The opinion is non-binding on the Court of Justice of the EU (CJEU) which will issue a formal judgment on the issue in the coming months, but advocate general Manuel Campos Sánchez-Bordona said it was his view that provisions set out in the EU's privacy and electronic communications (e-Privacy) directive preclude member states from drawing up such requirements.
The opinion issued by Campos Sánchez-Bordona concerns data retention obligations that previously applied under the Data Retention and Investigatory Powers Act 2014 (DRIPA). The legislation has subsequently been superseded by the Investigatory Powers Act.
The advocate general considered DRIPA's compatibility with the EU's e-Privacy regime in tandem with three other cases concerning data retention obligations imposed on providers of electronic communication services that are also before the CJEU. Two of the cases concern data retention laws in France, and the other the framework in Belgium. If the CJEU follows Campos Sánchez-Bordona's opinions when it comes to issue its formal judgment in the cases, data retention laws in France and Belgium will need to be reformulated.
According to Campos Sánchez-Bordona, EU member states cannot sidestep the privacy protections provided for in the e-Privacy framework when imposing data retention obligations on telcos on national security grounds.
While the e-Privacy regime does not regulate the measures public authorities in EU countries take on their own to safeguard national security, it does apply where businesses are imposed on to help in that regard, the advocate general said.
The e-Privacy regime provides scope for member states to draw up their own rules on data retention in the interests of national security, but the advocate general said those rules must respect EU case law that has developed in this area.
In 2016, the CJEU set out the restrictions, limitations and safeguards that should apply to data retention laws in the EU. It explained that EU countries cannot pass a law that "provides for general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication" in order to help fight crime.
It also said that while EU law does permit national law makers to, "as a preventive measure", require traffic and location data to be retained on a targeted basis, this can only be mandated where the objective of the data retention rules is to fight "serious crime".
Limits must be set out "with respect to the categories of data to be retained, the means of communication affected, the persons concerned and the retention period adopted, to what is strictly necessary", the CJEU ruled.
The CJEU also endorsed restrictions on how data is accessed, including the application of a "prior review" process to allow a court or other "independent administrative authority" to evaluate authorities' requests for data to be retained, "except in cases of validly established urgency". The 2016 judgment further clarified telcos' obligations on data security and the destruction of data.
Campos Sánchez-Bordona said the French legislation is incompatible with the e-Privacy Directive as it creates a general and indiscriminate obligation to retain data, and disregards data subjects’ rights. He said the Belgian legislation is incompatible too since it imposes a general and indiscriminate obligation for private operators to retain the processed traffic and location data.
The advocate general also expressed the view that a tribunal can, under strict conditions and provided it is authorised by national law, temporarily maintain the effects of a law incompatible with EU law if it is justified by public security or national security concerns where there are no other means to address those concerns. The laws can only be maintained for as long as is strictly necessary, he said.
Out-Law News
21 Dec 2016