Advocate General Saugmandsgaard Øe: General data retention obligation may be compatible with EU law

An Advocate General of the Court of Justice of the European Union (CJEU) has stated in an Opinion that a general obligation to retain data imposed by a member state on providers of electronic communication services may be compatible with EU law but that it is imperative that that obligation be circumscribed by strict safeguards.

In its judgment in Digital Rights Ireland of 2014, the Court of Justice invalidated the Data Retention Directive on the grounds, first, that the general obligation to retain certain data imposed by that directive constituted serious interference with the fundamental rights to respect for private life and to the protection of personal data and, second, that the rules accordingly established were not limited to what was strictly necessary for the purpose of the fight against serious crime.

Following that judgment, two cases were referred to the court on the general obligation imposed, in Sweden and in the UK, on telecommunication service providers to retain data relating to electronic communications. The court accordingly had the opportunity to specify the interpretation to be given in a national context to the judgment in Digital Rights Ireland.

The day following the delivery of the judgment in Digital Rights Ireland, the telecommunications undertaking Tele2 Sverige notified the Swedish post and telecommunications authority of its decision to cease retaining the data and of its proposal to delete the data already registered (Case C-203/15). Swedish law requires providers of electronic communication services to retain certain personal data of their subscribers.

In Case C-698/15 Tom Watson, Peter Brice and Geoffrey Lewis brought actions against the British data retention rules, which authorise the Home Secretary to require public telecommunications operators to retain all communications data for a maximum period of 12 months, it being understood that the retention of the content of those communications is excluded.

In references for a preliminary ruling made by the Kammarrätten i Stockholm (Administrative Court of Appeal, Stockholm, Sweden) and the Court of Appeal (England and Wales) (Civil Division), the court was requested to indicate whether a general obligation to retain data is compatible with EU law (in particular the Directive on privacy and electronic communications and certain provisions of the EU Charter of Fundamental Rights).

In this week’s opinion, Advocate General Henrik Saugmandsgaard Øe first specified the categories of data which are subject to the general obligations to retain data imposed in Sweden and in the UK. Those involve data making it possible to identify and locate the source and the destination of the information, data relating to the date, time and duration of communication and data identifying the type of each communication and the type of equipment used. In both Sweden and the UK the content of communications is not the subject of that retention obligation.

The Advocate General was of the opinion that a general obligation to retain data may be compatible with EU law. A member state's ability to impose such an obligation is, however, subject to satisfying strict requirements. It is for the national courts to determine, in the light of all the relevant characteristics of the national regimes, whether those requirements are satisfied.

First, the general obligation to retain data and the accompanying guarantees must be laid down by legislative or regulatory measures possessing the characteristics of accessibility, foreseeability and adequate protection against arbitrary interference.

Secondly, the obligation must respect the essence of the right to respect for private life and the right to the protection of personal data laid down by the Charter.

Thirdly, the Advocate General noted that EU law requires that any interference with the fundamental rights should be in the pursuit of an objective in the general interest. He considered that the fight against serious crime alone is an objective in the general interest that is capable of justifying a general obligation to retain data, whereas combating ordinary offences and the smooth conduct of proceedings other than criminal proceedings are not.

Fourthly, the general obligation to retain data must be strictly necessary to the fight against serious crime, which means that no other measure or combination of measures could be as effective while at the same time interfering to a lesser extent with fundamental rights. Furthermore, the Advocate General pointed out that that obligation must respect the conditions set out in the judgment in Digital Rights Ireland as regards access to the data, the period of retention and the protection and security of the data, in order to limit the interference with the fundamental rights to what is strictly necessary.

Finally, the general obligation to retain data must be proportionate, within a democratic society, to the objective of the fight against serious crime, which means that the serious risks engendered by that obligation within a democratic society must not be disproportionate to the advantages it offers in the fight against serious crime.
