Information Privacy Law
Professor Ira Rubinstein
April 3, 2017
The highest court of the European Union rules that Member States may not impose a general obligation to retain data on providers of electronic communications services
Last December, four days before Christmas, the European Court of Justice (“ECJ”) made a present to the European citizens in a major privacy decision declaring that indiscriminate storing of private citizens’ communications data is illegal under EU law.
In 2015, two cases from Sweden and United Kingdom were referred to the ECJ on the general obligation imposed on telecommunication service providers to retain data relating to electronic communications. The Court was requested to indicate whether a general obligation to retain data is compatible with EU law (specifically the Directive on privacy and electronic communications and certain provisions of the EU Charter of Fundamental Rights).
According to the Court, data retentions can result in very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained. Therefore, the national legislation of the Member States that provides for the retention of traffic and location data must be subject to strict requirements. In words of the Court: “the fact that the data is retained without the users of electronic communications services being informed of the fact is likely to cause the persons concerned to feel that their private lives are the subject of constant surveillance. Consequently, only the objective of fighting serious crime is capable of justifying such interference”.
The Court said that exceptions to the protection of personal data should be limited to the absolutely necessary. This applies also to the access of authorities to the stored data and the national legislation of the Member States providing a general and indiscriminate data retention which does not have a link between the data and a threat to public security goes beyond the limits of the absolutely necessary cannot be justified in a democratic society. Therefore, the legislation of the Member States that do not comply with these requirements must be abolished or amended accordingly. Also the Court states that any national legislation to that effect must be clear and precise and must provide for sufficient guarantees of the protection of data against risks of misuse.
According to Camilla Graham Wood from Privacy International the judgment is a “major blow against mass surveillance and an important day for privacy. It makes clear that blanket and indiscriminate retention of our digital histories can be a very intrusive form of surveillance that needs strict safeguards against abuse and mission creep.”
Last week as a consequence of the decision, the Council of Europe, the institution representing the member states’ governments, informed the Member States that intends with the European Commission to provide guidance on bringing national data retention laws into line with the judgment.
- Judgment of the European Court of Justice of 21th December 2016
- Press release of the European Court of Justice
- Opinion of the Advocate General of the European Union
- Press release of the Advocate General’s Opinion
- Outcome of the Council Meeting of 28th March 2017
- The Guardian