On 19 November 2021, Advocate General (AG) Campos Sánchez-Bordona tabled his opinion on pending cases before the CJEU that concern the question of whether national data retention regimes are compatible with EU law interpreted in light of the CJEU’s previous case law on this matter. The basic question is whether national regimes that retain personal data generated in electronic communications for the access by law enforcement authorities transgress the limits set by Art. 15 of Directive 2002/58 (the “e-Privacy Directive”). This provision allows, to a limited extent, exceptions to the obligation to ensure confidentiality of electronic communications. The CJEU has established detailed case law on the possibility for national legislatures to retain data in this sense, above all in its judgements in Tele2 Sverige/Watson (Joined Cases C-203/15 and C-698/15 → eucrim 4/2016, 164), in Ministero Fiscal (Case C-207/16 → eucrim 3/2018, 155-157), and in the recent landmark judgments in Privacy International/Quadrature du Net (Cases C-623/17 and Joined Cases C-511/18, C-512/18 and C-520/18 → eucrim 3/2020, 184-186).

The pending cases refer to the data retention systems in Germany and Ireland. In addition, a French case dealt with the question whether the principles established in the previous case law are also valid if EU secondary law confers powers for the authorities to have access to traffic data. The AG stated, however, that all references for preliminary rulings deal with the retention of data in a general and indiscriminate manner, so that the answers can be inferred from the CJEU’s previous case law, in particular in Privacy International/Quadrature du Net. In detail:

Joined Cases C-793/19 and C-794/19 (SpaceNet and Telekom Deutschland):

This case concerns the compatibility of the German data retention regulations as designed in the Law on Telecommunications (Paragraphs 113a et seq. TKG). In the case at issue, the Federal Administrative Court (Bundesverwaltungsgericht) must decide on complaints lodged by two companies, which provide publicly available internet access services in Germany, against their obligations to retain traffic and location data under the TKG (→ eucrim 3/2019, 176). The referring Federal Administrative Court stressed that the German legislature established several limits to data retention, including the requirement to store only certain telecommunications data of certain means of electronic communications and a significantly reduced storage period (4 weeks for location data, and 10 weeks for other data).

AG Sánchez-Bordona acknowledged the progress made in the German legislation showing the will to comply with the CJEU case law. However, the German rules constitute a general and indiscriminate data retention regime with storage obligations of a wide range of traffic and location data. The time limits did not remedy this situation and the storage of electronic communications must be more targeted. In conclusion, the AG found that the German data retention legislation cannot be upheld; it is still an unjustified serious interference with the rights to privacy and data protection (irrespective of the duration of storage).

Case C-140/20 (G.D. v The Commissioner of the Garda Síochána)

In the Irish case, the importance of a general/universal data retention regime was demonstrated because the Irish police could identify a murder on the basis of metadata retained from discarded mobile phones. The referring Irish Supreme Court, before which the defendant challenged the validity of the Irish legislation to retain and make accessible telephony data, stressed that there are no less intrusive, equally effective means for the detection and prosecution of serious crimes.

Similarly to the German case, AG Sánchez-Bordona opined that only the protection of national security, which does not include the prosecution of offences (even serious ones), can justify a general and indiscriminate regime of traffic and location data retention. The Irish legislation has gone beyond the requirements of the e-Privacy Directive. In addition, the AG pointed out that the Irish legislation has not met the condition (as required by the CJEU case law) that access by the competent national authorities to retained data is subject to prior review by a court or an independent authority, because, under Irish law, the review is done internally by the Gardaí (the Irish police). Lastly, the AG reiterated with regard to the murder conviction that a national court cannot limit in time the effects of a declaration of illegality of national data retention legislation incompatible with EU law.

Joined Cases C-339/20 and C-397/20 (VD and SR):

The cases concern investigations against two suspects in France for having committed illicit insider dealings. The prosecution was mainly based on personal data relating to the use of telephone lines that were collected by the Autorité des marchés financiers (Financial Markets Authority). The referring Cour de Cassation asked whether there is an independent obligation for the national legislature to require electronic communications operators to retain connection data on a temporary but general basis in order to enable the administrative authority to comply with EU Directive 2003/6 and Regulation 596/2014. This secondary EU law on market abuse confers administrative authorities the power to “require existing telephone and existing data traffic records”.

According to AG Sánchez-Bordona, the CJEU’s case law in La Quadrature du Net is applicable to the case even though the EU Directive and Regulation on market abuse come into play. He argued that the processing of data traffic records set out in the EU legislation on market abuse must be interpreted in the light of the e-Privacy Directive, which constitutes the reference standard in this regard. Neither the EU Directive nor the Regulation on market abuse confer specific and autonomous powers to retain data. They merely authorise the access to these data. As in the other cases, the French system concerns data retentions for the fight against crime, but which is preventive, generalised and indiscriminate and thus lacks the balance to be made as underpinned by the CJEU in La Quadrature du Net. With regard to the criminal investigations against the two defendants, the AG again stressed that a national court cannot limit in time the effect of that incompatibility.

It remains to be seen whether the CJEU takes up the AG’s views or whether the judges bench takes a more nuanced approach to the individual referrals. For a thorough analysis of the CJEU’s case law on data retention and the demand for recalibrating EU legislation on this matter → article by A. Juszczak/E. Sason, published at the eucrim website on 8 September 2021.