Short Reads

General data retention obligation once again under legal crossfire

General data retention obligation once again under legal crossfire

General data retention obligation once again under legal crossfire


The difficult history behind the data retention legislation, i.e., Data Retention Directive 2006/24, at both European and national levels is quite known.

This legislation, which obliges telecom providers to store and retain traffic- and location data on electronic communications for purposes of investigating and fighting crime, was declared invalid by the Court of Justice of the European Union (“CJEU”) in 2014 (CJEU 8 April 2014, C-293/12 and C-594/12, “Digital Rights”). After that, the Constitutional Court of Belgium declared the Belgian instrument implementing that directive invalid as well (Constitutional Court 11 June 2015, 84/2015). Contrary to the EU legislature, the Belgian lawmaker took action immediately afterwards by promulgating a new law (i.e., the Act of 29 May 2016 on the collection and retention of data in the electronic communications sector, Belgian Official Journal 18 July 2017) that intends to remedy the concerns expressed by the courts. This new Act of 29 May 2016 is now under fire again as the CJEU has criticized data retention legislation once more.

What triggered this new decision by the CJEU was the prevailing uncertainty about the implications of the previous judgment on the Digital Rights case. Following that case, the Swedish telecom provider Tele2 Sverige refused to retain data according to the Swedish data retention legislation. It based its argument on the fact that the Swedish data retention legislation imposed a general data retention obligation in violation with European law as was decided by the Court. However, the Digital Rights judgment did not necessarily seem to preclude a general obligation to retain traffic- and location data on electronic communications if the data retention period, access to the data, and data security are strictly regulated. The Swedish court therefore found it necessary to ask the CJEU to express itself on the compatibility of a Member State’s general data retention obligation with EU law.

On 21 December 2016, the CJEU stated very straightforwardly that an undifferentiated retention of all traffic- and location data gathered on users of electronic communication means violates EU law. First, the Court states that the e-Privacy Directive aims to protect users of electronic communications against the increasing possibilities of automated retention and processing of data. Thus, this Directive states that retention of traffic data is only allowed for marketing and billing purposes. Exceptions to the prohibition of retention are provided, however, for the detection, investigation, and prosecution of crime, for example. However, according to the CJEU, these exceptions should not become the rule.

Traffic- and location data, when taken as a whole, allow one to draw very precise conclusions about the private lives of the data subjects (such as their everyday habits, permanent or temporary places of residence, daily or other movements, the activities they carried out, the social relationships of those persons, and their social environments). Therefore, the general retention of those data constitutes a particularly serious interference in the private lives of the user-data subjects. What is new is that the CJEU considers expressly Article 11 of the Charter of Fundamental Rights of the European Union (“EU Charter”) in this judgment as well: the retention of traffic and location data can also have an effect on the use of electronic communication means and, consequently, on the exercise of the freedom of expression by the users thereof.

The CJEU therefore held that the national legislature may only impose a strictly necessary data retention obligation for traffic- and location data. Only the fight against serious crime, such as organized crime and terrorism, could justify such obligation. The CJEU acknowledges expressly that the fight against serious crime substantially depends on the use of modern investigation techniques. However, public interest grounds cannot justify a general and undifferentiated retention of all data, according to the CJEU. The retention obligation must therefore be limited to data that have a link to serious criminality and should further be based on an objective set of criteria. The CJEU talked about a geographic area with a high risk for serious criminality as an example of limiting data retention. Furthermore, the CJEU requires that judicial oversight be given on the access to these data, the retention of these data on EU-territory, and the irreversible deletion/destruction of the data after the retention period expires. The Court did not answer the question whether Article 7 (privacy) and Article 8 (protection of personal data) of the EU Charter have therefore a wider scope of protection than Article 8 of the European Convention on Human Rights.

The strong opinion of the CJEU is remarkable, as it does not leave any margin for compensating the far-reaching interference with privacy by setting very strict safeguards. Hardly ever has the CJEU stated so straightforwardly that a certain manner of working cannot be tolerated in any way. This far-reaching decision of the CJEU constitutes a fait accompli for the Belgian legislature. Currently, Belgium still has a general data retention obligation (Article 126, §1 Electronic Communications Act). The new Belgian data retention act (i.e., Act of 29 May 2016 mentioned above) attaches strict conditions to the retention of and access to stored data and thus constitutes a very meritorious attempt to reconcile and balance all interests. However, on the basis of the CJEU decision, this seems to be insufficient. Moreover, the criteria put forward by the CJEU for differentiated data retention seem difficult to convert into workable and efficient practice guidelines.

The Court concludes that the data retention obligation is incompatible with EU law only on grounds of Article 15 of the e-Privacy Directive. In that regard, amending this Directive, which is currently ongoing (see the Proposal for a Regulation on Privacy and Electronic Communications, published on 10 January 2017), could put things in a different light. However, the CJEU reads this Article 15 in the light of the fundamental rights to privacy, protection of personal data, and freedom of expression (i.e., Articles 7, 8, and 11 of the EU Charter, respectively). It is mainly these considerations, based on the fundamental rights, that prompted the CJEU to conclude that a general data retention obligation is incompatible with EU law, thus not leaving so much room even at European level.

It now has to be awaited how data retention legislation will further develop. To be continued...  

The case (C-203/15) can be found here


Related news

11.10.2018 NL law
Stibbe hosts NGB Extra Seminar about product development and counsel’s role at the interface of new technology and law

Seminar - On 11 October 2018, Stibbe will host the NGB (Dutch Association of Corporate Lawyers) Extra Seminar.  IT/IP lawyers Judica Krikke, Jasper Klopper, Marc Spuijbroek and Frederiek Fernhout will discuss the practical aspects of the development of innovative new products. 

Read more

07.08.2018 NL law
General Data Protection Regulation comes into effect

Short Reads - On 25 May 2018, the European Union's General Data Protection Regulation (GDPR) came into effect. The GDPR replaces the EU's prior directive governing the processing and transfer of personal data, which was in place since 1995. As a regulation, the GDPR is directly applicable in all 28 EU member states and thus removes the need for national implementing legislation. However, the GDPR allows member states discretion in certain areas, as a result of which national legislation may still be implemented. In the Netherlands, the GDPR Implementation Act came into effect on 25 May 2018.

Read more

27.08.2018 BE law
Actualia: Het BIM-referentieprotocol: eerste stap in de (o.m. juridische) omkadering van BIM in België

Articles - “BIM” is niet louter het werken in 3D. BIM is een manier van samenwerken in de bouwsector. Met behulp van digitale technologie (o.a. bouwinformatiemodellen) wordt informatie gestructureerd beschreven, beheerd en uitgewisseld tijdens de volledige levenscyclus van een project (van programmafase tot exploitatiefase).

Read more

ECJ: Facebook fan page administrator is a joint data controller

Short Reads - On 5 June 2018, the European Court of Justice ("ECJ") decided on several preliminary questions that were raised in an administrative proceeding between the German Data Protection Authority ("GDPA") and Wirtschaftsakademie Schleswig-Holstein GmbH ("Wirtschaftsakademie"), a German educational services provider that offers its services through a Facebook fan page. In its decision, the ECJ held, among other things, that Wirtschaftsakademie qualifies as a data controller ex Article 2 under d Directive 95/46/EC[1] ("Privacy Directive").

Read more

12.07.2018 NL law
Algemene verordening gegevensbescherming van toepassing

Short Reads - Vanaf 25 mei 2018 zijn de Algemene verordening gegevensbescherming (Verordening (EU) 2016/679) (AVG) en de Uitvoeringswet Algemene verordening gegevensbescherming (Uitvoeringswet) van toepassing in Nederland. De AVG en de Uitvoeringswet vervangen de richtlijn betreffende de bescherming van natuurlijke personen in verband met de verwerking van persoonsgegevens (Richtlijn 95/46/EG) en de Wet bescherming persoonsgegevens (Wbp).

Read more

Our website uses cookies: third party analytics cookies to best adapt our website to your needs & cookies to enable social media functionalities. For more information on the use of cookies, please check our Privacy and Cookie Policy. Please note that you can change your cookie opt-ins at any time via your browser settings.

Privacy – en cookieverklaring