By Alessandra Silveira (Editor) and Tiago Sérgio Cabral (Managing Editor)
The CJEU has recently added further pieces to the puzzle of retention of traffic and location data by providers of electronic communications services for the purpose of making them available to competent national authorities in the fight against serious crime. In addition to reiterating its constant jurisprudence on the matter, this CJEU judgment is particularly valuable to Member States that are legislating in order to adapt to EU law – as is the case of Portugal (judgment of 20 September 2022, SpaceNet, joined cases C-793/19 and C‑794/19, ECLI:EU:C:2022:702).
In several Recitals of the judgment, the CJEU left some clues as to its resistance to the generalised and indiscriminate retention of metadata, and it is possible to perceive that it lies in the uncontrolled profiling of users of electronic communications services. Profiling is often used to make such predictions about individuals. It involves the collection of information about a person and the assessment of their characteristics or behavioural patterns in order to place them in a certain category or group and drawing upon that an inference or prediction – be it of their ability to perform a task, of their interest or presumed behaviour.
The CJEU insists that traffic and location data may reveal information on a significant number of aspects of the private life of the persons concerned, including sensitive information such as sexual orientation, political opinions, religious, philosophical, societal or other beliefs and state of health, given that such data moreover enjoy special protection under EU law (Recital 61 SpaceNet). The CJEU bases its reasoning on the possibility of drawing very precise conclusions concerning the private lives of the persons whose data have been retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them. In particular, those data provide the means of establishing a profile of the individuals concerned (Recital 61 SpaceNet).
Furthermore, the CJEU emphasizes that the retention of traffic and location data for policing purposes is liable to infringe the right to respect for communications [Article 7 of the Charter of Fundamental Rights of the European Union (CFREU)], and to deter users of electronic communications systems from exercising their freedom of expression (Article 11 CFREU), effects that are all the more serious given the quantity and breadth of data retained (Recital 62 SpaceNet).
Additionally, in view of the significant quantity of traffic and location data that may be continuously retained under a general and indiscriminate retention measure, as well as the sensitive nature of the information that may be gleaned from those data, the mere retention of such data by providers of electronic communications services entails a risk of abuse and unlawful access (Recital 62 SpaceNet).
Thus, the retention of traffic or location data (on the one hand) and the access to those data (on the other hand) constitute separate interferences with the fundamental rights – which require a separate justification under Article 52(1) CFREU (Recital 91 SpaceNet). Taking this into account, the interference resulting from the retention of those data necessarily occurs before the data and the information resulting therefrom can be consulted. The assessment of the seriousness of the interference that the retention constitutes is necessarily carried out on the basis of the risk generally pertaining to the category of data retained for the private lives of the persons concerned, without it indeed mattering whether or not the resulting information relating to the person’s private life is in actual fact sensitive (Recital 89 SpaceNet).
Let us put the CJEU’s decision into context. This judgment has its origins in proceedings between the Federal Republic of Germany and SpaceNet and Telekom Deutschland – providers of publicly available internet and telephone services – which challenged in court the obligation under German law to retain traffic and location data relating to their customers’ telecommunications. The question whether the obligation of retention imposed by German law is contrary to EU law depended on the interpretation of Directive 2002/58 (concerning the processing of personal data and the protection of privacy in the electronic communications sector, hereinafter the “e-Privacy Directive”) and the Federal Supreme Court (Germany) made a preliminary reference.
Thus, the CJEU again interpreted Article 15(1) of the e-Privacy Directive and reiterated that that provision, read in light of Articles 7, 8, 11, and 52(1) CFREU, must be interpreted as precluding national legislative measures which provide, on a preventative basis, for the purposes of combating serious crime and preventing serious threats to public security, for the general and indiscriminate retention of traffic and location data (Recital 131 SpaceNet).
In accordance with the national court, the national legislation at issue in the main proceedings does not require any reason for the retention of the data or any link between the data retained and a criminal offence or a risk to public security. That national legislation requires the general retention, without a reason, and without any distinction in terms of personal, temporal or geographical factors, of the majority of the traffic data relating to telecommunication (Recital 30 SpaceNet). In an attempt to balance, the legislation provided for a storage period of four weeks for location data and ten weeks for traffic data, and included strict limitations on the protection of and access to the retained data – potentially reducing, but not eliminating, the risk of comprehensive profiling of data subjects (Recitals 33 to 35 SpaceNet).
The CJEU pointed out that, pursuant to the first and second sentences of Article 5(1) of the e-Privacy Directive, Member States are required to ensure, through their national legislation, the confidentiality of communications by means of a public communications network and publicly available electronic communications services, as well as of the related traffic data (Recital 51 SpaceNet). In fact, the e-Privacy Directive’s aim is to ensure that a high level of protection of personal data and privacy will continue to be guaranteed for all electronic communications services regardless of the technology used (Recital 53 SpaceNet).
Therefore, in adopting the e-Privacy Directive, European legislator gave concrete expression to those fundamental rights, so that the users of electronic communications services are entitled to expect, in principle, that their communications and data relating thereto will remain anonymous and may not be recorded, unless they have agreed otherwise (Recital 54 SpaceNet). Therefore, the Article 6(1) of the e-Privacy Directive that those data must be erased or made anonymous, when they are no longer needed for the purpose of the transmission of a communication, and states, in paragraph 2, that the traffic data necessary for the purposes of subscriber billing and interconnection fees may only be processed up to the end of the period during which the bill may lawfully be challenged or payment pursued. As regards location data other than traffic data, Article 9(1) of that directive provides that those data may be processed only subject to certain conditions and after they have been made anonymous or the consent of the users or subscribers obtained (Recital 55 SpaceNet).
Thus, as Article 15(1) of Directive 2002/58 permits Member States to adopt legislative measures that restrict the scope of the rights and obligations laid down in Articles 5, 6 and 9 of that directive (such as those arising from the principles of confidentiality of communications and the prohibition on storing related data), that provision provides for an exception to the general rule provided for Articles 5, 6 and 9 – and must thus be the subject of a strict interpretation. Therefore, Article 15(1) of the e-Privacy Directive cannot permit the exception to the obligation of principle to ensure the confidentiality of electronic communications and data relating thereto and, in particular, to the prohibition on storage of those data, laid down in Article 5 of that directive, to become the rule, if the latter provision is not to be rendered largely meaningless (Recital 57 SpaceNet).
In that regard, the retention of traffic and location data constitutes, in itself, first, a derogation from the prohibition laid down in Article 5(1) of Directive 2002/58 barring any person other than the users from storing those data, and, secondly, an interference with the fundamental rights to the respect for private life and the protection of personal data, irrespective of whether the information in question relating to private life is sensitive, whether the persons concerned have been inconvenienced in any way on account of that interference, or, furthermore, whether the data retained will or will not be used subsequently (Recital 60 SpaceNet).
In addition, going back to the argument previously defended, if retention and access to data should be considered as separate with the fundamental rights guaranteed by of the CFREU, national legislation ensuring full respect for the conditions established by the case-law interpreting e-Privacy Directive as regards access to retained data cannot, by its very nature, be capable of either limiting or even remedying the serious interference, which results from the general retention of those data provided for under that national legislation (Recital 91 SpaceNet).
This interference occurs and is serious regardless of the length of the retention period and the quantity or nature of the data retained, when that set of data is liable to allow precise conclusions to be drawn concerning the private life of the person or persons concerned. Even retention of a limited amount of data by a short period may allow very precise conclusions to be drawn concerning the private lives of the persons whose data are retained (Recitals 88 to 90 SpaceNet).
It is important to note that the CJEU again rejected arguments by national governments and police authorities defending that generalised and indiscriminate data retention was necessary to pursue criminal proceedings. As reminded by the Court, the effectiveness of criminal proceedings generally depends not on a single means of investigation but on all the means of investigation available to the competent national authorities for those purposes (Recital 96 SpaceNet).
In addition, the Court repeated the argument that EU law allows Member States to adopt, for the purposes of combating serious crime and preventing serious threats to public security, not only measures for targeted retention and expedited retention, but also measures providing for the general and indiscriminate retention, first, of data relating to the civil identity of users of electronic communications systems and, secondly, of IP (Internet Protocol) addresses assigned to the source of a connection (Recital 97 SpaceNet).
Additionally, if national security is at risk (which is different from public security) EU law does not restrict recourse to an instruction requiring providers of electronic communications services to retain, generally and indiscriminately, traffic and location data in situations where: i) the Member State concerned is confronted with a serious threat to national security that is shown to be genuine and present or foreseeable, ii) the decision imposing such an instruction is subject to effective review, either by a court or by an independent administrative body whose decision is binding, the aim of that review being to verify that one of those situations exists and that the conditions and safeguards which must be laid down are observed, and iii) that instruction may be given only for a period that is limited in time to what is strictly necessary, but which may be extended if that threat persists (Recital 72 SpaceNet). The Court considers such to be permissible because objective of protecting national security corresponds to the primary interest in protecting the essential functions of the State and the fundamental interests of society through the prevention and punishment of activities capable of seriously destabilising the fundamental constitutional, political, economic or social structures of a country and, in particular, of directly threatening society, the population or the State itself, such as terrorist activities (Recital 92 SpaceNet).
The CJEU equally rejected the argument from the Danish Government according to which competent national authorities should be able to access, for the purpose of combating serious crime, traffic and location data that have been retained in a general and indiscriminate way in order to confront a serious threat to national security which is shown to be genuine and present or foreseeable (Recital 126 SpaceNet). In the CJEU’s assessment allowing such access would be depriving of any effectiveness the prohibition on such retention for the purpose of combating serious crime (Recital 130 SpaceNet). In any event, it would be a processing of personal data for a different purpose, and this require a basis in Union or Member State law, which would have to prove to be a necessary and proportionate measure in a democratic society, in order to ensure compliance with the principles under Article 23 of the General Data Protection Regulation.
Based on its arguments, the Court’s message to national authorities is quite clear: the fact that it may be difficult to provide a detailed definition of the circumstances and conditions under which targeted retention may be carried out is no reason for the Member States, by turning the exception into a rule, to provide for the general and indiscriminate retention of traffic and location data (Recital 113 SpaceNet).
In any case, the CJEU seeks to address the questions raised by the referring court and the national governments during the hearing, in order to devise practical concordance solutions aimed at safeguarding Member States’ crime control and public security competences (recitals 64 and 65 SpaceNet), namely through the possibilities of targeted retention, expedited retention or retention of IP addresses (recitals 95 et seq SpaceNet).
In light of the invocation of European Court of Human Rights (ECtHR) case law by some national governments at the hearing [namely the judgments of 25 May 2021, Big Brother Watch and Others v. the United Kingdom (EC:ECHR:2021:0525JUD 005817013) and Centrum för Rättvisa v. Sweden (ECHR:ECHR:2021:0525JUD 003525208)], claiming that the European Convention on Human Rights (ECHR) does not preclude national regulations providing, in substance, for the generalised and indiscriminate storage of traffic and location data, the CJEU held that those ECtHR judgments cannot call into question the interpretation of Article 15(1) of the e-Privacy Directive which follows from the considerations set out above. Indeed, these ECtHR rulings concerned large-scale interception of data relating to international communications. Thus, in these judgments the ECtHR did not rule on the compliance with the ECHR of a generalised and indiscriminate retention of traffic and location data on the national territory of an ECHR State, nor even of a wide-scale interception of such data for the purpose of prevention, detection and investigation of serious criminal offences (Recital 125 SpaceNet).
In any event, it should be recalled that Article 52(3) CFREU aims to ensure the necessary consistency between the rights contained therein and the corresponding rights guaranteed by the ECHR, without calling into question the autonomy of EU law and of the CJEU, so that it is only as a minimum protection threshold that the corresponding rights of the ECHR have to be taken into account for the purposes of interpretation of the CFREU (judgment of 17 December 2020, Centraal Israëlitisch Consistorie van België and Others, C-336/19, EU:C:2020:1031, paragraph 56).
In conclusion, regarding the objective of combating serious crime, the CJEU held that national legislation providing, for that purpose, for the general and indiscriminate retention of traffic and location data exceeds the limits of what is strictly necessary and cannot be considered to be justified within a democratic society. In view of the sensitive nature of the information that traffic and location data may provide, the confidentiality of those data is essential for the right to privacy. Thus, and also taking into account, first, the dissuasive effect on the exercise of the fundamental rights enshrined in the CFREU which is liable to result from the retention of those data, and, secondly, the seriousness of the interference entailed by such retention, it is necessary, within a democratic society, that retention be the exception and not the rule, as provided for in the system established by the e-Privacy Directive, and that those data should not be retained systematically and continuously (Recital 74 SpaceNet).
 This post follows our previous contributions on data retention which may be read in the following links: 1) Metadata retention is first and foremost a matter of EU law: a revision of the Portuguese Constitution will not solve the issue; and 2) Some additional thoughts on metadata retention – points to consider when adopting new legislation [on joined cases C‑793/19 and C‑794/19 (SpaceNet) and the German legislation on this matter].
 A similar judgment was also delivered by the CJEU in VD (Joined Cases C-339/20 and C‑397/20), in which the Court again rejected the possibility of generalised and indiscriminate retention and restated that national courts cannot restrict the temporal effects of the CJEU’s judgments.
 Regarding the subject of profiling and inferred data in EU Law see: https://officialblogofunio.com/2021/12/01/editorial-of-december-2021-2/
Picture credits: Fernando Arcos on Pexels.com.