Luxembourg, 20 September 2022
PRESS RELEASE No 156/22
The Court of Justice confirms that EU law precludes the general and indiscriminate retention of traffic and location data, except in the case of a serious threat to national security
However, in order to combat serious crime, the Member States may, in strict compliance with the principle of proportionality, provide for, inter alia, the targeted or expedited retention of such data and the general and indiscriminate retention of IP addresses
SpaceNet and Telekom Deutschland provide publicly available internet access services in Germany. Telekom Deutschland also provides telephone services. They brought actions before the German courts challenging the obligation imposed on them by the German Law on Telecommunications (TKG) to retain, as from 1 July 2017, traffic and location data relating to their customers’ telecommunications.
With some exceptions, the TKG requires providers of publicly available electronic communications services – inter alia for the purposes of prosecuting serious criminal offences or preventing a specific risk to national security – to retain, in a general and indiscriminate way, for a period of several weeks, most of the traffic and location data of the end users of those services.
The German Federal Administrative Court seeks to ascertain whether EU law, as interpreted by the Court of Justice, precludes such national legislation. Its doubts arise in particular from the fact that that the retention obligation laid down by the TKG concerns fewer data and a shorter retention period (4 or 10 weeks) than that provided for by the national legislation at issue in the cases that gave rise to the Court of Justice’s previous judgments. In the German Federal Administrative Court’s view, those characteristics reduce the possibility that the retained data may allow very precise conclusions to be drawn concerning the private life of the persons whose data have been retained. In addition, it considers that the TKG ensures the effective protection of retained data against the risks of abuse and unlawful access.
By its judgment delivered today, the Court of Justice confirms its previous case-law. It replies to German Federal Administrative Court that EU law precludes national legislation which provides, on a preventative basis, for the purposes of combating serious crime and preventing serious threats to public security, for the general and indiscriminate retention of traffic and location data.
However, EU law does not preclude national legislation which
– allows, for the purposes of safeguarding national security, an instruction to be given requiring providers of electronic communications services to retain, generally and indiscriminately, traffic and location data in situations where the Member State concerned is confronted with a serious threat to national security that is shown to be genuine and present or foreseeable. Such an instruction must be subject to effective review, either by a court or by an independent administrative body, and can be given only for a period that is limited in time to what is strictly necessary, but which may be extended if that threat persists;
– provides, for the purposes of safeguarding national security, combating serious crime and preventing serious threats to public security, for the targeted retention of traffic and location data which is limited, on the basis of objective and non-discriminatory factors, according to the categories of persons concerned or using a geographical criterion, for a period that is limited in time to what is strictly necessary, but which may be extended;
– provides, for the same purposes, for the general and indiscriminate retention of IP addresses assigned to the source of an internet connection for a period that is limited in time to what is strictly necessary;
– provides, for the purposes of safeguarding national security, combating crime and safeguarding public security, for the general and indiscriminate retention of data relating to the civil identity of users of electronic communications systems, and
– allows, for the purposes of combating serious crime and, a fortiori, safeguarding national security, an instruction to be given requiring providers of electronic communications services to undertake, for a specified period of time, the expedited retention of traffic and location data in the possession of those service providers.
Such national legislation must, moreover, ensure, by means of clear and precise rules, that the retention of data at issue is subject to compliance with the applicable substantive and procedural conditions and that the persons concerned have effective safeguards against the risks of abuse.
As regards the TKG, the Court notes that it is apparent from the order for reference that the retention obligation laid down by that legislation covers, inter alia, the data necessary to identify the source of a communication and its destination, the date and time of the start and end of the communication or – in the case of communication by SMS, multimedia message or similar message – the time of dispatch and receipt of the message and, in the case of mobile use, the designation of the cell sites used by the caller and the recipient at the start of the communication.
In the context of the provision of internet access services, the retention obligation covers, inter alia, the IP address assigned to the subscriber, the date and time of the start and end of internet use from the assigned IP address and, in the case of mobile use, the designation of the cell sites used at the beginning of the internet connection. The data enabling the identification of the geographical location and the directions of maximum radiation of the antennas serving the cell site in question are also retained.
While it is true that the data relating to electronic mail services are not covered by the retention obligation laid down in the TKG, they represent only a very small part of the data in question. The data of users who are subject to a duty of professional secrecy, such as lawyers, doctors and journalists, are also retained. Thus, the retention obligation laid down by the TKG applies to a very broad set of traffic and location data which corresponds, in essence, to those which led to the previous judgments mentioned above. That set of traffic and location data retained for 10 weeks and 4 weeks respectively may allow very precise conclusions to be drawn concerning the private lives of the persons whose data are retained, such as habits of everyday life, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them and, in particular, enable a profile of those persons to be established.
As regards the safeguards provided for by the TKG, which are intended to protect the retained data against the risks of abuse and against any unlawful access, the Court points out that the retention of and access to those data constitute separate interferences with the fundamental rights of the persons concerned, requiring a separate justification. It follows that national legislation ensuring full respect for the conditions established by the case-law as regards access to retained data cannot, by its very nature, be capable of either limiting or even remedying the serious interference with the rights of the persons concerned which results from the general retention of those data.
NOTE: A reference for a preliminary ruling allows the courts and tribunals of the Member States, in disputes which have been brought before them, to refer questions to the Court of Justice about the interpretation of European Union law or the validity of a European Union act. The Court of Justice does not decide the dispute itself. It is for the national court or tribunal to dispose of the case in accordance with the Court’s decision, which is similarly binding on other national courts or tribunals before which a similar issue is raised.
Source – EU Court of Justice – Email