Data retention in Europe—the Tele 2 case and beyond

Key Points

- Provides an introduction to data retention case law from the CJEU.
- Analyses the Tele2 judgment (joined cases C-203/15 and C-698/15, Tele2 Sverige AB and Watson).
- Evaluates the impact of the judgment on national data retention regimes.
- Considers whether the judgment may have an impact on data protection law beyond data retention regulation.

Introduction

In 1999, the United Nations General Assembly adopted the International Convention for the Suppression of the Financing of Terrorism.1 Yet in the aftermath of 9/11, a need emerged for further legal means to detect, investigate, and prosecute criminal acts relating to terrorism. Prevention of further attacks was deemed paramount. This led to the adoption of Security Council Resolution 1373 (2001) in September 2001,2 and the Council Framework Decision on combating terrorism in June 2002.3 The Council Conclusions of December 2002 proposed various means for countering terrorism and other serious crime, but particularly mentioned the retention of communications data.4 In the wake of these international initiatives, European Union (EU) Member States adopted antiterrorism legislation, including national provisions on data retention.5 The year 2004 saw the Madrid train bombings, while 2005 brought the bombings in London.
This made the threat of terrorism within EU borders imminent, and it ushered in diverse legal means for countering this danger, including common EU legislation on data retention.6 National data retention schemes did already exist, but they varied considerably across Member States, creating obstacles for the cross-border internal market in terms of delivering electronic communications services.7 Seeking to harmonize existing national provisions, and moving to ensure that communications data were available for the investigation, detection, and prosecution of serious crime, the European Parliament and the Council adopted Directive 2006/24/EC on data retention (the Data Retention Directive).8 This required that Member States adopt provisions to ensure the retention of traffic and location data (as opposed to content data) within national legal orders.9 However, several Member States were opposed to the implementation, declaring the Data Retention Directive, or parts of it, unconstitutional.10 This led to the referral of both an Austrian and an Irish case to the Court of Justice of the European Union (CJEU), culminating in the invalidation of the Data Retention Directive in Digital Rights Ireland.11 The Court acknowledged that legal problems extended beyond those pertaining to retention of content data, stating that the retention of traffic and location data (metadata) also constituted a ‘particularly serious’ interference with the rights to privacy and data protection afforded in Articles 7 and 8 of the EU Charter of Fundamental Rights (the Charter).12 However, as the CJEU did not restrict its argumentation to the matter of mere retention, but continued to elaborate on the importance of safeguards surrounding subsequent access to the retained data, uncertainty persisted as to whether the invalidation of the Data Retention Directive was caused by mere retention, or solely by insufficient safeguards surrounding access to the retained data.
Likewise, uncertainty lingered as to what the consequences of this judgment would be for national data retention schemes. While some Member States amended or repealed national data retention provisions, others remained passive.13 As a result, actions were filed before national courts and two were referred to Luxembourg, known subsequently as Tele2 Sverige AB and Watson (hereinafter referred to as Tele2). In the Swedish case, the referring court asked the Court to assess, specifically, the implications attached to the mere retention of data (unconflated with the matter of access to retained data). While emphasizing the serious nature of the interference with fundamental rights caused by mere retention, the Advocate General’s opinion of 19 July 2016 held the door open for national data retention schemes if accompanied by sufficient safeguards surrounding access to the retained data.14 Yet on 21 December 2016, the Court delivered a ruling questioning not only the existing data retention schemes, but also whether data retention could still be used as a means for detecting, investigating, and prosecuting serious crime.15

The present article undertakes an analysis of the Court’s ruling of 21 December 2016, assessing its impact on current and future provisions on data retention. First, the article will set out the direct scope of application of the ruling, focusing on Directive 2002/58/EC. Secondly, it will determine whether data retention (namely, general and undifferentiated collection of communications data) may still be used as a means for detecting, investigating, and prosecuting serious crime. The article’s third main concern is to scrutinize the criteria that such retention provisions must meet if they are to comply with Articles 7, 8, and 52 of the Charter. Finally, the article will assess the broader consequences of the ruling outside its direct scope of application (ie the implications for other service providers and data).
Scope of application of Tele2 Sverige AB and Watson

Directive 2002/58/EC and EU Charter of Fundamental Rights Articles 7 and 8

The Tele2 ruling concerns data retention rules in Sweden and the UK: namely, whether obligations imposed by these jurisdictions comply with EU law following the invalidation of the Data Retention Directive. As such, the ruling is one measure of the room to manoeuvre retained by national data retention rules within the framework of EU law. The abiding questions posed are: which rules apply, and to whom? After the invalidation of the Data Retention Directive there are no longer data retention rules at the EU level. However, because the national data retention rules in question—Swedish and UK—concern the processing of communications data by providers of telecommunication services,16 what applies here is Directive 2002/58/EC on Privacy and Electronic Communication (the e-Privacy Directive),17 which is part of the EU legal framework on telecommunications. Since communications data is personal data (revealing who has been communicating with whom, when and where etc), the e-Privacy Directive translates the principles set out in Directive 1995/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the Data Protection Directive)18 into specific rules for the telecommunications sector.19 In both Swedish and UK legislation the e-Privacy Directive is partly implemented, within an area harmonized in general by Directive 95/46/EC, which also means that the Charter applies here (notably Articles 7 and 8 regarding privacy and protection of personal data, and, more indirectly, Article 11 regarding freedom of speech, cf Article 51 of the Charter).20

Providers of electronic communications services

It follows that the scope of the ruling is primarily delimited to the special category of service providers and communications data covered by the e-Privacy Directive.
This directive applies to providers of ‘publicly available electronic communications services’, which is defined not in the e-Privacy Directive itself, but in the main telecommunications directive, the so-called Framework Directive,21 which is referred to in Article 2 of the e-Privacy Directive. According to Article 2(c) of the Framework Directive, an electronic communications service consists—wholly or mainly—in electronic conveyance (transmission or transportation) of communication through a publicly available network (eg by transporting phone calls, e-mails, and internet traffic between communicating parties). Services providing content (eg web services, mobile apps or broadcasting services) are not covered, but are instead most likely ‘information society services’ covered by the e-Commerce Directive (2000/31/EC),22 or ‘Audiovisual Media Services’ covered by the Audiovisual Media Service Directive (2007/65/EC), now consolidated as Directive 2010/13/EU.23 Hence, the e-Privacy Directive applies to telecommunication operators (such as those regulated by the Swedish and UK legislation at issue in Tele2).24 This encompasses the telecom operators who transmit electronic communication between communicating parties and who are able to store and process data regarding this communication. Most pertinent here is traffic and location data revealing who is communicating with whom, the means of communication used, along with information about when and where the exchange occurs: in other words, the data that constitutes the foundation of data retention regimes.25 So far, it is only the telecom operators who have been subject to general and systematic data retention obligations (whether in the now invalidated Data Retention Directive or in the Swedish and the UK regulations covered by the Tele2 ruling).
Traffic and location data

Communications data are protected by the fundamental right to confidentiality of communications, which is guaranteed by Article 8 of the European Convention on Human Rights (ECHR) and also covered by Article 7 of the Charter, cf Article 52(3).26 Article 5(1) of the e-Privacy Directive restates this fundamental right and it prohibits as a main rule any listening, tapping, storage, other kinds of interception, or surveillance of communications and the related traffic data. It appears, then, that the right to confidentiality applies not only to the relevant communicative content, but also to the related traffic data. The notion of ‘traffic data’ is defined as any data processed for the purposes of the conveyance of a communication on an electronic communications network or for the billing thereof, cf Article 2(b). ‘Traffic data’ includes, inter alia, data regarding the identity of the sender and recipient of the communication, the location of the parties’ terminal equipment, the time and duration of the communication, the applied network and communication equipment, and the format of the communication.27 Under the Swedish and UK legislation scrutinized in the Tele2 CJEU ruling, and in line with the invalidated Data Retention Directive, it is storage of traffic data which is at issue—traffic data covered by Article 2(b) of the e-Privacy Directive.28 As such, the ruling does not, at least not directly, cover communications data other than traffic data (including location data) comprised and defined by the e-Privacy Directive.

The e-Privacy Directive covers both the retention of data and access to that data

The right to confidentiality is not absolute. Neither the ECHR nor the e-Privacy Directive extend the matter this far. Traffic data may be processed by the telecom providers themselves for the purposes of transmitting a communication or for subscriber billing and interconnection payment, cf Article 6(1) and (2) of the e-Privacy Directive.
Additionally, and more importantly in the present context, according to Article 15(1), Member States can restrict rights granted under the e-Privacy Directive when such restrictions constitute a necessary, appropriate, and proportionate measure within a democratic society to safeguard national security (ie State security), defence, public security, or to prevent, investigate, detect, and prosecute criminal offences or unauthorized use of the electronic communication system, as referred to in Article 13(1) of the Data Protection Directive. Article 15(1) explicitly states that to achieve the legitimate ends laid down in the provision (safeguard security, prevent crime etc), Member States may adopt legislative measures providing for the retention of data, though only for a limited period. Ultimately, it is the interpretation of Article 15(1), informed by the Charter and pertaining to the Swedish and UK data retention legislation, which forms the pivotal point of the CJEU’s decision in Tele2. In this context it should be noted that it was argued before the CJEU that national legislation on data retention and access to that data by the national authorities for the purpose of combating crime either falls entirely outside the scope of the e-Privacy Directive, or that the directive only applies to national legislation regarding the mere retention of data, not rules relating to national authorities’ access to that data.29 The reason for both arguments is that Article 1(3) of the e-Privacy Directive excludes from its scope activities of the State in respect to realms such as criminal law. The CJEU, however, correctly rejected these arguments. The purpose of the e-Privacy Directive is to regulate the right to privacy and confidentiality in the electronic communications sector, as well as the activities of providers of electronic communications services.
Data retention regimes that impose the retention of users’ traffic and location data upon providers of electronic communications services affect both the privacy of said users and the activities of the providers and thus cannot fall entirely outside of the scope of the directive. Further, as the Court also reasoned, if any Article 1(3)-related State activity within the realm of criminal law automatically falls outside the scope of the directive, then Article 15(1), with its grounds (including combatting crime) for exceptions to some of the basic rules of the directive, would be deprived of any purpose.30 The essential issue is not whether the national regulation pursues a criminal law purpose, but whether it concerns electronic communications service providers’ protection of their users’ privacy and communications confidentiality. If so, the e-Privacy Directive applies. This being the case, the e-Privacy Directive applies to both the retention of and subsequent access to the retained data. Accordingly, the directive applies not only to the retention itself, but also to the access to the retained data by the competent authorities when such access is granted by the provider eg in accordance with a court order or similar legal process in accordance with national law.31

In sum, the ruling in Tele2 applies to national data retention regulations governing providers of telecommunications services covered by the e-Privacy Directive (read in light of the Charter). It applies to such providers’ retention of traffic and location data (as defined by the e-Privacy Directive) as well as national authorities’ access to said data retained by the provider. This raises the issue of the scope of the ruling with regard to possible data retention measures directed not merely at telecom providers but also at content providers who, as noted above, presently fall outside the scope of the e-Privacy Directive.
This issue will be considered in the ‘Consequences for other types of data?’ section of this article.

General collection of communications data post-Tele2

Introduction

In Tele2, the CJEU was once again asked its opinion on the legality of a general data retention scheme. While the judgment in Digital Rights Ireland concerned the EU data retention scheme established by the Data Retention Directive and its direct compliance with the Charter, Tele2 concerned national data retention schemes under the e-Privacy Directive, and thus an interpretation of that directive read in light of the Charter. Tele2 raised the question of whether the mere retention of traffic and location data, as seen in the legislation concerned in the Swedish case,32 complied with Article 15(1) of the e-Privacy Directive read in light of Articles 7, 8, 11, and 51 of the Charter, irrespective of the existence of sufficient safeguards surrounding access to the retained data. Consequently, having established that the e-Privacy Directive governs such national data retention schemes, the Court set out to define the room to manoeuvre retained by such national rules under Article 15 of the e-Privacy Directive. Seeking to ensure confidentiality in electronic communications, Article 5(1) of the e-Privacy Directive prohibits, ‘as a general rule’, anyone other than the user from storing of traffic data relating to electronic communications without the user’s consent.
Aside from the technical storage necessary for the conveyance of a communication and for billing purposes,33 Article 15(1) thus provides for the only exceptions to that rule and, according to settled case law, must, therefore, be interpreted strictly.34 It also follows directly from Article 15(1)(3) that such exceptions shall be in accordance with the general principles of EU law and fundamental rights now guaranteed by the Charter.35 As already mentioned, the latter involves in particular Articles 7 and 8, but also Article 11 on freedom of expression, as extensive data retention may affect the use of electronic communications and thus the service users’ freedom of expression.36 Furthermore, pursuant to Article 52(1) of the Charter, any limitation to the rights enshrined in the EU Charter must be provided for by law and respect the essence of those rights. Subject to the principle of proportionality, limitations are allowed only if they are necessary and if they genuinely meet objectives of general interest recognized by the EU or the need to protect the rights and freedom of others. With respect to ‘necessity’, it is stipulated that the measure is ‘necessary, appropriate and proportionate’ or—as expressed by the Advocate General—that no other measures exist that would be equally appropriate and less restrictive.37 Hence, as introduced above, under Article 15(1) of the e-Privacy Directive, Member States may adopt measures that derogate from the general principle of confidentiality to the extent that they are ‘necessary, appropriate and proportionate’ in a democratic society, or, in other words, ‘strictly’ proportionate.38 It follows from Article 15(1)(2), specifically relating to data retention, that data should be retained ‘for a limited period’ only, and should be justified by reference to one of the objectives listed in Article 15(1)(1).
Also, more generally, with respect to the protection of the fundamental right to respect for private life, limitations apply only in so far as ‘strictly necessary’.39 In sum, pursuant to Article 15(1) of the e-Privacy Directive, Member States may adopt national data retention provisions only in so far as they are strictly necessary and proportionate. Did the Court find that national legislation such as that examined in Tele2 was capable of meeting these criteria? The CJEU recalled that such national legislation provides for a general and indiscriminate retention of all data of all subscribers and registered users relating to all means of electronic communications. Furthermore, it imposes on providers of electronic communications services an obligation to retain such data systematically and continuously, with no exception. The categories of data covered by such legislation thus correspond, in essence, to data retained under the Data Retention Directive. Such data makes it possible ‘in particular, to identify the person with whom a subscriber or registered user has communicated and by what means, and to identify the time of the communication as well as the place from which that communication took place.
Furthermore that data makes it possible to know how often the subscriber or registered user communicated with certain persons in a given period.’40 As already acknowledged in Digital Rights Ireland, ‘that data, taken as a whole, is liable to allow very precise conclusions to be drawn concerning private lives of the persons whose data has been retained’.41 With reference to the Advocate General, the Court recalled that such data thus provide for the means of establishing a profile of the individuals concerned, information that is no less sensitive regarding the right to privacy, than the actual content of communications.42 In Digital Rights Ireland, reaching the conclusion that the interference with the rights in Articles 7 and 8 of the Charter caused by the Data Retention Directive did not adversely affect the ‘essence’ of the rights, the Court relied on the distinction between content data on the one hand, and traffic and location data on the other.43 Yet the above statement questions the extent of that distinction and may have the potential to influence areas outside retention of communications data. From there, the CJEU essentially followed, by analogy, its judgment in Digital Rights Ireland. Accordingly, it recalled that the interference with the rights safeguarded by Articles 7 and 8 of the Charter caused by such legislation is very far-reaching and must be considered particularly serious.
Moreover, the fact that data is retained without informing the subscriber or registered user of the means of communication is likely to cause those persons to feel that their private lives are the subject of constant surveillance.44 Even if the legislation only permits retention of traffic and location data, not content data, and does not adversely affect the ‘essence’ of the rights, it could have an effect on prospective use of electronic communications and on the users’ exercise of their freedom of expression under Article 11 of the Charter.45 Given the seriousness of the interference, only the objective of fighting serious crime is capable of justifying it. However, even the most fundamental objective of general interest cannot, in itself, justify a national law that provides for the general and indiscriminate retention of all traffic and location data as being deemed ‘necessary’ for the purpose of fighting such crime.46

The assessment of the necessity of the retention obligation follows two main arguments. First, as opposed to Digital Rights Ireland, in which the Data Retention Directive was assessed in light of the Charter directly, the national provisions concerned in Tele2 are assessed pursuant to Article 15(1) of the e-Privacy Directive read in light of the Charter. Thus, while the system put in place by the directive requires data retention to be the exception, under the Swedish rules concerned it had become the rule.47 Secondly, the national rules cover, in a generalized manner, all subscribers and registered users and all means of electronic communication as well as all traffic data, providing for no differentiation, limitation or exception according to the objective pursued. It even applies to persons for whom there is no evidence capable of suggesting that their conduct might have a link, even an indirect or remote one, with serious crime. Such rules do not require there to be any relationship between the data retained and a threat to public security.
In particular, they are not restricted to retention of (i) data pertaining to a particular period of time and/or geographical area and/or a group of persons likely to be involved, in one way or another, in a serious crime, or (ii) persons who could, for other reasons, contribute, through their data being retained, to fighting crime.48 Consequently, such rules exceed the limits of what is strictly necessary in a democratic society, as required by Article 15(1), read in light of Articles 7, 8, 11 and 52(1) of the EU Charter.49 As noted, those criteria were already established by the CJEU in Digital Rights Ireland. However, following that judgment, it remained unclear whether a general data retention scheme as a matter of principle exceeds the legitimate limits of the Charter, or whether it depends on the safeguards surrounding access to the retained data. The latter interpretation is supported by the fact that the CJEU in Digital Rights Ireland continued to assess the scheme surrounding access to the retained data.50 In Tele2, even though the Advocate General strengthened the assessment of the fundamental rights implications of such general data retention rules, he did hold the door ajar for these rules provided that they follow the criteria established by the CJEU in Digital Rights Ireland.51 Nonetheless, Tele2 saw the CJEU reach the opposite broader conclusion. Few would have foreseen this as a probable consequence of Digital Rights Ireland and it will force a number of Member States to amend their national rules on data retention.

Criteria for imposing national data retention regulation

It is important to note that the ruling in Tele2 does not preclude Member States from imposing national data retention legislation as a matter of principle.
The Court explicitly states that preventive national data retention regimes can be adopted ‘… for the purpose of fighting serious crime, provided that the retention of data is limited, with respect to the categories of data to be retained, the means of communication affected, the persons concerned and the retention period adopted, to what is strictly necessary.’52 Within this overall principle of proportionality, the Court elaborates, lie both formal requirements to the character of the regulation as such, and more substantial conditions in the regulation, ie how retention is ‘targeted’. These formal and substantial requirements concern the retention itself, the authorities’ subsequent access to the retained data, or both.

Formal requirements

With regard to the formal requirements, the ruling stipulates that national data retention legislation must lay down clear and precise rules governing the scope and application of such data retention measures and impose minimum safeguards, providing persons whose data have been retained with sufficient guarantees for the effective protection of their personal data against the risk of misuse. That legislation must, in particular, indicate in what circumstances and under which conditions provisions on data retention may, as a preventive measure, be adopted, thereby ensuring that such a measure is limited to what is strictly necessary, ie is proportionate.53 The Court, referring back to its ruling in Digital Rights Ireland,54 leans here on case law under Article 8 of the ECHR, wherein the European Court of Human Rights has stated repeatedly that in order to enact exemption from the right to privacy, the exemption must not only be prescribed by law, but that law must also be clear and precise and contain sufficient safeguards to effectively protect against the risk of abuse and against any unlawful access and use of the relevant data.
Thus, a clear legal basis must apply, based on objective criteria, and sufficient minimum safety guarantees, both with regard to the data retention itself and the authorities’ subsequent access to the retained data. With regard to the latter, the CJEU, in line with its previous statements in Digital Rights Ireland,55 highlights that national provisions on data retention must lay down clear and precise rules indicating in what circumstances and under which conditions the providers of electronic communications services must grant the competent national authorities access to the data.56 The Court makes clear that Member States cannot circumvent this requirement simply by requiring that access should be for one of the objectives referred to in Article 15(1) of the e-Privacy Directive, even if that objective is to fight serious crime. In order to ensure that the measure in question is, in fact, necessary and proportionate, the national legislation must also lay down the substantive and procedural conditions governing the access of the competent national authorities to the retained data.

Substantial requirements

Possibility of creating a link between the persons affected and serious criminal offences

Besides these formal conditions—that the national law is clear, precise, and contains minimum safeguards—it must also comply with certain substantial conditions. Recognizing that those conditions may vary according to the nature of the measures taken for the purposes of prevention, investigation, detection and prosecution of serious crime, the Court makes it clear that retention of data must continue nonetheless to meet objective criteria that establish a connection between the data to be retained and the objective pursued. Such conditions must circumscribe, in practice, the extent of that measure and, thus, the persons affected.
More precisely, the Court notes that the national legislation must be based on objective evidence, which makes it possible to identify persons whose data is likely to reveal a link, at least an indirect one, with serious criminal offences, and to contribute in one way or another to fight serious crime or to prevent a serious risk to public security.57 Thus, as mentioned above, the Court makes it very clear, as stated in paragraph 97 of the ruling, that national legislation that provides for a general, systematic, continuous, and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication does not conform to EU law and thus cannot be upheld or adopted. The national data retention legislation must render it possible to create a link between the persons whose data are retained and the prevention of or fight against serious crime.

Use of a geographical criterion?

However, this does not mean that the persons whose data are retained can never be identified based on a geographical criterion alone (and thus cover all persons within that geographical area). According to the Court, the required limits (with regard to the public affected by the data retention measure) may be set by using a geographical criterion where the competent national authorities consider, on the basis of objective evidence, that there exists, in one or more geographical areas, a high risk of preparation for or commission of such offences.
This probably means that a geographically based data retention—covering all persons within that specific area—cannot be automatic and continuous, but requires (i) that a competent authority has issued a retention order in accordance with general legislation, (ii) that the order is based on objective evidence corresponding with objective criteria laid down in the national legislation, (iii) that the evidence indicates not only a risk, but a high—and thus probably also relatively specific—risk of serious criminal offences being prepared or executed. This also, by implication, means that when the risk is no longer high, the data retention must cease. All of this must be reflected in the national regulation: only subject to these conditions may the data retention be based (solely) on a geographical criterion (cf above regarding the formal requirement that the national regulation is clear, precise, and must contain sufficient safety guarantees). Yet a certain paradox ought to be noted in the Court’s conditions regarding the geographical criterion. Given that serious crime in practice58 covers a rather wide spectrum including homicide, attempted homicide, organized narcotics trade, human trafficking, serious violent assault etc, most—if not all—areas of major population concentrations in the EU will be the scene of the planning or execution of such crime on a daily basis. In practice, then, one could argue—while remaining strictly within the reasoning of the Court—that most major cities in the EU will at any given time warrant geographically based data retention. It is also noteworthy that the ruling indicates that the criteria which must be applied for restricting the data retention to what is proportionate may differ depending on the situation.
The Court expressly refers to restrictions due to (i) data pertaining to a particular time-period and/or geographical area and/or a group of persons likely to be involved, in one way or another, in a serious crime.59 Hence, it seems that the Court leaves some latitude for national data retention regimes to stipulate that under certain conditions some of the three listed criteria need not be applied. If, for example, a Member State encounters a specific situation with a high risk of terror-related crime being conducted, that Member State’s data retention regime can prescribe retention of data only restricted by a time criterion (provided the terror risk is imminent), but not subject to restriction in terms of the geographical area or the group of persons likely to be involved.

Other persons than the individuals suspected?

It is constructive to question the requirement set forth by the Court that under the national regulation there must be an (in)direct link between the persons whose data are being retained and the prevention of or fight against serious crime. Namely—in terms of access to the retained data—is it only the data of individuals suspected of planning, committing, or having committed a serious crime, or of being implicated in one way or another in such a crime, to which the authorities can gain access? The Court establishes that this is indeed the general rule.60 However, as an exception hereto, the Court affirms that ‘in particular situations, where for example vital national security, defence or public security interests are threatened by terrorist activities, access to the data of other persons might also be granted where there is objective evidence from which it can be deduced that that data might, in a specific case, make an effective contribution to combating such activities’.
Hence, it is possible for national data retention regimes to allow for the retention of, and access to, data on persons who are not linked to serious crime, but only in relation to a specific case and only in particular situations where ‘vital interests’ are threatened by forces such as terrorist activities. Again, systematic and continuous retention of the wider population’s communications data without limitation is not permissible. Duration It follows that national data retention legislation may no longer be based on retention that takes place automatically and continuously, but must instead be targeted and based on a specific order in compliance with the rules and safeguards laid down in the legislation. When the risk of a serious criminal offence is no longer present, the data retention must cease. A question remains, however: for how long may national legislation subsequently require that the data remain stored, so that the competent authorities can gain access to them in accordance with the conditions set forth in national law? The ruling of the CJEU does not stipulate a specific time period (unlike the now invalidated Data Retention Directive, which prescribed a period of between six months and two years).61 The ruling states only that the retention period must comply with the principle of proportionality (ie be based on objective criteria and limited to what is strictly necessary).62 Hence, it is for the Member States to determine the retention period within these limits. Importantly, the ruling also specifies that national legislation must make provision for the data to be retained within the EU and for the irreversible destruction of the data at the end of the retention period.63 This requirement to store data within the EU is discussed further in the ‘Consequences for other types of data?’ section below. 
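As an added illustration (not code from the article, nor from any of the national regimes it discusses), the following Python sketches how the conditions set out in this section, together with those in the ‘Security’ and ‘Access only subject to a prior review’ sections below, translate into technical controls: data are retained only under a time-limited order that is revoked when the risk passes; each order has its own key, so that expiry destroys the data irreversibly (crypto-shredding); the store refuses non-EU regions; and decryption requires a reasoned request reviewed by a body other than the requester unless urgency is flagged. Region labels, authority names and the sample records are constructed, and the SHAKE-256 XOR keystream is a stand-in for a real authenticated cipher.

```python
# Added example, not code from the article: the Tele2 conditions (targeted retention,
# duration, irreversible destruction, EU storage, prior review) as controls in an
# illustrative store. Names and records are assumed; SHAKE-256 XOR stands in for AES-GCM.
from __future__ import annotations

import hashlib
import os
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

EU_REGIONS = {"eu-west-1", "eu-central-1"}  # assumed operator region labels


@dataclass
class RetentionOrder:  # targeted order by a competent authority for one area
    order_id: str
    issued_by: str
    area: str
    issued_at: datetime
    max_duration: timedelta  # proportionate period fixed by national law
    revoked_at: datetime | None = None  # set once the high risk has passed

    def active(self, now: datetime) -> bool:
        if self.revoked_at is not None and now >= self.revoked_at:
            return False
        return now < self.issued_at + self.max_duration


@dataclass
class Approval:  # prior review of a reasoned request by an independent body
    requester: str
    reviewer: str
    reasoned_request: str
    urgent: bool = False  # validly established urgency bypasses prior review


class RetentionStore:
    def __init__(self, region: str) -> None:
        if region not in EU_REGIONS:  # data must be retained within the EU
            raise ValueError(f"retained data must stay in the EU, not {region}")
        self.orders: dict[str, RetentionOrder] = {}
        self.keys: dict[str, bytes] = {}  # one key per order; deleting it shreds its records
        self.records: list[tuple[str, str, bytes, bytes]] = []  # (subscriber, order, nonce, ct)

    def register_order(self, order: RetentionOrder) -> None:
        self.orders[order.order_id] = order
        self.keys[order.order_id] = os.urandom(32)

    def _keystream(self, order_id: str, nonce: bytes, n: int) -> bytes:
        return hashlib.shake_256(self.keys[order_id] + nonce).digest(n)

    def retain(self, subscriber: str, area: str, payload: bytes, now: datetime) -> bool:
        # Retain only under an active order covering the area; otherwise drop.
        order = next((o for o in self.orders.values() if o.area == area and o.active(now)), None)
        if order is None:
            return False
        nonce = os.urandom(16)
        ks = self._keystream(order.order_id, nonce, len(payload))
        self.records.append((subscriber, order.order_id, nonce, bytes(a ^ b for a, b in zip(payload, ks))))
        return True

    def revoke(self, order_id: str, now: datetime) -> None:
        # The risk is no longer high: end the order so that expire() destroys its data.
        self.orders[order_id].revoked_at = now

    def expire(self, now: datetime) -> int:
        # Irreversible destruction: drop the key and the records of every inactive order.
        dead = {oid for oid, o in self.orders.items() if not o.active(now)}
        for oid in dead:
            self.keys.pop(oid, None)
        before = len(self.records)
        self.records = [r for r in self.records if r[1] not in dead]
        return before - len(self.records)

    def access(self, order_id: str, subscriber: str, approval: Approval) -> list[bytes]:
        # Decrypt only after a reasoned request reviewed by a body other than the requester.
        if not approval.reasoned_request or (not approval.urgent and approval.reviewer == approval.requester):
            raise PermissionError("access requires a reasoned request and independent prior review")
        out = []
        for sub, oid, nonce, ct in self.records:
            if oid == order_id and sub == subscriber and oid in self.keys:
                ks = self._keystream(oid, nonce, len(ct))
                out.append(bytes(a ^ b for a, b in zip(ct, ks)))
        return out


def demo() -> dict:
    # Constructed scenario: one order, review-gated access, revocation, destruction.
    t0 = datetime(2017, 1, 1, tzinfo=timezone.utc)
    store = RetentionStore("eu-central-1")
    store.register_order(RetentionOrder("ord-1", "court-x", "area-a", t0, timedelta(days=30)))
    kept_a = store.retain("subA", "area-a", b"cell=1234 ts=1483232400", t0 + timedelta(hours=1))
    kept_b = store.retain("subB", "area-b", b"cell=9999 ts=1483232400", t0 + timedelta(hours=1))
    got = store.access("ord-1", "subA", Approval("police", "court-x", "investigation 17/1"))
    try:
        store.access("ord-1", "subA", Approval("police", "police", "self-approved"))
        self_review = "allowed"
    except PermissionError:
        self_review = "rejected"
    store.revoke("ord-1", t0 + timedelta(days=10))
    destroyed = store.expire(t0 + timedelta(days=10))
    after = store.access("ord-1", "subA", Approval("police", "court-x", "investigation 17/1"))
    return {"kept_a": kept_a, "kept_b": kept_b, "got": got, "self_review": self_review,
            "destroyed": destroyed, "after": after}
```

Running demo() shows the record from an area without an order being dropped, the self-approved request being refused, and the order's records disappearing once it is revoked and expire() runs. A production store would additionally log every request and reviewer decision for the independent supervisory authority, and would use an authenticated cipher such as AES-GCM instead of the keystream shown.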
Retention and access only with the object of fighting serious crime The Court has reiterated many times that data retention may only be imposed for the purpose of fighting ‘serious crime’.64 Concerning the mere retention of data specifically, the Court notes that since national data retention legislation represents such a serious interference with fundamental rights, only the objective of fighting serious crime is capable of justifying such a measure.65 With regard to access to the retained data, the Court also emphasizes that, since the objective pursued by the national legislation must be proportionate to the seriousness of the interference with fundamental rights that such access entails, it follows, with regard to fighting criminal offences, that only the objective of fighting serious crime is capable of justifying such access.66 Hence, the Court draws a distinction between serious crime and other kinds of crime, yet without defining, or otherwise making clear, how this distinction is to be made. As examples of ‘serious crime’, the ruling mentions organized crime, terrorism,67 and serious threats to public security.68 These examples all indicate that only the most severe types of crime can legitimize a national data retention regime. Although other EU instruments (eg the aforementioned European Arrest Warrant) may provide some guidance regarding the notion of ‘serious crime’, the CJEU makes no reference to them in the ruling, and thereby, to a large extent, leaves the definition of ‘serious crime’ to the Member States and national courts. This may create legal uncertainty and national differences across the EU. 
Notwithstanding the interpretational problems, the requirement regarding serious crime will no doubt represent an unwelcome barrier for several Member States whose current data retention regimes may also allow access to retained data (eg location data) with regard to crimes which cannot be deemed serious to the degree stipulated by the Court. Access only subject to a prior review As stated in the ‘The e-Privacy Directive covers both the retention of data and access to that data’ section, the Court decided that the e-Privacy Directive covers both the retention of data and access to that data. In order to ensure that the conditions for the authorities’ access to the retained data are respected, the Court, in line with its ruling in Digital Rights Ireland,69 stresses that, apart from cases of validly established urgency, access should be subject to a prior review carried out either by a court or by an independent administrative body.70 Regardless of whether this requirement is seen as a substantive requirement, or rather as a procedural minimum safeguard and thus part of the formal requirements, it underlines the seriousness the Court ascribes to the sensitivity of traffic and location data. Access to such data cannot rest on an assessment by the requesting authority alone, but must be scrutinized by either a court or an independent administrative body. Moreover, the Court reiterates what it stated in Digital Rights Ireland, namely that the decision of that court or administrative body should be made following ‘a reasoned request by those authorities submitted, inter alia, within the framework of procedures for the prevention, detection or prosecution of crime’.71 Hence, not only must a request for access be reasoned, ie comply with the substantive conditions for gaining access (clear and precise rules, serious crime, only persons related to that crime, cf above); it must also adhere to the normal rules and safeguards of criminal procedure. 
This means that where it is not a court but an administrative body that carries out the prior review, the procedural rules governing that body must be very similar to the procedural rules before the ordinary courts. An administrative body cannot act simply as a rubber stamp for an authority’s request for access to retained data. Security The requirement that access by the competent authorities be legitimated and regulated is one matter. Quite another is the risk of illegitimate, third-party access to the data owing to a lack of security. Pursuant to Articles 4(1) and 4(1a) of the e-Privacy Directive, providers of electronic communications services must take appropriate technical and organizational measures to ensure the effective protection of retained data against risks of misuse and any unlawful access to that data. Hence, the security level must correspond to the risks and consequences of a security breach. As the Court also notes, the quantity and sensitivity of retained data, and the risk of unlawful access to it, require a particularly high level of protection and security with regard to retained data.72 In this connection, the Court requires that national legislation meet two further requirements, both of which follow from Digital Rights Ireland:73 namely, that the legislation makes provision for the data to be retained within the EU and that it provides for the irreversible destruction of the data at the end of the retention period. The requirement that the data be retained within the EU may seem somewhat surprising and is not explained further in the ruling. However, in Digital Rights Ireland, to which the Court expressly refers (by analogy), it is explained that if the data are not stored within the EU, it cannot be ensured that compliance with the requirements regarding protection and security of the data is controlled by an independent authority as prescribed by Article 8(3) of the Charter. Are the requirements cumulative? 
In Digital Rights Ireland, where the Court applied some of the requirements also followed in Tele2, it is not entirely clear whether the requirements are meant to be cumulative (as opposed to an overall assessment in which only some of the requirements need to be fulfilled). In the Advocate General’s Opinion, it is argued that the safeguards established in Digital Rights Ireland are to be cumulative.74 In the present ruling, the Court does not explicitly address the issue, but the wording and structure of the ruling leave little doubt that the requirements—which have now been extended to cover the retention as such—are cumulative. Hence, national data retention legislation must conform to all of the requirements. Conclusion In sum, the Tele2 ruling does not preclude Member States from imposing national data retention legislation as general, preventive regimes. However, such rules must conform to both formal and substantive conditions, and these conditions pertain both to the retention as such and to the subsequent access to the retained data by the authorities. This means an end to the type of national data retention measures at issue in Tele2 in Sweden and the UK—measures that provide for a general, systematic, continuous, and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication. The legislation must itself be clear and precise, based on objective criteria, and contain sufficient minimum safeguards, both with regard to the retention of data and to the subsequent access to retained data. Moreover, the regulation must contain objective criteria that establish a connection between the data to be retained and the objective pursued. 
In this connection, the legislation must be based on objective evidence, which makes it possible to identify persons whose data is likely to reveal a link, at least an indirect one, with serious criminal offences. Identification of the relevant persons using a geographical criterion may be applied, but only where the competent national authorities deem, based on objective evidence, that there is an existing high risk of preparation for or commission of such offences in one or more (specific) geographical areas.75 Moreover, data retention can only be imposed for the purpose of fighting ‘serious crime’ which remains far from clear as a concept. Specifically, concerning access to the retained data, national legislation must set forth that, apart from cases of validly established urgency, access should be subject to a prior review carried out either by a court or by an independent administrative body. Further, the quantity and the sensitivity of retained data, and the risk of unlawful access to it, require a particularly high level of protection and security with regard to retained data. Finally, the national legislation must make provision for the data to be retained within the EU. Consequences for other types of data? Tele2 is a case about the interpretation of Article 15 of the e-Privacy Directive. The judgment focuses on data retention activities covered by Article 15 and does not deal directly with activities beyond this. In other words, the judgment does not provide interpretations of the Data Protection Directive. For several reasons, the judgment may nonetheless have an impact on other areas of data protection law. Not least, this is because the Court draws heavily on the Charter in reaching its conclusions. Both the Data Protection Directive and the e-Privacy Directive must be interpreted in light of the Charter. 
Furthermore, the Court’s basic line of thought and the requirements stipulated in its judgment seem to indicate that a database containing personal data about a (potentially) huge sector of a population with content that enables possible detailed profiling of the data subjects, must be subject to extraordinarily strict data protection measures and requirements. Regarding the content of the retained data, the Court states the following (paragraph 99): That data, taken as a whole, is liable to allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained, such as everyday habits, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them (see, by analogy, in relation to Directive 2006/24, the Digital Rights judgment, paragraph 27). In particular, that data provides the means, as observed by the Advocate General in points 253, 254 and 257 to 259 of his Opinion, of establishing a profile of the individuals concerned, information that is no less sensitive, having regard to the right to privacy, than the actual content of communications. At a general level, this raises the question whether other kinds of databases (containing very sensitive data about a very large group of data subjects) may, in the same way, be subject to extraordinarily strict requirements in the light of the protection provided for by Articles 7 and 8 of the Charter. The judgment must be read and understood in the light of the intrusive nature of data retention schemes, which does not necessarily apply to other types of databases. However, not all parts of the judgment are linked closely to this intrusion aspect, and this prompts questions about whether some aspects of the judgment could inform efforts to analyse the processing of some other types of data (data which may be even more sensitive than retention data). 
With the Court emphasizing the profiling potential of data retention databases, analysts might be prompted to evaluate the status of other databases established by private parties with a large profiling potential. In this regard, it is well known that companies like Google and Facebook collect large amounts of data about their users, enabling extremely detailed profiling. At a general level, then, it cannot be ruled out that the thinking behind the judgment will affect the interpretation of the Data Protection Directive when it comes to these kinds of databases. Questions also arise about whether some of the judgment’s requirements can be extended to some databases outside the scope of the e-Privacy Directive. That might be the case for some requirements, as discussed in the following. Data retention duties under national law The judgment establishes certain requirements/limitations with which national legislation must comply in order to request that telecom operators retain the communications data covered by the e-Privacy Directive. The Court derives these limitations from an interpretation of Article 15(1) of the e-Privacy Directive. However, the Court’s interpretation places much emphasis on Articles 7, 8 and 11 of the Charter, and it is possible that the Court would reach a similar conclusion if national legislation were to require the retention of other types of data, which (formally) fall outside the scope of the e-Privacy Directive, but which, nevertheless, may be used in a similar way for drawing very precise conclusions concerning the private lives of the persons whose data has been retained. This is supported by the fact that the Digital Rights Ireland judgment sets up similar limitations based solely on the Charter. The data retention schemes of the Swedish and UK laws in question served the purpose of fighting crime. 
Given the extent to which they interfere with rights stipulated in the Charter, defining what constitutes a ‘proportionate’ purpose for such schemes is an essential part of the Court’s analysis in the Tele2 judgment, especially the part of the judgment setting up limitations for providing duties to retain the data under national law. If national legislation imposes on private parties a duty to retain other types of data for the purposes of fighting (serious) crime, the judgment is very likely to have an impact. An example of this could be national law requiring providers of communication services not covered by the e-Privacy Directive to retain the communications data of their users. As described, communications data of services like messaging and webmail services are not covered by the e-Privacy Directive (though the presented proposal for a new e-Privacy Regulation suggests that such services be included under the regulation). This will be addressed in ‘The draft e-Privacy Regulation’ section below. Yet, regardless of the outcome of the proposal, it is likely that the Court would find that the Charter requires the same type of limitations for national rules on retention of other kinds of communications data than those covered by the present e-Privacy Directive. Access to data The Tele2 judgment requires national legislation to be based on objective criteria and to define the circumstances and conditions under which the competent national authorities are to be granted access to the retained data. The Court derives this obligation from the general requirement that legislative means must be proportionate to the seriousness of the interference with fundamental rights that it entails. The judgment further states that pursuant to the principle of proportionality, access to the database must normally be subject to a prior review carried out by a court or an independent administrative body. 
Again, to reach this conclusion, the Court is interpreting Article 15(1) of the e-Privacy Directive, but draws heavily on the Charter and refers once again to its previous judgment in Digital Rights Ireland. Therefore, it seems likely that the judgment will also have an impact on legislation concerning access (including prior review of access) to types of databases similar to the databases covered by the directive. First, Tele2 may have ramifications for databases either because they contain identical types of data or similar types of data (ie data that are not communications data within the meaning of the e-Privacy Directive, but sensitive data or other data that allow precise conclusions to be drawn about the private lives of the data subjects and thus enable profiling). As an example of this distinction, Danish tax legislation provides the Danish tax authorities with the right to request access to data from private parties, for the purposes of tax control, without a prior review by a court. (As a general rule, a prior court order is required when the police are requesting access to data as part of their investigations.) Based on both Digital Rights Ireland and Tele2, it seems clear that the tax authorities cannot request access to databases covered by the e-Privacy Directive without such prior review.76 Yet, what of similar data types? In our view, despite the rule in the tax regulation, it is also likely that the same would apply to similar databases not covered by the e-Privacy Directive to the extent that they contain data similar to those covered by the e-Privacy Directive. The retention of Passenger Name Records (PNR) might constitute an example. 
Pursuant to Danish law, for the purposes of border and customs control and fighting serious crime, the Danish Tax Authorities systematically receive PNR data from the airlines on all passengers travelling to Denmark by air and disclose them (under certain conditions) to the Danish intelligence services without prior review.77 PNR data are different from communications data, but they provide information about the travel patterns of the data subjects, and thus aspects of their private lives. They are collected without exception (irrespective of any link to crime) and without most passengers being aware.78 Hence, Tele2 might influence, indirectly, how the retention of and access to PNR data is perceived.79 Secondly, the data concerned in Tele2 were retained pursuant to a legal obligation. Provided the retention has a legal basis and meets the additional requirements of general EU data protection law, data may also be retained voluntarily (ie not pursuant to a legal obligation, but as part of the business model of the commercial entity retaining it). Notwithstanding the fact that private entities are not directly bound by human rights, which affects the direct impact of some aspects of the judgment, it is possible that Tele2 will exert influence on such databases to the extent that they allow precise conclusions to be drawn about the private lives of subjects. Whether Tele2 would also apply to such data remains a far-reaching question. Though their data do not constitute communications data within the meaning of the e-Privacy Directive, private corporations such as Google or Facebook collect a tremendous amount of data concerning the personal lives of users, and much of it is likely to provide detailed information about private lives, such as search history and location data from geo-tracking. 
Looking solely at the nature of the data, the extent of the databases, and their potential to influence the private lives of the data subjects, our opinion is that there seems to be little reason to make a fundamental distinction between databases established under legislative retention obligations and voluntarily established databases. The rationale behind the Court’s ruling is that the police and other competent authorities should not have an unlimited capacity to ‘angle’ for data in databases containing large amounts of sensitive data about a large part of the population. This rationale must be equally relevant to such voluntarily established databases. If a distinction were to be made between access to data from mandatory and voluntary databases (based on the limited scope of application of the ECHR or the Charter), there would be a risk of depriving both judgments of their importance, especially given that more and more data are collected by private entities as a part of their business model, not due to any legal obligation. In other words, the reluctance of the Court to provide state authorities with surveillance tools that are too powerful is equally relevant regardless of whether the tool is provided with respect to mandatory or voluntary databases. Data retention in EU territory According to Article 4 of the e-Privacy Directive, the provider must take appropriate technical and organizational measures to safeguard the security of its services. In Tele2, the Court states that as part of the security requirements national rules must make provision for the data to be retained within the EU, cf paragraph 122. 
This conclusion was already drawn by the Court in Digital Rights Ireland, paragraph 68: In the second place, it should be added that that directive does not require the data in question to be retained within the European Union, with the result that it cannot be held that the control, explicitly required by Article 8(3) of the Charter, by an independent authority of compliance with the requirements of protection and security, as referred to in the two previous paragraphs, is fully ensured. Such a control, carried out on the basis of EU law, is an essential component of the protection of individuals with regard to the processing of personal data. The Court’s finding that the control of an independent authority required by Article 8(3) of the Charter is not fully ensured if the data is stored outside of the EU, raises a question about the extent to which this may affect other types of databases containing personal data. Formally, this part of the judgment is an interpretation of the terms ‘appropriate technical and organisational measures to safeguard security of its services’ under Article 4 of the e-Privacy Directive. However, the words ‘appropriate technical and organisational measures’ are identical to the wording of Article 17 of the Data Protection Directive. Furthermore, both the Data Protection Directive and the e-Privacy Directive must be interpreted in light of the Charter. This indicates that the Court’s finding could have an impact on interpretation of Article 17 of the Data Protection Directive. In other words, if a data retention database cannot be placed outside the EU because the national data protection authority would not be sufficiently able to control compliance with the data protection requirements, it seems logical that the same would apply to other databases that contain equally large amounts of sensitive data. As mentioned above, large Internet companies like Google and Facebook collect and retain a large amount of data about their users. 
On the basis of such data, in a similar vein to retained communications data, it is possible to draw very precise conclusions about users’ private lives. However, one might also posit reasons why the requirement to keep the database within the EU should not be extended to cover the Data Protection Directive. Although the e-Privacy Directive and the Data Protection Directive are closely interlinked and use the same terms (‘appropriate technical and organisational measures’), they do represent different regimes, and the terms used within each directive will not automatically carry the same meaning. Furthermore, in contrast to the e-Privacy Directive, the Data Protection Directive contains detailed rules on the transfer of data to third countries. None of these rules indicates that certain types of personal data or databases should not be subject to international data transfers provided the requirements laid down in the rules are met. Had that been the intention of the EU legislature, it would have been natural to make an explicit rule to that effect. It is also noteworthy that the retained data and the purpose and nature of data retention legislation, which entails a very broad surveillance of citizens by the State, call for particularly strict independent control. Thus, the judgment does not establish a general prohibition against maintaining databases with large amounts of (sensitive) personal data in third countries. 
On the other hand, it cannot be ruled out that the thinking behind this part of the judgment may have an impact on the interpretation of the Data Protection Directive’s data transfer rules and security requirements for databases with large amounts of sensitive data stored in third countries.80 The draft e-Privacy Regulation On 10 January 2017, the European Commission issued its proposal for a new e-Privacy Regulation to replace the e-Privacy Directive.81 According to the proposal, it shall apply from 25 May 2018 (the same date as the General Data Protection Regulation (regulation 2016/679)). However, the proposal still needs to go through the ordinary legislative procedure and thus be negotiated and approved by the Parliament and the Council. The final text and date of effect may therefore be subject to change. In the current draft version, the regulation seems to leave the same room for national rules on data retention as the e-Privacy Directive. Pursuant to Article 11 of the draft regulation, Member States may use national law to restrict the scope of the rights and obligations provided for in Articles 5 to 8, which include the limitations on the processing and storing of electronic communications data. Such restrictions must respect the essence of the fundamental rights and freedoms, and they must constitute a necessary, appropriate and proportionate measure in a democratic society to safeguard one or more of the general public interests referred to in Article 23(1)(a) to (e) of the General Data Protection Regulation (regulation 2016/679), which include national and public security, defence, and the prevention, investigation, detection, and prosecution of criminal offences. In other words, the restrictions must meet the principle of proportionality for these specific reasons. 
Though the wording of draft Article 11 is not identical to Article 15 of the current directive, and though it does not specifically mention data retention as Article 15 does, there seems to be no reason to believe that the draft e-Privacy Regulation aims to provide Member States with more room to manoeuvre than the e-Privacy Directive. This is confirmed by the explanatory memorandum of the proposal, in which the Commission states: The proposal does not include any specific provisions in the field of data retention. It maintains the substance of Article 15 of the e-Privacy Directive and aligns it with specific wording of Article 23 of the General Data Protection Regulation (regulation 2016/679), which provides grounds for Member States to restrict the scope of the rights and obligations in specific articles of the e-Privacy Directive. Therefore, Member States are free to keep or create national data retention frameworks that provide, inter alia, for targeted retention measures, in so far as such frameworks comply with Union law, taking into account the case-law of the Court of Justice on the interpretation of the e-Privacy Directive and the Charter of Fundamental Rights. One of the most important changes evident in the draft regulation is the extension of the scope of services and data. Whereas the e-Privacy Directive covers the classic telecom services, the draft regulation also covers so-called ‘over-the-top’ communications services (OTTs), which include Voice over Internet Protocol, instant messaging, and web-based e-mail services (spanning services such as WhatsApp, Facebook Messenger, Gmail, and Skype). Consequently, national data retention rules also covering these kinds of services will be subject to the requirements following from the e-Privacy Regulation. However, as outlined in the ‘Consequences for other types of data?’ section above, it seems likely that this might already be the case following Digital Rights Ireland and Tele2. 
Another change concerns the regulation of security requirements with which the service providers must comply. As explained in the body of our article, Article 4 of the e-Privacy Directive requires that service providers take appropriate technical and organizational measures to safeguard the security of their services. The draft regulation does not contain a similar provision. Instead, the service providers will be covered by Article 32 of the General Data Protection Regulation (regulation 2016/679), which also requires that providers take appropriate technical and organizational measures. Thus, the provisions on security requirements (both in general and in relation to electronic communications) are to be found in one single legal act. It must, therefore, be expected that the requirement to store the data within the EU, as established by the CJEU in Digital Rights Ireland and Tele2, will continue to apply. Nothing in the draft regulation, including the text of its preamble, indicates otherwise, meaning that the judgments’ use of Article 8(3) of the Charter will be equally relevant when interpreting the security requirements of Article 32. The fact that this requirement will follow directly from the General Data Protection Regulation (regulation 2016/679) makes it all the more relevant to consider whether other types of data and databases could be subject to a similar requirement under Article 32 of the General Data Protection Regulation (regulation 2016/679). We do not conclude that the two CJEU judgments limit the possibility of storing other types of data and of keeping databases in third countries in general; but time will tell whether the Court extends this ‘non-export’ rule to other areas. Footnotes 1 United Nations, International Convention for the Suppression of the Financing of Terrorism [1999] 54/109. 2 United Nations, Resolution 1373 [2001] S/RES/1373. 3 Council Framework Decision of 13 June 2002 on combating terrorism, OJ 2002 L 164. 
4 Council of the European Union, 2477th Council Meeting—Justice and Home Affairs Council—Brussels, 19 December 2002, C/02/404. 5 See, for instance, the Danish anti-terrorism amendments (Terrorpakke I) of June 2002. Information available in Danish at: <www.justitsministeriet.dk/arbejdsomraader/politi-og-straf/terrorbekaempelse> accessed 29 October 2017. 6 Declaration on Combating Terrorism [2004] and Council Declaration on the EU Response to the London Bombings [2005] C/05/187. 7 Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC [2006] OJ L 105/54, Recitals 5 and 6. 8 Ibid. 9 Ibid Art 3, cf Art 5. 10 Monica Ermert, ‘EU Data Retention Directive Finally before European Court of Justice’ (2013) Internet Policy Review, Journal on Internet Regulation <https://policyreview.info/articles/news/eu-data-retention-directive-finally-european-court-justice/162> accessed 3 February 2017. 11 Joined cases C-293/12 and C-594/12 Digital Rights Ireland [2014] ECR I-238. 12 Ibid, para 37. 13 European Union Agency for Fundamental Rights, Fundamental Rights Report 2016 [2016] 124 et seq. 14 Opinion of Advocate General Saugmandsgaard Øe delivered on 19 July 2016 in Joined cases C-203/15 and C-698/15 Tele2 Sverige AB and Watson [2016]. 15 Joined cases C-203/15 and C-698/15 Tele2 Sverige AB and Watson [2016] OJ C 221. 16 Ibid, paras 17 and 29 of the ruling. 17 Directive 2002/58/EC of the European Parliament and the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) [2002] OJ L 201/37 (e-Privacy Directive). 
18 Directive 1995/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data [1995] OJ L 281/31 (Data Protection Directive). 19 Recital 4 to the e-Privacy Directive (n 17). 20 See also Tele2 Sverige AB and Watson (n 15), paras 82 and 92 of the ruling. 21 Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications network and services [2002] OJ L 108/33 (Framework Directive). 22 Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (‘Directive on electronic commerce’) [2000] OJ L 178/1 (e-Commerce Directive). 23 Directive 2010/13/EU of the European Parliament and of the Council of 10 March 2010 on the coordination of certain provisions laid down by law, regulation or administrative action in Member States concerning the provision of audiovisual media services (Audiovisual Media Services Directive) [2010] OJ L 95/1. See Recital 5 of the Framework Directive (n 21). See in more detail Sandfeld Jakobsen, ‘EU Internet Law and the Era of Convergence: The Interplay with EU Telecoms and Media Law’ in Savin and Trzaskowski (eds), Research Handbook on EU Internet Law (Edward Elgar Publishing, UK 2014). 24 e-Privacy Directive (n 17) Recitals 17 and 29. 25 See also the invalidated Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC [2006] OJ L 105 (Invalidated Data Retention Directive), Art 5. 26 The e-Privacy Directive (n 17) Recitals 2 and 3. 27 Ibid, Recital 15. 28 Tele2 Sverige AB and Watson (n 15) para 97. 
29 Ibid, para 65 et seq. 30 Ibid, para 73 et seq. 31 The Proposal for a Regulation of the European Parliament and the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) [2017] COM/2017/010 final—2017/03 (COD), a proposal for a regulation which updates (and repeals) the e-Privacy Directive equally operates with a general exception regarding State activities in the area of criminal law which are entirely outside the scope of the directive (cf Art 2(2)(c)), and a more specific exception provision concerning legitimate restrictions (eg with regard to combating crime) to the right to confidentiality of electronic communications data, cf Art 11 (which refers to Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L 119 (the new Data Protection Regulation)). 32 This analysis relates solely to the questions referred to the Court by the referring Swedish court, as it asked specifically about the EU law compliance of the mere retention obligation, irrespective of the rules governing access to the retained data. See, in particular, Tele2 Sverige AB and Watson (n 15), paras 51 and 59. 33 See also C-275/06, Promusicae [2008] ECR I-271, paras 47 et seq. 34 Tele2 Sverige AB and Watson (n 15) para 89. Reference is also made, by analogy, to C-119/12, Probst [2012] para 23. 35 Tele2 Sverige AB and Watson (n 15) para 91. See also by analogy, Joined cases C-465/00, C-138/01 and C-139/01 Österreichischer Rundfunk and Others [2003] ECR I-4989, para 68 and Case C-131/12, Google Spain vsAEPD [2014] para 68. 36 Tele2 Sverige AB and Watson (n 15) para 92, cf para 99. 
37 Opinion of Advocate General Øe (n 14) para 185. 38 e-Privacy Directive (n 17) Recital 11. 39 Tele2 Sverige AB and Watson (n 15) para 96. Hereby, the CJEU refers to, among other cases, C-73/07, Satamedia Oy [2008] ECR I-9831. It is remarkable that this reference relates to yet another derogation from a general rule, more precisely that of freedom of expression under the Data Protection Directive (n 18). However, in the present judgment, the CJEU seems to extend it to limitations to the right to respect for private life as such. 40 Tele2 Sverige AB and Watson (n 15) para 98. 41 Ibid, para 99, cf by analogy, Digital Rights Ireland (n 11) para 27. 42 Ibid, para 99, also referring to Opinion of Advocate General Øe (n 14) para 253 et seq. 43 Digital Rights Ireland (n 11) para 39. 44 Tele2 Sverige AB and Watson(n 15) para 100, cf by analogy, Digital Rights Ireland (n 11), para 37. 45 Tele2 Sverige AB and Watson (n 15) para 101, cf by analogy, Digital Rights Ireland (n 11) paras 39 and 28. 46 Tele2 Sverige AB and Watson (n 15) para 102 et seq, cf by analogy Digital Rights Ireland (n 11) paras 60 and 54. 47 Tele2 Sverige AB and Watson (n 15) para 104. 48 Ibid, para 105 et seq. Likewise, referring to Digital Rights Ireland (n 11) para 57 et seq. 49 Tele2 Sverige AB and Watson (n 15) para 106. 50 Digital Rights Ireland (n 11) para 60 et seq. 51 Opinion of Advocate General Øe (n 14). 52 Tele2 Sverige AB and Watson (n 15) para 108. 53 Ibid, para 109. 54 Ibid, para 54 with reference to the following rulings from the ECtHR, Liberty and Others vthe United Kingdom (2008) ECHR 568; Rotaru vRomania (2000) ECHR 192 , and S and Marper vthe United Kingdom (2008) ECHR 1581. 55 Digital Rights Ireland (n 11) paras 54 et seq. 56 Ibid, paras 117–18. 57 Ibid, para 111. 
58 See also the ‘positive list’ in Art 2 of the Council Framework Decision of 13 June 2002 on the European Arrest warrant and the surrender procedures between Member States [2002] PB L 190 2002/548/JHA (European Arrest Warrant). 59 Tele2 Sverige AB and Watson (n 15) para 106. 60 Ibid, para 119. 61 Directive 2006/24/EC (n 7), Art 7 stipulated that the data should be retained for no less than 6 months and no longer than 2 years from the date of the communication. 62 Tele2 Sverige AB and Watson (n 15) para 108. In Digital Rights Ireland (n 11) the Court was critical of the retention period set out by the now invalidated Data Retention Directive—between 6 and 24 months—without stating that the determination of the period of retention must be based on objective criteria in order to ensure that it is limited to what is strictly necessary, cf para 64. 63 Tele2 Sverige AB and Watson (n 15) para 122. 64 In Digital Rights Ireland (n 11), the Court noted that because the systematic retention of the general population’s traffic data entails an interference with the fundamental rights of practically the entire European population, the criminal offences must be sufficiently serious to justify such interference, cf paras 56 and 60. 65 Tele2 Sverige AB and Watson (n 15) para 102. 66 Ibid, para 115. 67 Ibid, para 103. 68 Ibid, para 111. 69 Digital Rights Ireland (n 11) para 62. 70 Tele2 Sverige AB and Watson (n 15) para 120. 71 Ibid, para 120, cf Digital Rights Ireland (n 11) para 62. 72 Tele2 Sverige AB and Watson (n 15) para 122. 73 Digital Rights Ireland (n 11) para 66–68. 74 Opinion of Advocate General Cruz Villalón delivered on 12 December 2013 in C-293/12, Digital Rights Ireland [2016] para 221. 75 In order to ensure the legal safety of the persons whose data are retained, the decision from the competent national authority should be public available, unless, of course, the purpose of the data retention in the given situation may be forfeited by the publication. 
76 It should be noted that due to the legal uncertainty caused by Digital Rights Ireland, the Danish tax authorities have since refrained from applying the rule. 77 Due to the Danish opt-out with respect to EU policy on Justice and Police Affairs, Denmark has established its own PNR system. 78 In preparatory works of the Act providing access to PNR data for the Danish Military Intelligence Service, the Ministry of Defence acknowledges the possible influence of Tele2 Sverige AB and Watson, but dismisses it on the grounds that that PNR data, unlike communications data under the Swedish and UK data retention schemes, are not collected from the entire population, only those travelling to Denmark by flight. 79 For similar speculations, see also Irena Nesterova, Crisis of Privacy and Sacrifice of Personal Data in the Name of National Security: The CJEU Rulings Strengthening EU Data Protection Standards (European Society of International Law (ESIL) 2016 annual conference, Riga, 2017); Lorna Woods, ‘Data Retention and National Law: The ECJ Ruling in Joined Cases C-203/15 and C-698/15 Tele2 and Watson (Grand Chamber)’, in EU Law Analysis (21 December 2016), available at: <http://eulawanalysis.blogspot.com/2016/12/data-retention-and-national-law-ecj.html>. 80 In its Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is ‘likely to result in a high risk’ for the purposes of Regulation 2016/679, adopted on 4 April 2017 [2017] WP 248, the Art 29 Working Party mentions transfer of data outside the EU as one the criteria that could make data processing a high-risk factor triggering the requirement for a DPIA. 81 Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) COM (2017) 10 final. © The Author(s) 2018. 
Published by Oxford University Press. All rights reserved. For Permissions, please email: journals.permissions@oup.com. This article is published and distributed under the terms of the Oxford University Press, Standard Journals Publication Model (https://academic.oup.com/journals/pages/about_us/legal/notices).

International Data Privacy Law, Advance Article (2), 24 February 2018. Oxford University Press. ISSN 2044-3994; eISSN 2044-4001. DOI: 10.1093/idpl/ipx026.
Likewise, uncertainty lingered as to what the consequences of this judgment would be for national data retention schemes. While some Member States amended or repealed national data retention provisions, others remained passive.13 As a result, actions were filed before national courts and two were referred to Luxembourg, known subsequently as Tele2 Sverige AB and Watson (hereinafter referred to as Tele2). In the Swedish case, the referring court asked the Court to assess, specifically, the implications attached to the mere retention of data (unconflated with the matter of access to retained data). While emphasizing the serious nature of the interference with fundamental rights caused by mere retention, the Advocate General’s opinion of 19 July 2016 held the door open for national data retention schemes if accompanied by sufficient safeguards surrounding access to the retained data.14 Yet on 21 December 2016, the Court delivered a ruling questioning not only the existing data retention schemes, but also whether data retention could still be used as a means for detecting, investigating, and prosecuting serious crime.15 The present article undertakes an analysis of the Court’s ruling of 21 December 2016, assessing its impact on current and future provisions on data retention. First, the article will set out the direct scope of application of the ruling, focusing on Directive 2002/58/EC. Secondly, it will determine whether data retention (namely, general and undifferentiated collection of communications data) may still be used as a means for detecting, investigating, and prosecuting serious crime. The article’s third main concern is to scrutinize the criteria that such retention provisions must meet if they are to comply with Articles 7, 8, and 52 of the Charter. Finally, the article will assess the broader consequences of the ruling outside its direct scope of application (ie the implications for other service providers and data). 
Scope of application of Tele2 Sverige AB and Watson

Directive 2002/58/EC and EU Charter of Fundamental Rights Articles 7 and 8

The Tele2 ruling concerns data retention rules in Sweden and the UK: namely, whether obligations imposed by these jurisdictions comply with EU law following the invalidation of the Data Retention Directive. As such, the ruling is one measure of the room to manoeuvre retained by national data retention rules within the framework of EU law. The abiding questions posed are: which rules apply, and to whom? After the invalidation of the Data Retention Directive there are no longer data retention rules at the EU level. However, because the national data retention rules in question—Swedish and UK—concern the processing of communications data by providers of telecommunication services,16 what applies here is Directive 2002/58/EC on Privacy and Electronic Communication (the e-Privacy Directive),17 which is part of the EU legal framework on telecommunications. Since communications data is personal data (revealing who has been communicating with whom, when and where etc), the e-Privacy Directive translates the principles set out in Directive 1995/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the Data Protection Directive)18 into specific rules for the telecommunications sector.19 In both Swedish and UK legislation the e-Privacy Directive is partly implemented, within an area harmonized in general by Directive 95/46/EC, which also means that the Charter applies here (notably Articles 7 and 8 regarding privacy and protection of personal data, and, more indirectly, Article 11 regarding freedom of speech, cf Article 51 of the Charter).20

Providers of electronic communications services

It follows that the scope of the ruling is primarily delimited to the special category of service providers and communications data covered by the e-Privacy Directive.
This directive applies to providers of ‘publicly available electronic communications services’, which is defined not in the e-Privacy Directive itself, but in the main telecommunications directive, the so-called Framework Directive,21 which is referred to in Article 2 of the e-Privacy Directive. According to Article 2(c) of the Framework Directive, an electronic communications service consists—wholly or mainly—in electronic conveyance (transmission or transportation) of communication through a publicly available network (eg by transporting phone calls, e-mails, and internet traffic between communicating parties). Services providing content (eg web services, mobile apps or broadcasting services) are not covered, but are instead most likely ‘information society services’ covered by the e-Commerce Directive (2000/31/EC),22 or ‘Audiovisual Media Services’ covered by the Audiovisual Media Service Directive (2007/65/EC), now consolidated in Directive 2010/13/EU.23 Hence, the e-Privacy Directive applies to telecommunication operators (such as those regulated by the Swedish and UK legislation at issue in Tele2).24 This encompasses the telecom operators who transmit electronic communication between communicating parties and who are able to store and process data regarding this communication. Most pertinent here is traffic and location data revealing who is communicating with whom, the means of communication used, along with information about when and where the exchange occurs: in other words, the data that constitutes the foundation of data retention regimes.25 So far, it is only the telecom operators who have been subject to general and systematic data retention obligations (whether in the now invalidated Data Retention Directive or in the Swedish and the UK regulations covered by the Tele2 ruling).
Traffic and location data

Communications data are protected by the fundamental right to confidentiality of communications, which is guaranteed by Article 8 of the European Convention on Human Rights (ECHR) and also covered by Article 7 of the Charter, cf Article 52(3).26 Article 5(1) of the e-Privacy Directive restates this fundamental right and it prohibits as a main rule any listening, tapping, storage, other kinds of interception, or surveillance of communications and the related traffic data. It appears, then, that the right to confidentiality applies not only to the relevant communicative content, but also to the related traffic data. The notion of ‘traffic data’ is defined as any data processed for the purposes of the conveyance of a communication on an electronic communications network or for the billing thereof, cf Article 2(b). ‘Traffic data’ includes, inter alia, data regarding the identity of the sender and recipient of the communication, the location of the parties’ terminal equipment, the time and duration of the communication, the applied network and communication equipment, and the format of the communication.27 Under the Swedish and UK legislation scrutinized in the Tele2 CJEU ruling, and in line with the invalidated Data Retention Directive, it is storage of traffic data which is at issue—traffic data covered by Article 2(b) of the e-Privacy Directive.28 As such, the ruling does not, at least not directly, cover communications data other than traffic data (including location data) comprised and defined by the e-Privacy Directive.

The e-Privacy Directive covers both the retention of data and access to that data

The right to confidentiality is not absolute. Neither the ECHR nor the e-Privacy Directive extend the matter this far. Traffic data may be processed by the telecom providers themselves for the purposes of transmitting a communication or for subscriber billing and interconnection payment, cf Article 6(1) and (2) of the e-Privacy Directive.
Additionally, and more importantly in the present context, according to Article 15(1), Member States can restrict rights granted under the e-Privacy Directive when such restrictions constitute a necessary, appropriate, and proportionate measure within a democratic society to safeguard national security (ie State security), defence, public security, or to prevent, investigate, detect, and prosecute criminal offences or unauthorized use of the electronic communication system, as referred to in Article 13(1) of the Data Protection Directive. Article 15(1) explicitly states that to achieve the legitimate ends laid down in the provision (safeguard security, prevent crime etc), Member States may adopt legislative measures providing for the retention of data, though only for a limited period. Ultimately, it is the interpretation of Article 15(1), informed by the Charter and pertaining to the Swedish and UK data retention legislation, which forms the pivotal point of the CJEU’s decision in Tele2. In this context it should be noted that it was argued before the CJEU that national legislation on data retention and access to that data by the national authorities for the purpose of combating crime either falls entirely outside the scope of the e-Privacy Directive, or that the directive only applies to national legislation regarding the mere retention of data, not rules relating to national authorities’ access to that data.29 The reason for both arguments is that Article 1(3) of the e-Privacy Directive excludes from its scope activities of the State in areas such as criminal law. The CJEU, however, correctly rejected these arguments. The purpose of the e-Privacy Directive is to regulate the right to privacy and confidentiality in the electronic communications sector, as well as the activities of providers of electronic communications services.
Data retention regimes that impose the retention of users’ traffic and location data upon providers of electronic communications services affect both the privacy of said users and the activities of the providers and thus cannot fall entirely outside of the scope of the directive. Further, as the Court also reasoned, if any Article 1(3)-related State activity within the realm of criminal law automatically falls outside the scope of the directive, then Article 15(1), with its grounds (including combatting crime) for exceptions to some of the basic rules of the directive, would be deprived of any purpose.30 The essential issue is not whether the national regulation pursues a criminal law purpose, but whether it concerns electronic communications service providers’ protection of their users’ privacy and communications confidentiality. If so, the e-Privacy Directive applies. This being the case, the e-Privacy Directive applies to both the retention of and subsequent access to the retained data. Accordingly, the directive applies not only to the retention itself, but also to the access to the retained data by the competent authorities when such access is granted by the provider eg in accordance with a court order or similar legal process in accordance with national law.31 In sum, the ruling in Tele2 applies to national data retention regulations governing providers of telecommunications services covered by the e-Privacy Directive (read in light of the Charter). It applies to such providers’ retention of traffic and location data (as defined by the e-Privacy Directive) as well as national authorities’ access to said data retained by the provider. This raises the issue of the scope of the ruling with regard to possible data retention measures directed not merely at telecom providers but also at content providers who, as noted above, presently fall outside the scope of the e-Privacy Directive. 
This issue will be considered in the ‘Consequences for other types of data?’ section of this article.

General collection of communications data post-Tele2

Introduction

In Tele2, the CJEU was once again asked its opinion on the legality of a general data retention scheme. While the judgment in Digital Rights Ireland concerned the EU data retention scheme established by the Data Retention Directive and its direct compliance with the Charter, Tele2 concerned national data retention schemes under the e-Privacy Directive, and thus an interpretation of that directive read in light of the Charter. Tele2 raised the question of whether the mere retention of traffic and location data, as seen in the legislation concerned in the Swedish case,32 complied with Article 15(1) of the e-Privacy Directive read in light of Articles 7, 8, 11, and 51 of the Charter, irrespective of the existence of sufficient safeguards surrounding access to the retained data. Consequently, having established that the e-Privacy Directive governs such national data retention schemes, the Court set out to define the room to manoeuvre retained by such national rules under Article 15 of the e-Privacy Directive. Seeking to ensure confidentiality in electronic communications, Article 5(1) of the e-Privacy Directive prohibits, ‘as a general rule’, anyone other than the user from storing traffic data relating to electronic communications without the user’s consent.
Aside from the technical storage necessary for the conveyance of a communication and for billing purposes,33 Article 15(1) thus provides for the only exceptions to that rule and, according to settled case law, must, therefore, be interpreted strictly.34 It also follows directly from Article 15(1)(3) that such exceptions shall be in accordance with the general principles of EU law and fundamental rights now guaranteed by the Charter.35 As already mentioned, the latter involves in particular Articles 7 and 8, but also Article 11 on freedom of expression, as extensive data retention may affect the use of electronic communications and thus the service users’ freedom of expression.36 Furthermore, pursuant to Article 52(1) of the Charter, any limitation to the rights enshrined in the EU Charter must be provided for by law and respect the essence of those rights. Subject to the principle of proportionality, limitations are allowed only if they are necessary and if they genuinely meet objectives of general interest recognized by the EU or the need to protect the rights and freedoms of others. With respect to ‘necessity’, it is stipulated that the measure is ‘necessary, appropriate and proportionate’ or—as expressed by the Advocate General—that no other measures exist that would be equally appropriate and less restrictive.37 Hence, as introduced above, under Article 15(1) of the e-Privacy Directive, Member States may adopt measures that derogate from the general principle of confidentiality to the extent that they are ‘necessary, appropriate and proportionate’ in a democratic society, or, in other words, ‘strictly’ proportionate.38 It follows from Article 15(1)(2), specifically relating to data retention, that data should be retained ‘for a limited period’ only, and should be justified by reference to one of the objectives listed in Article 15(1)(1).
Also, more generally, with respect to the protection of the fundamental right to respect for private life, limitations apply only in so far as ‘strictly necessary’.39 In sum, pursuant to Article 15(1) of the e-Privacy Directive, Member States may adopt national data retention provisions only in so far as they are strictly necessary and proportionate. Did the Court find that national legislation such as that examined in Tele2 is capable of meeting these criteria? The CJEU recalled that such national legislation provides for a general and indiscriminate retention of all data of all subscribers and registered users relating to all means of electronic communications. Furthermore, it imposes on providers of electronic communications services an obligation to retain such data systematically and continuously, with no exception. The categories of data covered by such legislation thus correspond, in essence, to data retained under the Data Retention Directive. Such data makes it possible ‘in particular, to identify the person with whom a subscriber or registered user has communicated and by what means, and to identify the time of the communication as well as the place from which that communication took place.
Furthermore that data makes it possible to know how often the subscriber or registered user communicated with certain persons in a given period.’40 As already acknowledged in Digital Rights Ireland, ‘that data, taken as a whole, is liable to allow very precise conclusions to be drawn concerning private lives of the persons whose data has been retained’.41 With reference to the Advocate General, the Court recalled that such data thus provide the means of establishing a profile of the individuals concerned, information that is no less sensitive, regarding the right to privacy, than the actual content of communications.42 In Digital Rights Ireland, reaching the conclusion that the interference with the rights in Articles 7 and 8 of the Charter caused by the Data Retention Directive did not adversely affect the ‘essence’ of the rights, the Court relied on the distinction between content data on the one hand, and traffic and location data on the other.43 Yet the above statement questions the extent of that distinction and may have the potential to influence areas outside retention of communications data. From there, the CJEU essentially followed, by analogy, its judgment in Digital Rights Ireland. Accordingly, it recalled that the interference with the rights safeguarded by Articles 7 and 8 of the Charter caused by such legislation is very far-reaching and must be considered particularly serious.
Moreover, the fact that data is retained without informing the subscriber or registered user of the means of communication is likely to cause those persons to feel that their private lives are the subject of constant surveillance.44 Even if the legislation only permits retention of traffic and location data, not content data, and does not adversely affect the ‘essence’ of the rights, it could have an effect on prospective use of electronic communications and on the users’ exercise of their freedom of expression under Article 11 of the Charter.45 Given the seriousness of the interference, only the objective of fighting serious crime is capable of justifying it. However, even the most fundamental objective of general interest cannot, in itself, justify a national law that provides for the general and indiscriminate retention of all traffic and location data as being deemed ‘necessary’ for the purpose of fighting such crime.46 The assessment of the necessity of the retention obligation follows two main arguments. First, as opposed to Digital Rights Ireland, in which the Data Retention Directive was assessed in light of the Charter directly, the national provisions concerned in Tele2 are assessed pursuant to Article 15(1) of the e-Privacy Directive read in light of the Charter. Thus, while the system put in place by the directive requires data retention to be the exception, under the Swedish rules concerned it had become the rule.47 Secondly, the national rules cover, in a generalized manner, all subscribers and registered users and all means of electronic communication as well as all traffic data, providing for no differentiation, limitation or exception according to the objective pursued. It even applies to persons for whom there is no evidence capable of suggesting that their conduct might have a link, even an indirect or remote one, with serious crime. Such rules do not require there to be any relationship between the data retained and a threat to public security. 
In particular, they are not restricted to retention of (i) data pertaining to a particular period of time and/or geographical area and/or a group of persons likely to be involved, in one way or another, in a serious crime, or (ii) persons who could, for other reasons, contribute, through their data being retained, to fighting crime.48 Consequently, such rules exceed the limits of what is strictly necessary in a democratic society, as required by Article 15(1), read in light of Articles 7, 8, 11 and 52(1) of the EU Charter.49 As noted, those criteria were already established by the CJEU in Digital Rights Ireland. However, following that judgment, it remained unclear whether a general data retention scheme as a matter of principle exceeds the legitimate limits of the Charter, or whether it depends on the safeguards surrounding access to the retained data. The latter interpretation is supported by the fact that the CJEU in Digital Rights Ireland continued to assess the scheme surrounding access to the retained data.50 In Tele2, even though the Advocate General strengthened the assessment of the fundamental rights implications of such general data retention rules, he did hold the door ajar for these rules provided that they follow the criteria established by the CJEU in Digital Rights Ireland.51 Nonetheless, Tele2 saw the CJEU reach the opposite, broader conclusion. Few would have foreseen this as a probable consequence of Digital Rights Ireland and it will force a number of Member States to amend their national rules on data retention.

Criteria for imposing national data retention regulation

It is important to note that the ruling in Tele2 does not preclude Member States from imposing national data retention legislation as a matter of principle.
The Court explicitly states that preventive national data retention regimes can be adopted ‘… for the purpose of fighting serious crime, provided that the retention of data is limited, with respect to the categories of data to be retained, the means of communication affected, the persons concerned and the retention period adopted, to what is strictly necessary.’52 Within this overall principle of proportionality, the Court elaborates, lie both formal requirements to the character of the regulation as such, and more substantial conditions in the regulation, ie how retention is ‘targeted’. These formal and substantial requirements concern the retention itself, the authorities’ subsequent access to the retained data, or both.

Formal requirements

With regard to the formal requirements, the ruling stipulates that national data retention legislation must lay down clear and precise rules governing the scope and application of such data retention measures and impose minimum safeguards, providing persons whose data have been retained with sufficient guarantees for the effective protection of their personal data against the risk of misuse. That legislation must, in particular, indicate in what circumstances and under which conditions provisions on data retention may, as a preventive measure, be adopted, thereby ensuring that such a measure is limited to what is strictly necessary, ie is proportionate.53 The Court, referring back to its ruling in Digital Rights Ireland,54 leans here on case law under Article 8 of the ECHR, wherein the European Court of Human Rights has stated repeatedly that in order to enact exemption from the right to privacy, the exemption must not only be prescribed by law, but that law must also be clear and precise and contain sufficient safeguards to effectively protect against the risk of abuse and against any unlawful access and use of the relevant data.
Thus, a clear legal basis must apply, based on objective criteria, and sufficient minimum safety guarantees, both with regard to the data retention itself and the authorities’ subsequent access to the retained data. With regard to the latter, the CJEU, in line with its previous statements in Digital Rights Ireland,55 highlights that national provisions on data retention must lay down clear and precise rules indicating in what circumstances and under which conditions the providers of electronic communications services must grant the competent national authorities access to the data.56 The Court makes clear that Member States cannot circumvent this requirement simply by requiring that access should be for one of the objectives referred to in Article 15(1) of the e-Privacy Directive, even if that objective is to fight serious crime. In order to ensure that the measure in question is, in fact, necessary and proportionate, the national legislation must also lay down the substantive and procedural conditions governing the access of the competent national authorities to the retained data.

Substantial requirements

Possibility of creating a link between the persons affected and serious criminal offences

Besides these formal conditions—that the national law is clear, precise, and contains minimum safeguards—it must also comply with certain substantial conditions. Recognizing that those conditions may vary according to the nature of the measures taken for the purposes of prevention, investigation, detection and prosecution of serious crime, the Court makes it clear that retention of data must continue nonetheless to meet objective criteria that establish a connection between the data to be retained and the objective pursued. Such conditions must circumscribe, in practice, the extent of that measure and, thus, the persons affected.
More precisely, the Court notes that the national legislation must be based on objective evidence, which makes it possible to identify persons whose data is likely to reveal a link, at least an indirect one, with serious criminal offences, and to contribute in one way or another to fight serious crime or to prevent a serious risk to public security.57 Thus, as mentioned above, the Court makes it very clear, as stated in paragraph 97 of the ruling, that national legislation that provides for a general, systematic, continuous, and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication does not conform to EU law and thus cannot be upheld or adopted. The national data retention legislation must render it possible to create a link between the persons whose data are retained and the prevention of or fight against serious crime.

Use of a geographical criterion?

However, this does not mean that the persons whose data are retained can never be identified based on a geographical criterion alone (and thus cover all persons within that geographical area). According to the Court, the required limits (with regard to the public affected by the data retention measure) may be set by using a geographical criterion where the competent national authorities consider, on the basis of objective evidence, that there exists, in one or more geographical areas, a high risk of preparation for or commission of such offences.
This probably means that a geographically based data retention—covering all persons within that specific area—cannot be automatic and continuous, but requires (i) that a competent authority has issued a retention order in accordance with general legislation, (ii) that the order is based on objective evidence corresponding with objective criteria laid down in the national legislation, (iii) that the evidence indicates not only a risk, but a high—and thus probably also relatively specific—risk of serious criminal offences being prepared or executed. This also, by implication, means that when the risk is no longer high, the data retention must cease. All of this must be reflected in the national regulation: only subject to these conditions may the data retention be based (solely) on a geographical criterion (cf above regarding the formal requirement that the national regulation is clear, precise, and must contain sufficient safety guarantees). Yet a certain paradox ought to be noted in the Court’s conditions regarding the geographical criterion. Given that serious crime in practice58 covers a rather wide spectrum including homicide, attempted homicide, organized narcotics trade, human trafficking, serious violent assault etc, most—if not all—areas of major population concentrations in the EU will be the scene of the planning or execution of such crime on a daily basis. In practice, then, one could argue—while remaining strictly within the reasoning of the Court—that most major cities in the EU will at any given time warrant geographically based data retention. It is also noteworthy that the ruling indicates that the criteria which must be applied for restricting the data retention to what is proportionate may differ depending on the situation.
The Court expressly refers to restrictions due to (i) data pertaining to a particular time-period and/or geographical area and/or a group of persons likely to be involved, in one way or another, in a serious crime.59 Hence, it seems that the Court leaves some latitude for national data retention regimes to stipulate that under certain conditions some of the three listed criteria need not be applied. If, for example, a Member State encounters a specific situation with a high risk of terror-related crime being conducted, that Member State’s data retention regime can prescribe retention of data only restricted by a time criterion (provided the terror risk is imminent), but not subject to restriction in terms of the geographical area or the group of persons likely to be involved.

Other persons than the individuals suspected?

It is constructive to question the requirement set forth by the Court that under the national regulation there must be an (in)direct link between the persons whose data are being retained and the prevention of or fight against serious crime. Namely—in terms of access to the retained data—is it only the data of individuals suspected of planning, committing, or having committed a serious crime, or of being implicated in one way or another in such a crime, to which the authorities can gain access? The Court establishes that this is indeed the general rule.60 However, as an exception hereto, the Court affirms that ‘in particular situations, where for example vital national security, defence or public security interests are threatened by terrorist activities, access to the data of other persons might also be granted where there is objective evidence from which it can be deduced that that data might, in a specific case, make an effective contribution to combating such activities’.
Hence, it is possible for national data retention regimes to allow for the retention of data and access to retained data on persons who are not linked to serious crime, but only in relation to a specific case and only in particular situations where ‘vital interests’ are threatened by forces such as terrorist activities. Again, a systematic and continuous retention of the wider population’s communications data without limitations is not permissible.

Duration

It follows that national data retention legislation may no longer be based on retention that takes place automatically and continuously, but must instead be targeted and based on a specific order in compliance with the rules and safeguards laid down in the legislation. When the risk of a serious criminal offence is no longer present, the data retention must cease. A question persists, however: how long may the national legislation subsequently require that data remains stored, allowing the competent authorities to gain access to data in accordance with the conditions set forth in national law? The ruling from the CJEU does not stipulate a specific time-period (unlike the now invalidated Data Retention Directive).61 The ruling states only that the retention period should comply with the principle of proportionality (ie be based on objective criteria and limited to what is strictly necessary).62 Hence, it is up to the Member States to determine the retention period within these limits. Importantly, the ruling also specifies that national legislation must make provision for the data to be retained within the EU and for the irreversible destruction of the data at the end of the data retention period.63 This requirement to store data within the EU is discussed further in ‘Consequences for other types of data?’ section below.
Retention and access only with the object of fighting serious crime

The Court has reiterated many times that data retention may only be imposed for the purpose of fighting ‘serious crime’.64 Concerning the mere retention of data specifically, the Court notes that since national data retention legislation represents such a serious interference with fundamental rights, only the objective of fighting serious crime is capable of justifying such a measure.65 With regard to access to the retained data, the Court also emphasizes that, since the objective pursued by the national legislation must be proportionate to the seriousness of the interference with fundamental rights that such access entails, it follows, with regard to fighting criminal offences, that only the objective of fighting serious crime is a worthy justification.66 Hence, the Court creates a distinction between serious crime and other kinds of crime; yet without defining, or otherwise making clear, how this distinction shall be made. As examples of ‘serious crime’, the ruling mentions organized crime, terror,67 and serious threats to public security.68 These are types of crime which all clearly indicate that only the most severe types of crime can legitimize a national data retention regime. Although other EU instruments (eg the aforementioned European Arrest Warrant) may provide some guidelines regarding the notion of ‘serious crime’, the CJEU makes no reference hereto in the ruling, and thereby, to a large extent, leaves the definition of ‘serious crime’ up to the Member States and national courts. This may create legal uncertainty and national differences across the EU.
Notwithstanding the interpretational problems, the requirement regarding serious crime will no doubt represent an unwelcome barrier for several Member States whose current data retention regimes may also allow access to retained data (eg location data) with regard to crimes which cannot be deemed serious to the degree stipulated by the Court.

Access only subject to a prior review

As stated in ‘The e-Privacy Directive covers both the retention of data and access to that data’ section, the Court decided that the e-Privacy Directive covers both the retention of data and access to that data. In order to ensure that the conditions for the authorities’ access to the retained data are respected, the Court, in line with its ruling in Digital Rights Ireland,69 stresses that, apart from cases of validly established urgency, access should be subject to a prior review carried out either by a court or by an independent administrative body.70 Regardless of whether this requirement is seen as a substantial requirement, or rather as a procedural minimum safeguard and thus part of the formal requirements, it underlines the seriousness the Court ascribes to the sensitivity of traffic and location data. Access to such data cannot rely only on an assessment delivered by any given authority, but must be scrutinized by either a court or by an independent administrative body. Moreover, the Court reiterates what it stated in Digital Rights Ireland, namely that the decision of that court or administrative body should be made following ‘a reasoned request by those authorities submitted, inter alia, within the framework of procedures for the prevention, detection or prosecution of crime’.71 Hence, not only must a request for access be reasoned, ie comply with the substantial conditions for gaining access (clear and precise rules, serious crime, only persons related to that crime, cf above). It must also adhere to normal criminal procedural rules and safety guarantees.
This means that in case it is not a court, but an administrative body which carries out the prior review, the procedural rules governing such administrative body must be very similar to the procedural rules before the ordinary courts. An administrative body cannot act as simply a rubber stamp for an authority’s submission for access to retained data.

Security

The requirement that competent authorities legitimate and regulate access to retained data is one matter. Quite another matter is the risk of illegitimate, third-party access to the data due to lack of security. Pursuant to Articles 4(1) and 4(1)(a) of the e-Privacy Directive, providers of electronic communications services must take appropriate technical and organizational measures to ensure the effective protection of retained data against risks of misuse and any unlawful access to that data. Hence, the security level must correspond with the risks and consequences of a security breach. As the Court also notes, the quantity and sensitivity of retained data, and the risk of unlawful access to it, require a particularly high level of protection and security with regard to retained data.72 In this connection, the Court requires that national legislation should accord in two further ways, both of which followed from Digital Rights Ireland:73 namely, that the legislation makes provision for the data to be retained within the EU and that it provides for the irreversible destruction of the data at the end of the retention period. The requirement that the data must be retained within the EU may seem somewhat surprising and is not explained further in the ruling. However, in Digital Rights Ireland, to which the Court expressly refers (by analogy), it is explained that if the data is not stored within the EU, it cannot be ensured that the requirements regarding protection and security of the data are controlled by an independent authority as prescribed by Article 8(3) of the Charter.

Are the requirements cumulative?
In Digital Rights Ireland, where the Court applied some of the requirements also followed in Tele2, it is not entirely clear whether the requirements are meant to be cumulative (as opposed to an assessment as a whole whereby only some of the requirements need to be fulfilled). In the Advocate General’s proposal, it is argued that the safety guarantees established in Digital Rights Ireland shall be cumulative.74 In the present ruling, however, the Court does not explicitly address the issue, but the wording and structure of the ruling leaves little doubt that the requirements—which have now increased to encompass requirements regarding the retention as such—are cumulative. Hence, national data retention legislation must conform to all the requirements.

Conclusion

In sum, the Tele2 ruling does not preclude Member States from imposing national data retention legislation as general, preventive regimes. However, such rules must conform to both formal and substantial conditions, and these conditions pertain to both the retention as such and the subsequent access to the retained data by the authorities. This means an end to the type of national data retention measures exhibited by Sweden and the UK in Tele2—measures that provide for a general, systematic, continuous, and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communications. The legislation must be, in itself, clear and precise, based on objective criteria, and contain sufficient minimum safeguards, both with regard to the retention of data and the subsequent access to retained data. Moreover, the regulation must contain objective criteria that establish a connection between the data to be retained and the objective pursued.
In this connection, the legislation must be based on objective evidence, which makes it possible to identify persons whose data is likely to reveal a link, at least an indirect one, with serious criminal offences. Identification of the relevant persons using a geographical criterion may be applied, but only where the competent national authorities deem, based on objective evidence, that there is an existing high risk of preparation for or commission of such offences in one or more (specific) geographical areas.75 Moreover, data retention can only be imposed for the purpose of fighting ‘serious crime’, which remains far from clear as a concept. Specifically, concerning access to the retained data, national legislation must set forth that, apart from cases of validly established urgency, access should be subject to a prior review carried out either by a court or by an independent administrative body. Further, the quantity and the sensitivity of retained data, and the risk of unlawful access to it, require a particularly high level of protection and security with regard to retained data. Finally, the national legislation must make provision for the data to be retained within the EU.

Consequences for other types of data?

Tele2 is a case about the interpretation of Article 15 of the e-Privacy Directive. The judgment focuses on data retention activities covered by Article 15 and does not deal directly with activities beyond this. In other words, the judgment does not provide interpretations of the Data Protection Directive. For several reasons, the judgment may nonetheless have an impact on other areas of data protection law. Not least, this is because the Court draws heavily on the Charter in reaching its conclusions. Both the Data Protection Directive and the e-Privacy Directive must be interpreted in light of the Charter.
Furthermore, the Court’s basic line of thought and the requirements stipulated in its judgment seem to indicate that a database containing personal data about a (potentially) huge sector of a population with content that enables possible detailed profiling of the data subjects, must be subject to extraordinarily strict data protection measures and requirements. Regarding the content of the retained data, the Court states the following (paragraph 99):

    That data, taken as a whole, is liable to allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained, such as everyday habits, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them (see, by analogy, in relation to Directive 2006/24, the Digital Rights judgment, paragraph 27). In particular, that data provides the means, as observed by the Advocate General in points 253, 254 and 257 to 259 of his Opinion, of establishing a profile of the individuals concerned, information that is no less sensitive, having regard to the right to privacy, than the actual content of communications.

At a general level, this raises the question whether other kinds of databases (containing very sensitive data about a very large group of data subjects) may, in the same way, be subject to extraordinarily strict requirements in the light of the protection provided for by Articles 7 and 8 of the Charter. The judgment must be read and understood in the light of the intrusive nature of data retention schemes, which does not necessarily apply to other types of databases. However, not all parts of the judgment are linked closely to this intrusion aspect, and this prompts questions about whether some aspects of the judgment could inform efforts to analyse the processing of some other types of data (data which may be even more sensitive than retention data).
With the Court emphasizing the profiling potential of data retention databases, analysts might be prompted to evaluate the status of other databases established by private parties with a large profiling potential. In this regard, it is well known that companies like Google and Facebook collect large amounts of data about their users, enabling extremely detailed profiling. At a general level, then, it cannot be ruled out that the thinking behind the judgment will affect the interpretation of the Data Protection Directive when it comes to these kinds of databases. Questions also arise about whether some of the judgment’s requirements can be extended to some databases outside the scope of the e-Privacy Directive. That might be the case for some requirements, as discussed in the following.

Data retention duties under national law

The judgment establishes certain requirements/limitations with which national legislation must comply in order to request that telecom operators retain the communications data covered by the e-Privacy Directive. The Court derives these limitations from an interpretation of Article 15(1) of the e-Privacy Directive. However, the Court’s interpretation places much emphasis on Articles 7, 8 and 11 of the Charter, and it is possible that the Court would reach a similar conclusion if national legislation were to require the retention of other types of data, which (formally) fall outside the scope of the e-Privacy Directive, but which, nevertheless, may be used in a similar way for drawing very precise conclusions concerning the private lives of the persons whose data has been retained. This is supported by the fact that the Digital Rights Ireland judgment sets up similar limitations based solely on the Charter. The data retention schemes of the Swedish and UK laws in question served the purpose of fighting crime.
Given the extent to which they interfere with rights stipulated in the Charter, defining what constitutes a ‘proportionate’ purpose for such schemes is an essential part of the Court’s analysis in the Tele2 judgment, especially the part of the judgment setting up limitations for providing duties to retain the data under national law. If national legislation provides private parties with a duty to retain other types of data for the purposes of fighting (serious) crime, the judgment is very likely to have an impact. An example of this could be national law requiring providers of communication services not covered by the e-Privacy Directive to retain the communication data of their users. As described, communications data of services like messaging and webmail services are not covered by the e-Privacy Directive (though the presented proposal for a new e-Privacy Regulation suggests that such services be included under the regulation). This will be addressed in ‘The draft e-Privacy Regulation’ section below. Yet, regardless of the outcome of the proposal, it is likely that the Court would find that the Charter requires the same type of limitations for national rules on retention of other kinds of communications data than those covered by the present e-Privacy Directive.

Access to data

The Tele2 judgment requires national legislation to be based on objective criteria and to define the circumstances and conditions under which the competent national authorities are to be granted access to the retained data. The Court derives this obligation from the general requirement that legislative means must be proportionate to the seriousness of the interference with fundamental rights that it entails. The judgment further states that pursuant to the principle of proportionality, access to the database must normally be subject to a prior review carried out by a court or an independent administrative body.
Again, to reach this conclusion, the Court is interpreting Article 15(1) of the e-Privacy Directive, but draws heavily on the Charter and refers once again to its previous judgment in Digital Rights Ireland. Therefore, it seems likely that the judgment will also have an impact on legislation concerning access (including prior review of access) to types of databases similar to the databases covered by the directive. First, Tele2 may have ramifications for databases either because they contain identical types of data or similar types of data (ie data that are not communications data within the meaning of the e-Privacy Directive, but sensitive data or other data that allow precise conclusions to be drawn about the private lives of the data subjects and thus enable profiling). As an example of this distinction, Danish tax legislation provides the Danish tax authorities with the right to request access to data from private parties, for the purposes of tax control, without a prior review by a court. (As a general rule, a prior court order is required when the police are requesting access to data as part of their investigations.) Based on both Digital Rights Ireland and Tele2, it seems clear that the tax authorities cannot request access to databases covered by the e-Privacy Directive without such prior review.76 Yet, what of similar data types? In our view, despite the rule in the tax regulation, it is also likely that the same would apply to similar databases not covered by the e-Privacy Directive to the extent that they contain data similar to those covered by the e-Privacy Directive. The retention of Passenger Name Records (PNR) might constitute an example. 
Pursuant to Danish law, for the purposes of border and customs control and fighting serious crime, the Danish Tax Authorities systematically receive PNR data from the airlines on all passengers travelling to Denmark by air and disclose them (under certain conditions) to the Danish intelligence services without prior review.77 PNR data are different from communications data, but they provide information about the travel patterns of the data subjects, and thus aspects of their private lives. They are collected without exception (irrespective of any link to crime) and without most passengers being aware.78 Hence, Tele2 might influence, indirectly, how the retention of and access to PNR data is perceived.79 Secondly, the data concerned in Tele2 were retained pursuant to a legal obligation. Provided the retention has a legal basis and meets the additional requirements of general EU data protection law, data may also be retained voluntarily (ie not pursuant to a legal obligation, but as part of the business model of the commercial entity retaining it). Notwithstanding the fact that private entities are not directly bound by human rights, which affects the direct impact of some aspects of the judgment, it is possible that Tele2 will exert influence on such databases to the extent that they allow precise conclusions to be drawn about the private lives of subjects. Whether Tele2 would also apply to such data remains a far-reaching question. Though their data does not constitute communications data within the meaning of the e-Privacy Directive, private corporations, such as Google or Facebook, collect a tremendous amount of data concerning the personal lives of users, and much of it is likely to provide detailed information about private lives, such as search history and location data from geo-tracking.
Looking solely at the nature of the data, the extent of the databases, and their potential to influence the private lives of the data subjects, our opinion is that there seems to be little reason to make a fundamental distinction between databases established under legislative retention obligations and voluntarily established databases. The rationale behind the Court’s ruling is that the police and other competent authorities should not have an unlimited capacity to ‘angle’ for data in databases containing large amounts of sensitive data about a large part of the population. This rationale must be equally relevant to such voluntarily established databases. If a distinction were to be made between access to data from mandatory and voluntary databases (based on the limited scope of application of the ECHR or the Charter) there would be a risk of depriving both judgments of their importance, especially given that more and more data are collected by private entities as a part of their business model, not due to any legal obligation. In other words, the reluctance of the Court to provide state authorities with surveillance tools that are too powerful is equally relevant regardless of whether the tool is provided with respect to mandatory or voluntary databases.

Data retention in EU territory

According to Article 4 of the e-Privacy Directive, the provider must take appropriate technical and organizational measures to safeguard security of its services. In Tele2, the Court states that as part of the security requirements national rules must make provision for the data to be retained within the EU, cf paragraph 122.
This conclusion was already drawn by the Court in Digital Rights Ireland, paragraph 68:

‘In the second place, it should be added that that directive does not require the data in question to be retained within the European Union, with the result that it cannot be held that the control, explicitly required by Article 8(3) of the Charter, by an independent authority of compliance with the requirements of protection and security, as referred to in the two previous paragraphs, is fully ensured. Such a control, carried out on the basis of EU law, is an essential component of the protection of individuals with regard to the processing of personal data.’

The Court’s finding that the control of an independent authority required by Article 8(3) of the Charter is not fully ensured if the data are stored outside of the EU raises a question about the extent to which this may affect other types of databases containing personal data. Formally, this part of the judgment is an interpretation of the terms ‘appropriate technical and organisational measures to safeguard security of its services’ under Article 4 of the e-Privacy Directive. However, the words ‘appropriate technical and organisational measures’ are identical to the wording of Article 17 of the Data Protection Directive. Furthermore, both the Data Protection Directive and the e-Privacy Directive must be interpreted in light of the Charter. This indicates that the Court’s finding could have an impact on interpretation of Article 17 of the Data Protection Directive. In other words, if a data retention database cannot be placed outside the EU because the national data protection authority would not be sufficiently able to control compliance with the data protection requirements, it seems logical that the same would apply to other databases that contain equally large amounts of sensitive data. As mentioned above, large Internet companies like Google and Facebook collect and retain a large amount of data about their users.
On the basis of such data, in a similar vein to retained communications data, it is possible to draw very precise conclusions about users’ private lives. However, one might also posit reasons why the requirement to keep the database within the EU should not be extended to cover the Data Protection Directive. Although the e-Privacy Directive and the Data Protection Directive are closely interlinked and use the same terms (‘appropriate technical and organisational measures to safeguard security of its services’), they do represent different regimes, and the terms used within each directive will not automatically carry the same meaning. Furthermore, in contrast to the e-Privacy Directive, the Data Protection Directive has a detailed regulation on the transfer of data to third countries. None of these rules indicates that certain types of personal data or databases should not be subject to international data transfers provided the requirements laid down in the rules are met. Had that been the intention of the EU legislature, it would have been natural to make an explicit rule regarding this. It is also noteworthy that the retained data and the purpose and nature of data retention legislation, which entails a very broad surveillance of the citizens by the State, call for particularly strict independent control. Thus, the judgment does not establish a general prohibition against maintaining databases with large amounts of (sensitive) personal data in third countries.
On the other hand, it cannot be ruled out that the thinking behind this part of the judgment may have an impact on the interpretation of the Data Protection Directive’s data transfer rules and security requirements for databases with large amounts of sensitive data stored in third countries.80

The draft e-Privacy Regulation

On 10 January 2017, the European Commission issued its proposal for a new e-Privacy Regulation to replace the e-Privacy Directive.81 According to the proposal, it shall apply from 25 May 2018 (the same date as the General Data Protection Regulation (regulation 2016/679)). However, the proposal still needs to go through the ordinary legislative procedure and thus be negotiated and approved by the Parliament and the Council. The final text and date of effect may therefore be subject to change. In the current draft version, the regulation seems to leave the same room for national rules on data retention as the e-Privacy Directive. Pursuant to Article 11 of the draft regulation, Member States may use national law to restrict the scope of the rights and obligations provided for in Articles 5–8, which include the limitations on the processing and storing of electronic communications data. Such restrictions must respect the essence of the fundamental rights and freedoms, and they must constitute a necessary, appropriate and proportionate measure in a democratic society to safeguard one or more of the general public’s interests referred to in Article 23(1)(a) to (e) of the General Data Protection Regulation (regulation 2016/679), which include national and public security, defence, along with the prevention, investigation, detection, and prosecution of criminal offences. In other words, the restrictions must meet the principle of proportionality for these specific reasons.
Though the wording of draft Article 11 is not identical to Article 15 of the current directive, and though it does not specifically mention data retention as Article 15 does, there seems to be no reason to believe that the draft e-Privacy Regulation aims to provide Member States with more room to manoeuvre than the e-Privacy Directive. This is confirmed by the explanatory memorandum of the proposal, in which the Commission states:

‘The proposal does not include any specific provisions in the field of data retention. It maintains the substance of Article 15 of the e-Privacy Directive and aligns it with specific wording of Article 23 of the General Data Protection Regulation (regulation 2016/679), which provides grounds for Member States to restrict the scope of the rights and obligations in specific articles of the e-Privacy Directive. Therefore, Member States are free to keep or create national data retention frameworks that provide, inter alia, for targeted retention measures, in so far as such frameworks comply with Union law, taking into account the case-law of the Court of Justice on the interpretation of the e-Privacy Directive and the Charter of Fundamental Rights.’

One of the most important changes evident in the draft regulation is the extension of the scope of services and data. Whereas the e-Privacy Directive covers the classic telecom services, the draft regulation also covers so-called ‘Over-the-Top communications services’ (OTTs) that include Voice over Internet Protocol, instant messaging, and web-based e-mail services (which spans services such as WhatsApp, Facebook Messenger, Gmail, and Skype). Consequently, national data retention rules also covering these kinds of services will be subject to the requirements following from the e-Privacy Regulation. However, as outlined in the ‘Consequences for other types of data?’ section above, it seems likely that this might already be the case following Digital Rights Ireland and Tele2.
Another change concerns the regulation of security requirements with which the service providers must comply. As explained in the body of our article, Article 4 of the e-Privacy Directive requires that service providers take appropriate technical and organizational measures to safeguard the security of its services. The draft regulation does not contain a similar provision. Instead, the service providers will be covered by Article 32 of the General Data Protection Regulation (regulation 2016/679), which also requires that providers take appropriate technical and organizational measures. Thus, the provisions on security requirements (both in general and in relation to electronic communications) are to be found in one single legal act. It must, therefore, be expected that the requirement to store the data within the EU, as established by the CJEU in Digital Rights Ireland and Tele2, will continue to apply. Nothing in the draft regulation, including the text of its preamble, indicates otherwise, meaning that the judgments’ use of the Charter Article 8(3) will be equally relevant when interpreting the security requirements of Article 32. The fact that this requirement will follow directly from the General Data Protection Regulation (regulation 2016/679) makes it all the more relevant to consider whether other types of data and databases could be subject to a similar requirement under Article 32 of the General Data Protection Regulation (regulation 2016/679). We do not conclude that the two CJEU judgments limit the possibility of storing other types of data and of keeping databases in third countries in general; but time will tell whether the Court extends this ‘non-export’ rule to other areas.

Footnotes

1 United Nations, International Convention for the Suppression of the Financing of Terrorism [1999] 54/109.
2 United Nations, Resolution 1373 [2001] S/RES/1373.
3 Council Framework Decision of 13 June 2002 on combating terrorism, OJ 2002 L 164.
4 Council of the European Union, 2477th Council Meeting—Justice and Home Affairs Council—Brussels, 19 December 2002, C/02/404.
5 See, for instance, the Danish anti-terrorism amendments (Terrorpakke I) of June 2002. Information available in Danish at: <www.justitsministeriet.dk/arbejdsomraader/politi-og-straf/terrorbekaempelse> accessed 29 October 2017.
6 Declaration on Combatting Terrorism [2004] and Council Declaration on the EU Response to the London Bombings [2005] C/05/187.
7 Council Directive 2006/24/EC of 15 March 2006 on the retention of data generated or processed in connection with the provisions of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC [2006] OJ L 105/54, Recitals 5 and 6.
8 Ibid.
9 Ibid Art 3, cf Art 5.
10 Monica Ermert, ‘EU Data Retention Directive Finally before European Court of Justice’ (2013) Internet Policy Review, Journal on Internet Regulation <https://policyreview.info/articles/news/eu-data-retention-directive-finally-european-court-justice/162> accessed 3 February 2017.
11 Joined cases C-293/12 and C-594/12 Digital Rights Ireland [2014] ECR I-238.
12 Ibid, para 37.
13 European Union Agency for Fundamental Rights, Fundamental Rights Report 2016 [2016] 124 et seq.
14 Opinion of Advocate General Saugmandsgaard Øe delivered on 19 July 2016 in Joined cases C-203/15 and C-698/15 Tele2 Sverige AB and Watson [2016].
15 Joined cases C-203/15 and C-698/15 Tele2 Sverige AB and Watson [2016] OJ C 221.
16 Ibid, paras 17 and 29 of the ruling.
17 Directive 2002/58/EC of the European Parliament and the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) [2002] OJ L 201/37 (e-Privacy Directive).
18 Directive 1995/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data [1995] OJ L 281/31 (Data Protection Directive).
19 Recital 4 to the e-Privacy Directive (n 17).
20 See also Tele2 Sverige AB and Watson (n 15), paras 82 and 92 of the ruling.
21 Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications network and services [2002] OJ L 108/33 (Framework Directive).
22 Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (‘Directive on electronic commerce’) [2000] OJ L 178/1 (e-Commerce Directive).
23 Directive 2010/13/EU of the European Parliament and of the Council of 10 March 2010 on the coordination of certain provisions laid down by law, regulation or administrative action in Member States concerning the provision of audiovisual media services (Audiovisual Media Services Directive) [2010] OJ L 95/1. See Recital 5 of the Framework Directive (n 21). See in more detail Sandfeld Jakobsen, ‘EU Internet Law and the Era of Convergence: The Interplay with EU Telecoms and Media Law’ in Savin and Trzaskowski (eds), Research Handbook on EU Internet Law (Edward Elgar Publishing, UK 2014).
24 e-Privacy Directive (n 17) Recitals 17 and 29.
25 See also the invalidated Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC [2006] OJ L 105 (Invalidated Data Retention Directive), Art 5.
26 The e-Privacy Directive (n 17) Recitals 2 and 3.
27 Ibid, Recital 15.
28 Tele2 Sverige AB and Watson (n 15) para 97.
29 Ibid, para 65 et seq.
30 Ibid, para 73 et seq.
31 The Proposal for a Regulation of the European Parliament and the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) [2017] COM/2017/010 final—2017/03 (COD), a proposal for a regulation which updates (and repeals) the e-Privacy Directive, equally operates with a general exception regarding State activities in the area of criminal law which are entirely outside the scope of the directive (cf Art 2(2)(c)), and a more specific exception provision concerning legitimate restrictions (eg with regard to combating crime) to the right to confidentiality of electronic communications data, cf Art 11 (which refers to Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L 119 (the new Data Protection Regulation)).
32 This analysis relates solely to the questions referred to the Court by the referring Swedish court, as it asked specifically about the EU law compliance of the mere retention obligation, irrespective of the rules governing access to the retained data. See, in particular, Tele2 Sverige AB and Watson (n 15), paras 51 and 59.
33 See also C-275/06, Promusicae [2008] ECR I-271, paras 47 et seq.
34 Tele2 Sverige AB and Watson (n 15) para 89. Reference is also made, by analogy, to C-119/12, Probst [2012] para 23.
35 Tele2 Sverige AB and Watson (n 15) para 91. See also, by analogy, Joined cases C-465/00, C-138/01 and C-139/01 Österreichischer Rundfunk and Others [2003] ECR I-4989, para 68 and Case C-131/12, Google Spain v AEPD [2014] para 68.
36 Tele2 Sverige AB and Watson (n 15) para 92, cf para 99.
37 Opinion of Advocate General Øe (n 14) para 185.
38 e-Privacy Directive (n 17) Recital 11.
39 Tele2 Sverige AB and Watson (n 15) para 96. Hereby, the CJEU refers to, among other cases, C-73/07, Satamedia Oy [2008] ECR I-9831. It is remarkable that this reference relates to yet another derogation from a general rule, more precisely that of freedom of expression under the Data Protection Directive (n 18). However, in the present judgment, the CJEU seems to extend it to limitations to the right to respect for private life as such.
40 Tele2 Sverige AB and Watson (n 15) para 98.
41 Ibid, para 99, cf by analogy, Digital Rights Ireland (n 11) para 27.
42 Ibid, para 99, also referring to Opinion of Advocate General Øe (n 14) para 253 et seq.
43 Digital Rights Ireland (n 11) para 39.
44 Tele2 Sverige AB and Watson (n 15) para 100, cf by analogy, Digital Rights Ireland (n 11), para 37.
45 Tele2 Sverige AB and Watson (n 15) para 101, cf by analogy, Digital Rights Ireland (n 11) paras 39 and 28.
46 Tele2 Sverige AB and Watson (n 15) para 102 et seq, cf by analogy Digital Rights Ireland (n 11) paras 60 and 54.
47 Tele2 Sverige AB and Watson (n 15) para 104.
48 Ibid, para 105 et seq. Likewise, referring to Digital Rights Ireland (n 11) para 57 et seq.
49 Tele2 Sverige AB and Watson (n 15) para 106.
50 Digital Rights Ireland (n 11) para 60 et seq.
51 Opinion of Advocate General Øe (n 14).
52 Tele2 Sverige AB and Watson (n 15) para 108.
53 Ibid, para 109.
54 Ibid, para 54 with reference to the following rulings from the ECtHR: Liberty and Others v the United Kingdom (2008) ECHR 568; Rotaru v Romania (2000) ECHR 192; and S and Marper v the United Kingdom (2008) ECHR 1581.
55 Digital Rights Ireland (n 11) paras 54 et seq.
56 Ibid, paras 117–18.
57 Ibid, para 111.
58 See also the ‘positive list’ in Art 2 of the Council Framework Decision of 13 June 2002 on the European Arrest warrant and the surrender procedures between Member States [2002] PB L 190 2002/548/JHA (European Arrest Warrant).
59 Tele2 Sverige AB and Watson (n 15) para 106.
60 Ibid, para 119.
61 Directive 2006/24/EC (n 7), Art 7 stipulated that the data should be retained for no less than 6 months and no longer than 2 years from the date of the communication.
62 Tele2 Sverige AB and Watson (n 15) para 108. In Digital Rights Ireland (n 11) the Court was critical of the retention period set out by the now invalidated Data Retention Directive—between 6 and 24 months—without stating that the determination of the period of retention must be based on objective criteria in order to ensure that it is limited to what is strictly necessary, cf para 64.
63 Tele2 Sverige AB and Watson (n 15) para 122.
64 In Digital Rights Ireland (n 11), the Court noted that because the systematic retention of the general population’s traffic data entails an interference with the fundamental rights of practically the entire European population, the criminal offences must be sufficiently serious to justify such interference, cf paras 56 and 60.
65 Tele2 Sverige AB and Watson (n 15) para 102.
66 Ibid, para 115.
67 Ibid, para 103.
68 Ibid, para 111.
69 Digital Rights Ireland (n 11) para 62.
70 Tele2 Sverige AB and Watson (n 15) para 120.
71 Ibid, para 120, cf Digital Rights Ireland (n 11) para 62.
72 Tele2 Sverige AB and Watson (n 15) para 122.
73 Digital Rights Ireland (n 11) paras 66–68.
74 Opinion of Advocate General Cruz Villalón delivered on 12 December 2013 in C-293/12, Digital Rights Ireland [2016] para 221.
75 In order to ensure the legal safety of the persons whose data are retained, the decision from the competent national authority should be publicly available, unless, of course, the purpose of the data retention in the given situation may be forfeited by the publication.
76 It should be noted that due to the legal uncertainty caused by Digital Rights Ireland, the Danish tax authorities have since refrained from applying the rule.
77 Due to the Danish opt-out with respect to EU policy on Justice and Police Affairs, Denmark has established its own PNR system.
78 In the preparatory works of the Act providing access to PNR data for the Danish Military Intelligence Service, the Ministry of Defence acknowledges the possible influence of Tele2 Sverige AB and Watson, but dismisses it on the grounds that PNR data, unlike communications data under the Swedish and UK data retention schemes, are not collected from the entire population, only from those travelling to Denmark by flight.
79 For similar speculations, see also Irena Nesterova, Crisis of Privacy and Sacrifice of Personal Data in the Name of National Security: The CJEU Rulings Strengthening EU Data Protection Standards (European Society of International Law (ESIL) 2016 annual conference, Riga, 2017); Lorna Woods, ‘Data Retention and National Law: The ECJ Ruling in Joined Cases C-203/15 and C-698/15 Tele2 and Watson (Grand Chamber)’, in EU Law Analysis (21 December 2016), available at: <http://eulawanalysis.blogspot.com/2016/12/data-retention-and-national-law-ecj.html>.
80 In its Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is ‘likely to result in a high risk’ for the purposes of Regulation 2016/679, adopted on 4 April 2017 [2017] WP 248, the Art 29 Working Party mentions transfer of data outside the EU as one of the criteria that could make data processing a high-risk factor triggering the requirement for a DPIA.
81 Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) COM (2017) 10 final.

© The Author(s) 2018.
Published by Oxford University Press. All rights reserved. For Permissions, please email: journals.permissions@oup.com This article is published and distributed under the terms of the Oxford University Press, Standard Journals Publication Model (https://academic.oup.com/journals/pages/about_us/legal/notices)

Journal: International Data Privacy Law, Oxford University Press

Published: Feb 24, 2018
