According to article 15 of directive 2002/58 (the privacy and electronic communications directive), Member States may provide for restrictions to several key principles of the directive, and in particular to the principle of the prohibiting the storage of traffic and location data. The restrictions must comply with the principle of proportionality and be justified by purposes mentioned in article 15.
On 5 April 2022, the Grand Chamber of the Court of Justice of the European Union first confirmed that EU law precludes national legislative measures which provide, as a preventative measure, for the general and indiscriminate retention of traffic and location data relating to electronic communications, for the purpose of combating serious crime (C-140/20, G.D. v Commissioner of An Garda Síochána,Minister for Communications, Energy and Natural Resources,Attorney General).
However, the CJEU listed several legislative measures (for the purposes of safeguarding national security, combating serious crime and preventing serious threats to public security) that are not precluded by EU law:
- the targeted retention of traffic and location data which is limited according to the categories of persons concerned or using a geographical criterion, for a period that is limited in time to what is strictly necessary, but which may be extended;
- the general and indiscriminate retention of IP addresses assigned to the source of an internet connection for a period that is limited in time to what is strictly necessary;
- the general and indiscriminate retention of data relating to the civil identity of users of electronic communications systems; and
- the expedited retention (quick freeze) of traffic and location data in the possession of those service providers.
These measures are not precluded provided that they ensure, by means of clear and precise rules, that the retention of data at issue is subject to compliance with the applicable substantive and procedural conditions and that the persons concerned have effective safeguards against the risks of abuse.
Therefore, the Court states for example that the directive 2002/58 does not preclude the general retention of data relating to civil identity. It does also not preclude the check of the identity of a purchaser by a seller of a pre-paid SIM card and the retention of that information for providing access to the competent national authorities.
This article was co-authored by Edouard Cruysmans in his capacity of Professional Support Lawyer at Stibbe.