantees that the data will be protected against any risk of abuse. This is especially important considering the sensitivity of the information that can be gained through analysis of traffic and location data, which may lead individuals to feel their private lives are constantly surveilled.
Examples of measures that comply with these criteria are (a) the obligation to retain personal data for a limited period; (b) targeted retention of traffic and location data limited to the categories of individuals concerned or using a geographical criterion; (c) retention measures beyond statutory data retention periods to shed light on serious criminal offenses or attacks on national security; (d) real-time collection of data on individuals suspected — on the basis of valid reasons — to be involved in terrorist activities and subject to a review of a court or an independent administrative body.
Final Considerations
This is not the first time that the CJEU has addressed the issue of traffic and location data retention for national security purposes. The cited decisions basically confirm the principles laid down in the Tele2 Sverige and Watson and Others cases, [4] in which the CJEU was required to interpret the scope of Article 15(1) of the ePrivacy Directive. Even before that, the CJEU had already taken a position on the issue by declaring Directive 2006/24/EC [5] invalid, arguing that interference with the rights to respect for private life and the protection of personal data had not been limited to the strictly necessary.
In this context, the framework designed by the Italian legislation appears to be inconsistent with the line drawn by the CJEU. Indeed, currently in Italy ECS providers must retain traffic data for 72 months (i.e., six years) for the purposes of preventing or investigating certain crimes (such as crimes committed or attempted for the purpose of terrorism, murder, and so on). This retention period was introduced by Law No. 167/2017, which significantly extended the retention periods provided by default under the Italian Data Protection Code (namely, 24 and 12 months, respectively, for phone and telematic traffic data).
Despite the fact that the provision was harshly criticized by the Italian Data Protection Authority on more than an occasion, it was not changed, nor was a time limit for its applicability established. There are many points of inconsistency with CJEU case law, including the fact that this provision applies to users in general, absent any suspicion that a crime was committed. In this context, unless the Italian Parliament introduces an amendment, it seems highly likely that the CJEU will intervene on this point in the near future.
The cited decisions issued by the CJEU are available here and here.
[1] Privacy International, C-623/17; La Quadrature du Net and Others, Joined Cases C-511/18 and C-512/18; Ordre des barreaux francophones et germanophone and Others, C-520/18.
[2] Directive 2002/58/EC of the European Parliament and of the Council of July 12, 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).
[3] According to Article 4(2) TEU, “The Union […] shall respect their essential State functions, including ensuring the territorial integrity of the State, maintaining law and order and safeguarding national security. In particular, national security remains the sole responsibility of each Member State.”
[4] C-203/15 and C-698/15.
[5] Directive 2006/24/EC of the European Parliament and of the Council of March 15, 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC.
