The EU Charter of Fundamental Rights precludes the “general and indiscriminate retention of traffic data and location data” and “the Member States may not impose a general obligation to retain data on providers of electronic communications services.” This is clear following the Court of Justice of the European Union’s judgment of 22 December 2016 inTele2 Sverige  which affirms that Court’s previous judgment in Digital Rights Ireland, from 2014. In that judgment the CJEU held that the EU’s Data Retention Directive was invalid. Some EU member states, such as Sweden and the U.K., then continued to oblige telecommunications providers to generally retain data under their national laws. In Tele2 Sverige the EU held that such national laws must similarly comply with the Charter’s data protection rules and may thus be similarly invalid.
The Tele2 Sverige judgment is of great significance for a number of reasons. First, the CJEU made clear that the data retention laws of member states must comply with EU data protection rules. Some member states thought that the derogations provided by EU Directive 2002/58 allowed them to introduce national laws governing the general retention of personal date by private companies outside the scope of EU data protection law and the judgment of the CJEU in Digital Rights Ireland in particular.
Second, the CJEU reiterated its judgment, in Digital Rights Ireland and Schrems, that generalised and indiscriminate surveillance is not permissible under EU law. Every phone call, text or internet connection that is made generates data about the location, time and duration of that communication. As the CJEU held, this “retained data, taken as a whole, is liable to allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained.”
Third, the CJEU accepted that it may be necessary to retain data in some circumstances, such as in respect of “a public whose data is likely to reveal a link, at least an indirect one, with serious criminal offenses, and to contribute in one way or another to fighting serious crime or to preventing a serious risk to public security.” Data retention might be lawful if limited on the basis of geography, such as a city centre, where there exists a high risk of preparation for or commission of such offences.
Fourth, the CJEU outlined the criteria a national data retention law needs to contain in order to comply with EU data protection law. Such a law must lay down clear and precise rules and impose minimum safeguards; it must indicate the circumstances and conditions under which data retention may be adopted as a preventative measure. This is to limit such retention to what the ECJ underlines as “strictly necessary.” Where data is retained, such retention must “meet objective criteria, that establish a connection between the data to be retained and the objective pursued.” These objective criteria must be assessed against objective evidence. While the CJEU does allow that member states may require that data may be retained, such requirements will not be easily or lightly imposed.
Fourth, the CJEU stated unequivocally that “the data concerned should be retained within the European Union.” This statement appears to preclude, or imply the need for further legislation authorising, the transfer of personal data outside the EU including the EEA.
In contrast to many of the CJEU’s recent judgments in the areas of monetary policy and EU citizenship law, the Tele2 Sverige judgment is commendable by the standards of traditional judicial reasoning. Articles 7 and 8 EU Charter guarantee the right to private life and to the protection of personal data in broad terms and so warrant a generous interpretation of the individual rights under both provisions. Moreover, there is no restrictive directly effective provision of equal or indeterminate normative status in the EU Treaties which mandates a restrictive interpretation of the scope of either right in relation to the field of electronic communications data retention. The CJEU in Tele2 Sverige further rightly notes that exceptions and derogations to fundamental rights guaranteed by EU law must be interpreted narrowly and not go beyond what is strictly necessary to achieve countervailing public policy objectives, although it should not be forgotten that the principle of the narrow construction of all derogations from treaty provisions was itself established by the CJEU in the absence of a clear basis in the Treaties. Finally, the CJEU’s approach in Tele2 Sverige closely follows the reasoning in the earlier Digital Rights Ireland case in which the CJEU had declared the Data Retention Directive invalid on the grounds that the EU legislature has exceeded the limits imposed by compliance with the principle of proportionality in the light of Articles 7, 8 and 52(1) EU Charter.
The Tele2 Sverige decision further merits the following observations. First, the respondent Member States argued that the national legislation in question concerned the ‘retention’ and not the ‘processing’ of personal data. At first sight, this argument might appeal on literal grounds. However, as the ‘processing’ of such data requires their prior ‘retention’, the Court’s ruling may be defended on the grounds that if ‘data processing’ is covered by EU legislation which is subject to judicial review by the CJEU, so must national legislation governing the prior ‘retention’ of such data as there can be no ‘processing’ without ‘retention’ and the risk of unlawful processing is inevitably magnified if the prior indiscriminate detention were exempted from the need for compliance with the EU Charter. Article 3 of Directive 2002/58 further makes clear that the Directive applies to all “processing of personal data in connection with the provision of publicly available electronic communications services in public communications.” It is not unconvincing to conclude, as the CJEU does, that the term ‘data processing … in connection with‘ provisons of electronic communications also covers the intermediate retention of such data of the relevant communications. Second, the Court’s Judgment may also be defended against criticisms that Article 1(3) of Directive 2002/58 expressly excludes state “activities concerning public security, defence, State security.” The offending national legislation in Tele2 Sverige governs the retention of data by commercial electronic communication providers, not state activities. Third, the Court’s emerging and so far expansive interpretation of data protection guarantees under EU law follows on from the Court’s strict adherence to established procedural rights guarantees in the area of EU sanctions law. In both areas the CJEU has not shirked away from questioning EU as well as implementing national legislation on the grounds of their non-compliance with applicable rights guarantees under EU law notwithstanding the obvious political dimension of its rulings and despite the overt contrary political preferences of many member states and their willingness to intervene alongside the respondent EU institution or member state in key proceedings. Continue reading