Data Retention? Advocate General says “Asked and answered!”
On 18 November, the Advocate General (AG) of the Court of Justice of the European Union (CJEU) released his opinion on three data retention-related cases: one from Germany brought by service providers SpaceNet and Telekom Deutschland, one criminal prosecution case from Ireland (C‑140/20) and another case involving market abuse charges from France (C‑339/20 and C‑397/20).
After the 2020 landmark ruling (La Quadrature du Net and others), one would have hoped that the Court had provided sufficiently clear conclusions with regard to the legality of data retention regimes in the EU. Nonetheless, the three referring national courts maintained their requests for preliminary rulings.
This is why, unsurprisingly and very much to his own despair, the Advocate General has had to repeat in his non-binding opinion what the Court had previously ruled on data retention.
Here we go again
The German Federal Administrative Court had argued that German legislation differs in many ways from the French and Belgian legislation (declared incompatible with EU law in the 2020 judgment), thus requiring a new examination by the CJEU. According to the AG, however, these variations do not change the fundamentals of the Court’s ruling on data retention:
- The indiscriminate and general retention of traffic and location data is incompatible with EU law. It is only permissible in very specific circumstances involving a serious threat to national security that is genuine and present or foreseeable, and for a limited time period. By contrast, the purpose of combating serious crime is not a sufficient justification. “If the CJEU were to agree to open that door [extending the concept of a threat to national security to serious criminal offences], the careful balance underlying the judgment in La Quadrature du Net would have been futile.” (Irish and French cases)
- It is up to Member States to select appropriate criteria for their targeted retention legislation, ensuring the respect of the rights safeguarded in the EU Charter of Fundamental Rights. While difficult, it is doable.
- Even if the list of data categories retained is more restricted than the French and Belgian laws (no browsing data, email data or data from religious and social helplines), the set of retained data is, overall, still too broad.
- Similarly, despite the reduced retention period (four weeks for location data, 10 weeks for other traffic data), it does not change the fact that the retention imposed is still general and indiscriminate. Furthermore, the AG relies on the Court’s conclusions in the Prokuratuur case on conditions for public authorities’ access to traffic and location data. This jurisprudence specifies that even small subsets of the data allow “precise conclusions to be drawn concerning the private life of the person concerned” (social relationships and activities, habits, whereabouts, etc.) because of the length of the retention period but also of the quantity and nature of the retained data. Further, the AG points out that, as techniques for monitoring, correlating and evaluating data sets progress, it will become increasingly easy to build profiles with ever smaller data sets from shorter time periods in the future. As a result, “regardless of the length of the period in respect of which access to those data is sought and the quantity or nature of the data available”, retention and access are considered serious interferences with privacy and data protection rights.
- Access to retained data must be subject to prior review by a court or an independent authority – a Garda (Irish national police) officer of a certain rank does not constitute one.
- The AG declares it irrelevant that data protection arrangements are in place to protect retained data against the risks of misuse and unlawful access. The German and Irish laws still unlawfully require mass data retention.
- The AG dismisses out of hand the German court’s claim that the Court contradicts itself on the retention of IP addresses. Only the investigation of serious crime, the prevention of serious threats to public security and the safeguarding of national security can justify the general retention of IP addresses assigned to the user of an internet connection.
Member States still turning a deaf ear
Despite the repeated calls from the CJEU to “abandon any attempt to prescribe the general and indiscriminate storage of all traffic and location data”, Member States keep scrambling to find ways around this.
For example, France reintroduced mass data retention, on the basis of its Highest Administrative Court’s (Conseil d’Etat) ruling, which was analysed as willfully ignoring the CJEU’s binding case law. In order to circumvent the Court’s requirement, the French government encoded a systematic state of emergency (basically declaring national security under constant threat) in its “Loi Renseignement 2”, so that the metadata of the entire population remains continuously available to the police, in violation of European law.
In Denmark, the government, after criticising the CJEU’s judges as democratically illegitimate to impose their opinion on Danish law (and therefore showing its defiance of the democratic principle of separation of powers), has proposed a bill to maintain general and indiscriminate data retention. Even though the bill contains a scheme for targeted retention, this is only planned as an emergency plan in case the general data retention regime is brought down by courts.
Lastly, even when national governments propose targeted retention schemes, they often end up with such an extensive list of criteria that the term ‘targeted’ is rendered meaningless.
EDRi and its members will continue to monitor the political developments at national and EU levels, as the European Commission and the Council are still figuring out the next steps on the issue of data retention.