By Alessandra Silveira (Editor) and Tiago Sérgio Cabral (Managing Editor)

▪

As we have highlighted in this blog, in the recent judgment 268/2022 of 19 April, the Portuguese Constitutional Court finally declared the unconstitutionality of some provisions of Law 32/2008.  Law 32/2008 transposed the rules of Directive 2006/24, which were declared invalid eight years ago by the Court of Justice of the European Union (“CJEU”) in the Digital Rights Ireland judgment, for introducing a system of generalised and indiscriminate retention of personal data. This case-law of the CJEU has recently (again) been confirmed in the G. D. judgment, according to which: Article 15(1) of Directive 2002/58 (Directive on privacy and electronic communications), read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter of Fundamental Rights of the European Union (“CFREU”), must be interpreted as precluding legislative measures which, as a preventive measure for the purposes of combating serious crime and preventing serious threats to public security, provide for the general and indiscriminate retention of traffic and location data (recital 129).

Fortunately, the idea of amending the Portuguese Constitution to overcome the problem of the generalised and indiscriminate retention of metadata – which is, first and foremost, a matter of EU law – is losing steam. But there have been some voices that, surprisingly, suggest a change of course in the case-law of the CJEU and the Portuguese Constitutional Court. It is worth remembering that, in a State governed by the rule of law and a Union based on the rule of law, judicial decisions against which there is no appeal must be respected – whether one agrees with them or not. This is our most precious constitutional heritage. In fact, one could argue that if we had carefully considered the implications and respected the decision of the CJEU in Digital Rights Ireland when it was originally ruled, we could have avoided this entire issue.

The Portuguese Parliament is now seeking a legislative solution to this problem, which should have been solved by the national authorities years ago – and the German legislative solution has been considered as a possible source of inspiration (Telekommunikationsgesetz, Law on Telecommunications, “the TKG”). However, a particularly relevant reference for a preliminary ruling from the Bundesverwaltungsgericht (Federal Administrative Court, Germany) is currently under analysis by the CJEU. In this case, the CJEU will address the compatibility of German legislation with EU law – and it is appropriate to await the decision of the CJEU in order to avoid hasty conclusions as to the conformity of German legislation, and certainly before “copy and pasting it” to the Portuguese legal framework.

According to the facts described in the Opinion of Advocate General Campos Sánchez-Bordona delivered on 18 November 2021 in the joined cases C‑793/19 and C‑794/19 (SpaceNet), the SpaceNet AG and the Telekom Deutschland GmbH are companies that provide publicly available internet access services in Germany – and they lodged actions objecting to the obligation set out the TKG to store customers’ telecommunications traffic data as from 1 July 2017. According to the referring court, the German legislation requires “the general retention, without any reason, and without any distinction in terms of personal, temporal or geographical factors, of a large part of the traffic data of the relevant telecommunications”. The national legislation at issue does not simply authorise the competent authorities to require the retention of traffic and location data for a limited period: the legislature directly imposes an obligation to retain the data in an indefinite manner (recitals 53-54).

The Advocate General Campos Sánchez-Bordona clarifies that national legislation which requires providers of electronic communications services to retain traffic and location data for the purposes of protecting national security and combating crime, such as the legislation at issue in the main proceedings, falls within the scope of Directive 2002/58 (on the processing of personal data and protection of privacy in the electronic communications sector). At the heart of the case-law of the CJEU concerning Directive 2002/58 is the notion that the users of electronic communications services are entitled to expect, in principle, that their communications and data relating thereto will remain anonymous and may not be recorded, unless they have agreed otherwise. Article 15(1) of Directive 2002/58 allows exceptions to the obligation to ensure confidentiality – and the CJEU in the La Quadrature du Net judgment considers at length how to reconcile those exceptions with the fundamental rights whose exercise may be affected.

This is the risk which has clearly inspired the case-law of the CJEU on the matter: “(…) traffic and location data may reveal information on a significant number of aspects of the private life of the persons concerned, including sensitive information such as sexual orientation, political opinions, religious, philosophical, societal or other beliefs and state of health, given that such data moreover enjoys special protection under EU law. Taken as a whole, that data may allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them. In particular, that data provides the means of establishing a profile of the individuals concerned, information that is no less sensitive, having regard to the right to privacy, than the actual content of communications” (La Quadrature du Net judgment, recital 117).

According to the CJEU, the generalised and indiscriminate retention of metadata could be justified on grounds of safeguarding national security (Quadrature du Net judgment, recital 137). The objective of protecting national security corresponds to the primary interest in protecting the essential functions of the State and the fundamental interests of society through the prevention and punishment of activities capable of seriously destabilising the fundamental constitutional, political, economic or social structures of a country and, in particular, of directly threatening society, the population or the State itself, such as terrorist activities (GD judgment, recitals 61 and 105). So, EU law “does not preclude legislative measures that allow, for the purposes of safeguarding national security, recourse to an instruction requiring providers of electronic communications services to retain, generally and indiscriminately, traffic and location data in situations where the Member State concerned is confronted with a serious threat to national security that is shown to be genuine and present or foreseeable, where the decision imposing such an instruction is subject to effective review, either by a court or by an independent administrative body whose decision is binding, the aim of that review being to verify that one of those situations exists and that the conditions and safeguards which must be laid down are observed, and where that instruction may be given only for a period that is limited in time to what is strictly necessary, but which may be extended if that threat persists” (emphasis added) (Quadrature du Net judgment, recital 229).

Safeguarding national security should not be mistaken for combating crime, even serious crime. As explained by the CJEU, unlike crime, even particularly serious crime, a threat to national security must be genuine and present, or, at the very least, foreseeable, which presupposes that sufficiently concrete circumstances have arisen to be able to justify a generalised and indiscriminate measure of retention of traffic and location data for a limited period of time. Such a threat is therefore distinguishable, by its nature, its seriousness, and the specific nature of the circumstances of which it is constituted, from the general and permanent risk of the occurrence of tensions or disturbances, even of a serious nature, that affect public security, or from that of serious criminal offences being committed (G.D. judgment, recital 62).

As explained by the Advocate General Campos Sánchez-Bordona in SpaceNet, those provisions certainly result in a more rigorous and stricter regime than the one which emerges from the case-law of the European Court of Human Rights (“ECtHR”) on Article 8 ECHR. The fact that the meaning and scope of rights in the CFREU that correspond to rights guaranteed by the ECHR must be the same as those laid down by the latter does not prevent EU law providing more extensive protection, in accordance with the final sentence of Article 52(3) of the CFREU (recital 39).

Outside of that hypothesis – national security – one must analyse whether the national regulations are founded on criteria that are sufficiently targeted to satisfy the conditions which, according to the case-law of the CJEU, may justify a particularly serious interference in the fundamental rights that are affected (such as retention of data). The targeted retention of traffic and location data is the cornerstone of the reasoning in the judgments of the CJEU on this matter. That targeting may be established in accordance with the categories of persons concerned or based on geographical criteria, among others (Campos Sánchez-Bordona, SpaceNet, recitals 42-43).

In any case, the legislative difficulty of providing a detailed definition of the circumstances and conditions under which targeted retention is feasible is no reason for the Member States, by turning the exception into a rule, to make the general retention of personal data the core principle of their legislation (idem, recital 50). In that regard, it must be observed, in the first place, that the effectiveness of criminal proceedings generally depends not on a single means of investigation but on all the means of investigation available to the competent national authorities for those purposes (G.D. judgment, recital 69). EU law allows Member States to adopt, for the purposes of combating serious crime and preventing serious threats to public security, not only measures for targeted retention and expedited retention (quick freeze), but also measures providing for the generalised and indiscriminate retention, first, of data relating to the civil identity of users of electronic communications systems and, second, of IP addresses assigned to the source of a connection (G.D. judgment, recital 70).

Concerning the German legislation at stake (the TKG) in SpaceNet, in the view of Campos Sánchez-Bordona the typology of the retained data (there is no storage of data relating to the internet sites visited, email data and data concerning communications to or from social or religious telephone helplines) does not obscure the fact that the generalised and indiscriminate storage requirement applies to a very broad set of traffic and location data. And the fact that content (whether of internet sites visited or of emails) is not covered by the retention obligation is not a decisive factor (recitals 60-62).

Campos Sánchez-Bordona states that the most significant difference of the TKG as compared with the national legislation analysed in other CJEU´s judgments concerns the retention period which is 4 weeks for location data and 10 weeks for other data. Both the referring court and some governments who entered an appearance emphasise this point, stressing that the legislation at issue significantly reduces the data retention period. In the view of the referring court, the shorter duration reduces the risk of being able to establish a comprehensive profile of the persons involved. However, while the time limit on the retention period is a relevant factor in assessing the legislation at issue, it cannot correct for the fact that the legislation imposes a generalised and indiscriminate requirement to retain traffic and location data. Under the case-law of the CJEU, other than in the case of safeguarding national security, electronic communications data may be retained only on a targeted basis, because of the serious risk entailed by general retention of data (recitals 63-67).

It is true that, as noted by the referring court, a very limited retention period may make it harder to establish profiles. However, as states Campos Sánchez-Bordona, the extent of the difficulty in this regard is determined not only by the length of the retention period but also by the quantity and nature of the data that are retained: the greater the amount of data, the greater the likelihood of obtaining sensitive information during time periods the length of which will, in turn, be dependent on developments in techniques for monitoring, correlating and evaluating the set of electronic communications data. What may at present be an insufficient period in which to accumulate enough information to produce profiles may be more than enough to do so at some point in the future (recitals 69-70).

Some legal scholars and legal professionals argue in Portugal that metadata of users of electronic communication services should be retained and accessible for combating serious crimes or addressing threats to public security for the same period that is available to providers of electronic communications services for billing purposes. This is a misleading argument because the types of metadata stored for billing are more restricted than what was established for law enforcement purposes. Only data that is strictly necessary for billing purposes can be stored (not all traffic data). As established by the CJEU in the G.D. judgment “Article 6 of Directive 2002/58 provides, in paragraph 1, that those data [traffic data] must be erased or made anonymous when they are no longer needed for the purpose of the transmission of a communication, and states, in paragraph 2, that the traffic data necessary for the purposes of subscriber billing and interconnection fees may only be processed up to the end of the period during which the bill may lawfully be challenged or payments pursued in order to obtain payment. As regards location data other than traffic data, Article 9(1) of that directive provides that those data may be processed only subject to certain conditions and after they have been made anonymous or the consent of the users or subscribers obtained” (recital 38).

Moreover, according to the CJEU, the interference with the fundamental rights enshrined in Articles 7 and 8 of the CFREU that is entailed by a public authority’s access to a set of traffic or location data – that are liable to provide information regarding the communications made by a user of a means of electronic communication or regarding the location of the terminal equipment which he or she use –, it is in any event serious regardless of the length of the period in respect of which access to those data is sought and the quantity or nature of the data available in respect of such a period, when that set of data is liable to allow precise conclusions to be drawn concerning the private life of the person or persons concerned (Prokuratuur judgment,  recital 39).

Finally, according to the referring court in SpaceNet, the German legislation provides effective protection for retained data against the risks of misuse and unlawful access. But it cannot be forgotten that, for the CJEU, the retention of traffic and location data constitutes in itself an interference with the fundamental rights to respect for private life and the protection of personal data. In this regard, access to such data is a separate interference with those fundamental rights, irrespective of the subsequent use made of it. So, according to Campos Sánchez-Bordona, it is therefore irrelevant that the data protection arrangements for retained data provided for in the German legislation: (i) provide effective safeguards to protect those data; (ii) place rigorous and effective limits on access conditions, restricting the circle of people who can access the data; and (iii) allow the retained data to be used solely for the purposes of investigating serious offences and preventing specific risks to life or a person’s freedom or to the security of the State. The truly decisive element is that, as also noted by the referring court, the retention obligation at issue is not in itself subject to any specific conditions (recitals 73-76).

In the light of the above, the Advocate General suggests to the CJEU that it should reply to the Federal Administrative Court (Germany) that Article 15(1) of Directive 2002/58, in the light of Articles 7, 8 and 11 and Article 52(1) of the CFREU and Article 4(2) TEU, must be interpreted as precluding national legislation (as TKG) which obliges providers of publicly available electronic communications services to retain traffic and location data of end users of those services on a precautionary, general and indiscriminate basis for purposes other than that of safeguarding national security in the face of a serious threat that is shown to be genuine and present or foreseeable (recital 84).

It is important to emphasise that EU law does not preclude legislative measures that provide, for the purposes of combating serious crime and preventing serious threats to public security, for:

(i) the targeted retention of traffic and location data which is limited, on the basis of objective and non-discriminatory factors, according to the categories of persons concerned or using a geographical criterion, for a period that is limited in time to what is strictly necessary, but which may be extended;

(ii) the general and indiscriminate retention of IP addresses assigned to the source of an internet connection for a period that is limited in time to what is strictly necessary;

(iii) the general and indiscriminate retention of data relating to the civil identity of users of electronic communications systems; and

(iv) the recourse to an instruction requiring providers of electronic communications services, by means of a decision of the competent authority that is subject to effective judicial review, to undertake, for a specified period of time, the expedited retention (quick freeze) of traffic and location data in the possession of those service providers.

Provided that those measures ensure, by means of clear and precise rules, that the retention of data at issue is subject to compliance with the applicable substantive and procedural conditions and that the persons concerned have effective safeguards against the risks of abuse (G.D. judgment, recital 129).

Picture credits: Colossus Cloud.