In its ruling on 6 October 2020, the Court of Justice of the European Union (CJEU) softened the ban on data retention. But the exception applies only in a case of emergency. What does this mean for businesses which collect personal data to provide their communication services?
Which kind of data retention is affected?
In this context, data retention means the obligation of electronic communication companies to collect and store personal data, including traffic and location data, on a mass-scale. Several EU member states including the UK previously passed laws that would require companies to retain the data and transmit it to the relevant authorities, for the purpose to combat crime in general or safeguard national security.
Data protection advocates consider this a violation of data protection laws. Therefore, the highest European court was asked to decide if, and to what extent, such practices should be allowed.
The CJEU ruling
The CJEU judges stated in a press release:
“The Court of Justice confirms that EU law precludes national legislation requiring a provider of electronic communications services to carry out the general and indiscriminate transmission or retention of traffic data and location data for the purpose to combat crime in general or of safeguarding national security”.
A general data collection would affect all users of these services who are not suspected of any crime. Therefore, opponents of data retention consider these practices to be unacceptable mass surveillance. On the other hand, EU Member States argue that this prevention would hinder combating serious crime and protecting national security.
The CJEU judges ruled that in the event of an acute threat to “public security”, mass data collection of telephone calls and internet visits could be allowed in this case. Only if national security is seriously threatened, and if an EU Member State considers the threat to be “genuine and present or foreseeable”, electronic communication service providers could be obliged to collect the data and keep it available. However, permission to store data should only be effective for as long as it is “strictly necessary”. The CJEU emphasises that adequate safeguards must be in place so as not to interfere with the fundamental right to data privacy. Additionally, any interference with the right to privacy must be reviewed by a court or by an independent administrative authority.
While the judges confirm that a general or indiscriminate storage of call data is not permitted, they do consider the fight against serious crime or in the case of a concrete threat to national security as an exception to that prohibition.
The CJEU decided on that question after proceedings were brought before national courts in France, Belgium and the UK. The cases questioned the lawfulness of legislation adopted by EU Member States laying down, in particular, an obligation for providers of electronic communications services to forward users’ traffic data and location data to a public authority or to retain such data in a general or indiscriminate way. This argumentation is based on the Digital Rights Ireland case as well as Tele2 Sverige case where the CJEU decided that electronic communications providers could not be obligated to collect data on a mass-scale. France, Belgium, and the UK had asked the CJEU for an assessment of the question of whether or not combating serious crime and protecting national security could be an exception.
Advice for companies
Therefore, any company that is involved in the transmission of communication data, such as telecommunication providers, could fall within the scope of an electronic communications service provider and thus be obliged by data retention measures. The decision of the CJEU demonstrates that companies may be required to re-organise their policies concerning data collection and storage, causing an extra administrative burden.
Any concerned company, falling within the relevant scope, should follow national legislative developments and statements by the Supervisory Authorities for new developments and requirements.
