Short Reads

General data retention obligation once again under legal crossfire

General data retention obligation once again under legal crossfire

General data retention obligation once again under legal crossfire


The difficult history behind the data retention legislation, i.e., Data Retention Directive 2006/24, at both European and national levels is quite known.

This legislation, which obliges telecom providers to store and retain traffic- and location data on electronic communications for purposes of investigating and fighting crime, was declared invalid by the Court of Justice of the European Union (“CJEU”) in 2014 (CJEU 8 April 2014, C-293/12 and C-594/12, “Digital Rights”). After that, the Constitutional Court of Belgium declared the Belgian instrument implementing that directive invalid as well (Constitutional Court 11 June 2015, 84/2015). Contrary to the EU legislature, the Belgian lawmaker took action immediately afterwards by promulgating a new law (i.e., the Act of 29 May 2016 on the collection and retention of data in the electronic communications sector, Belgian Official Journal 18 July 2017) that intends to remedy the concerns expressed by the courts. This new Act of 29 May 2016 is now under fire again as the CJEU has criticized data retention legislation once more.

What triggered this new decision by the CJEU was the prevailing uncertainty about the implications of the previous judgment on the Digital Rights case. Following that case, the Swedish telecom provider Tele2 Sverige refused to retain data according to the Swedish data retention legislation. It based its argument on the fact that the Swedish data retention legislation imposed a general data retention obligation in violation with European law as was decided by the Court. However, the Digital Rights judgment did not necessarily seem to preclude a general obligation to retain traffic- and location data on electronic communications if the data retention period, access to the data, and data security are strictly regulated. The Swedish court therefore found it necessary to ask the CJEU to express itself on the compatibility of a Member State’s general data retention obligation with EU law.

On 21 December 2016, the CJEU stated very straightforwardly that an undifferentiated retention of all traffic- and location data gathered on users of electronic communication means violates EU law. First, the Court states that the e-Privacy Directive aims to protect users of electronic communications against the increasing possibilities of automated retention and processing of data. Thus, this Directive states that retention of traffic data is only allowed for marketing and billing purposes. Exceptions to the prohibition of retention are provided, however, for the detection, investigation, and prosecution of crime, for example. However, according to the CJEU, these exceptions should not become the rule.

Traffic- and location data, when taken as a whole, allow one to draw very precise conclusions about the private lives of the data subjects (such as their everyday habits, permanent or temporary places of residence, daily or other movements, the activities they carried out, the social relationships of those persons, and their social environments). Therefore, the general retention of those data constitutes a particularly serious interference in the private lives of the user-data subjects. What is new is that the CJEU considers expressly Article 11 of the Charter of Fundamental Rights of the European Union (“EU Charter”) in this judgment as well: the retention of traffic and location data can also have an effect on the use of electronic communication means and, consequently, on the exercise of the freedom of expression by the users thereof.

The CJEU therefore held that the national legislature may only impose a strictly necessary data retention obligation for traffic- and location data. Only the fight against serious crime, such as organized crime and terrorism, could justify such obligation. The CJEU acknowledges expressly that the fight against serious crime substantially depends on the use of modern investigation techniques. However, public interest grounds cannot justify a general and undifferentiated retention of all data, according to the CJEU. The retention obligation must therefore be limited to data that have a link to serious criminality and should further be based on an objective set of criteria. The CJEU talked about a geographic area with a high risk for serious criminality as an example of limiting data retention. Furthermore, the CJEU requires that judicial oversight be given on the access to these data, the retention of these data on EU-territory, and the irreversible deletion/destruction of the data after the retention period expires. The Court did not answer the question whether Article 7 (privacy) and Article 8 (protection of personal data) of the EU Charter have therefore a wider scope of protection than Article 8 of the European Convention on Human Rights.

The strong opinion of the CJEU is remarkable, as it does not leave any margin for compensating the far-reaching interference with privacy by setting very strict safeguards. Hardly ever has the CJEU stated so straightforwardly that a certain manner of working cannot be tolerated in any way. This far-reaching decision of the CJEU constitutes a fait accompli for the Belgian legislature. Currently, Belgium still has a general data retention obligation (Article 126, §1 Electronic Communications Act). The new Belgian data retention act (i.e., Act of 29 May 2016 mentioned above) attaches strict conditions to the retention of and access to stored data and thus constitutes a very meritorious attempt to reconcile and balance all interests. However, on the basis of the CJEU decision, this seems to be insufficient. Moreover, the criteria put forward by the CJEU for differentiated data retention seem difficult to convert into workable and efficient practice guidelines.

The Court concludes that the data retention obligation is incompatible with EU law only on grounds of Article 15 of the e-Privacy Directive. In that regard, amending this Directive, which is currently ongoing (see the Proposal for a Regulation on Privacy and Electronic Communications, published on 10 January 2017), could put things in a different light. However, the CJEU reads this Article 15 in the light of the fundamental rights to privacy, protection of personal data, and freedom of expression (i.e., Articles 7, 8, and 11 of the EU Charter, respectively). It is mainly these considerations, based on the fundamental rights, that prompted the CJEU to conclude that a general data retention obligation is incompatible with EU law, thus not leaving so much room even at European level.

It now has to be awaited how data retention legislation will further develop. To be continued...  

The case (C-203/15) can be found here


Related news

13.11.2019 NL law
Een strategisch actieplan voor het gebruik van AI door de overheid

Short Reads - Een paar jaren geleden hoorde je er nog nauwelijks over, maar nu kan je er bijna niet meer om heen: kunstmatige intelligentie, ook wel artificiële intelligentie (AI) genoemd.  AI verwijst naar systemen die intelligent gedrag vertonen door hun omgeving te analyseren en – met een zekere mate van zelfstandigheid – actie ondernemen om specifieke doelen te bereiken. Denk aan zelfrijdende auto's of slimme thermostaten. 

Read more

13.11.2019 NL law
A new Act on the Supervision of Trust Offices

Articles - Roderik Vrolijk and Soeradj Ramsanjhal published an article in the Dutch Financial Law Review as a follow-up on their article two years ago in the same journal. The authors specifically shed light on the customer due diligence and open norms of the new Act on the Supervision of Trust Offices 2018, that entered into force on 1 January 2019. 

Read more

15.11.2019 NL law
Position paper on European supervisory mechanism for AML

Short Reads - On 8 November 2019, the Dutch Minister of Finance sent a joint position paper to the Dutch Parliament regarding the need for a European AML supervisor (Anti-money laundering). The paper was prepared by the Ministers of Finance of Germany, France, Italy, Spain, Latvia and the Netherlands. A short summary of the paper is set out below. For more information on the broader plans of the Dutch government to combat money laundering, we refer to our previous newsletters of 1 July 2019 and 17 October 2019.

Read more

08.11.2019 EU law
Erik Valgaeren is session chair during IBA's 6th Biennial Technology Law Conference in Berlin

Speaking slot - Stibbe's TMT partner, Erik Valgaeren, chairs a session discussing the new legal challenges, created by the most recent technological developments in the field of software, data, online services and telecom, including 5G, pricing algorithms, platforms and data monetization. This session will take place on the 8th of November 2019 in Berlin.

Read more

Our website uses functional cookies for the functioning of the website and analytic cookies that enable us to generate aggregated visitor data. We also use other cookies, such as third party tracking cookies - please indicate whether you agree to the use of these other cookies:

Privacy – en cookieverklaring